COMPLIANCE
- Getting More from your Risk Registers
Risk registers are part of an effective risk program and are used by companies to help communicate and manage risk. Spreadsheets are often the primary database for risk registers, storing and tracking risks that need to be assessed, treated, and monitored. While spreadsheets can help initially support a risk program, without additional support they can result in:
  - Inconsistent practices using the risk spreadsheet templates
  - Confusion resulting from using different definitions for risk (i.e. hazard, effect, uncertainty, etc.)
  - Application of incorrect risk assessments and treatments due to confusion caused by using different risk frameworks
  - Increased exposure as unmitigated residual risks may not be evaluated and treated
  - An incomplete picture of risk, which can lead to an understated or overstated risk profile and in turn to increased vulnerability or over-investment in risk mitigation
  - Not learning from prior risk analyses and treatments
To counter these effects, companies can benefit by advancing their risk programs beyond using simple risk register spreadsheets. Here are 6 steps to an effective risk management program:
  1. Use a common risk framework across the organization
  2. Capture all risks in a central database
  3. Manage the entire risk life-cycle with actionable and accountable tasks
  4. Monitor and control risks within the management accountability structure
  5. Provide visibility to the entire risk profile with periodic review
  6. Preserve and learn from prior risk analyses and treatments
It is important to start by asking the question, "Have we captured all the risk?" This requires a consistent definition of risk, which a risk framework such as ISO 31000 and others provides. Without a common framework, each department, discipline, or person will likely have their own idea of what they mean by risk. This can lead to confusion and incomplete risk identification.
For many organizations, a significant advancement will come from managing risks that are already contained within the risk registers. Turning risk register spreadsheets into accountable actions is an important step to better risk management. There is little value in having risks assessed and treatments defined if they are not being looked at regularly. Having appropriate controls and monitors in place to elevate risks that require attention is crucial to support management accountability and oversight. Managing all risks in one place makes it easier to learn from prior risk analyses and treatments. Establishing a learning culture will help improve risk management competency and help reduce future risk. Moving beyond the use of risk registers and establishing a consistent risk management system will help to counter the previous effects and produce better risk outcomes.
Plan-Do-Check-Act Questions:
  - Which improvement step would help produce better risk outcomes for your organization?
  - What obstacles are hindering the improvement of your risk program?
  - What steps can be taken to remove or reduce these obstacles?
  - What would it look like if risk was managed more effectively?
- Lean Compliance A3 Format
The A3 Format and DMAIC are structured processes used for LEAN / Six Sigma improvements and problem solving. While these have proven to be very effective for certain processes, when it comes to meeting performance and outcome-based compliance obligations, you need a more proactive approach that addresses threats and opportunities. We have created the Lean Compliance A3 format, which incorporates the bow-tie analysis along with measures of effectiveness, performance, and compliance to help you continually advance towards better outcomes using a PDCA cycle. Now you can document each of your obligation improvements using the A3 format. Download the free worksheet here:
- Integrated vs Integrative Compliance: Which is Better?
In today's complex regulatory environment, compliance has become a key concern for businesses across all industries. While compliance programs are often viewed as a necessary evil, they can also provide significant benefits to organizations that are able to implement them effectively. One of the key decisions that organizations must make when designing their compliance programs is whether to take an integrated or integrative approach. In this article, we will explore the distinction between these two approaches and their respective advantages and disadvantages. We will also consider which one is better to support performance and outcome-based obligations. Let's start with integrated compliance:
Integrated Compliance
An integrated compliance approach involves incorporating compliance requirements into the day-to-day operations of the business. This approach is often seen as a more traditional approach to compliance, where businesses focus on meeting regulatory requirements and avoiding legal penalties. An integrated compliance program typically involves a set of policies and procedures that are designed to ensure that employees understand their obligations and responsibilities under the law.
Advantages of an Integrated Compliance
One of the main advantages of an integrated compliance approach is that it helps to ensure that businesses are meeting their legal obligations. By incorporating compliance requirements into the day-to-day operations of the business, organizations are able to ensure that they are meeting their obligations without having to spend significant amounts of time and resources on compliance-related activities. Another advantage of an integrated compliance approach is that it helps to create a culture of compliance within the organization. By emphasizing the importance of compliance and making it a part of the organization's core values, businesses are able to create a sense of shared responsibility among employees for meeting regulatory requirements.
Disadvantages of an Integrated Compliance
One of the main disadvantages of an integrated compliance approach is that it can sometimes be viewed as a "check-the-box" exercise. In other words, businesses may focus more on meeting regulatory requirements than on actually understanding and managing their compliance risks. Another disadvantage of an integrated compliance approach is that it may not be sufficient for organizations that operate in highly regulated industries. In these industries, businesses may need to take a more proactive approach to compliance in order to stay ahead of emerging regulatory risks. Now let's consider an integrative compliance approach:
Integrative Compliance
An integrative compliance approach involves embedding compliance into the broader strategic goals and objectives of the business. This approach is often seen as a more forward-looking approach to compliance, where businesses focus on identifying and managing compliance risks in order to achieve their strategic objectives. An integrative compliance program typically involves a more holistic approach to compliance that considers the business's broader risk profile and how compliance risks fit into that profile.
Advantages of an Integrative Compliance
One of the main advantages of an integrative compliance approach is that it helps businesses to manage their compliance risks in a more proactive manner. By embedding compliance into their strategic goals and objectives, organizations are able to identify and manage compliance risks in a more systematic and strategic way. Another advantage of an integrative compliance approach is that it helps businesses to create a competitive advantage. By managing their compliance risks more effectively, businesses are able to differentiate themselves from their competitors and gain a reputation for being responsible and ethical.
Disadvantages of an Integrative Compliance
One of the main disadvantages of an integrative compliance approach is that it can be more time-consuming and resource-intensive than an integrated approach. In order to effectively manage compliance risks, organizations may need to invest significant amounts of time and resources into developing and implementing their compliance programs. Another disadvantage of an integrative compliance approach is that it may be more difficult to implement in organizations that have a siloed approach to management. In order to successfully embed compliance into the broader strategic goals and objectives of the business, organizations may need to break down silos and promote greater collaboration and communication across different departments and functions.
Summary
The choice between an integrated and integrative compliance approach is a critical decision that organizations must make when designing their compliance programs. Both approaches have their advantages and disadvantages, and the decision ultimately depends on the organization's risk profile, industry, and strategic goals. An integrated approach can help ensure legal compliance and create a culture of compliance, but it may not be sufficient for highly regulated industries. On the other hand, an integrative approach can help manage compliance risks more proactively and create a competitive advantage, but it may be more time-consuming and difficult to implement in organizations with a siloed approach to management. Ultimately, a successful compliance program should be tailored to the organization's unique needs and risk profile, and should be regularly reviewed and updated to ensure ongoing effectiveness.

| Aspect | Integrated Compliance | Integrative Compliance | Better for Outcome / Performance-Based Obligations? |
| --- | --- | --- | --- |
| Focus | Meeting regulatory requirements and avoiding legal penalties. | Embedding compliance into the broader strategic goals and objectives of the business. | Integrative Compliance |
| Policies and Procedures | Set of policies and procedures designed to ensure that employees understand their obligations and responsibilities under the law. | More holistic approach to compliance that considers the business's broader risk profile and how compliance risks fit into that profile. | Integrative Compliance |
| Culture of Compliance | Emphasizes the importance of compliance and makes it a part of the organization's core values. | Helps businesses manage their compliance risks in a more proactive manner. | Integrative Compliance |
| Risk Management | Focused on meeting regulatory requirements, but may not be sufficient for highly regulated industries. | Helps identify and manage compliance risks in a more systematic and strategic way. | Integrative Compliance |
| Resource Intensity | May not require as much investment of time and resources, but can be viewed as a "check-the-box" exercise. | Can be more time-consuming and resource-intensive, but can create a competitive advantage. | Neither is better, as the optimal approach depends on the organization's needs and risk profile. |

However, an integrative compliance approach may be better suited for performance and outcome-based obligations. This is because an integrative approach involves embedding compliance into the broader strategic goals and objectives of the business. By doing so, organizations can identify and manage compliance risks in a more systematic and strategic way, which can help ensure that performance and outcome-based obligations are met. Additionally, an integrative approach can help organizations create a competitive advantage by managing their compliance risks more effectively, which can ultimately lead to better performance and outcomes.
It is important to note that the choice between an integrated and integrative compliance approach ultimately depends on the organization's risk profile, industry, and strategic goals, and a tailored approach should be taken to ensure ongoing effectiveness.
- Beyond Metrics: Meeting Performance and Outcome-Based Obligations through a Strategic Framework
Meeting performance and outcome-based obligations requires a different set of measures.
- The Cost of Obligation Debt
The notion of debt, or more specifically technical debt, has proven to be a helpful metaphor when discussing financial costs with respect to short-term payoffs versus the delaying of technical capabilities that brings with it long-term impacts. In this blog post we explore how the notion of debt can be applied to compliance to help organizations better address their compliance obligations.
An Example from Software Development
When it comes to building software applications and systems, technical debt has been used to refer to short cuts that developers take in order to meet urgent and usually time-sensitive timelines. These short cuts will in turn incur future costs that include:
  - Addressing the effects of partially completed code
  - Developing the parts that were not completed
  - Managing the effects of changing the codebase (i.e. costs of regression testing)
  - Other activities
At a basic level, technical debt can be estimated by adding up the costs associated with these activities as well as the costs connected with the debt management process itself.
Obligation Debt
In many ways, taking short cuts is not unique to software development, as this practice is observed in other endeavours including compliance. Companies may elect to delay activities associated with meeting certain obligations, or parts of obligations, and leave others until some time in the future. This may be deliberate or a result of a lack of knowledge or expertise in identifying what their obligations are. Just as in software, taking short cuts when meeting obligations comes at a cost, which not only includes the future cost of meeting the obligation but also the risks associated with not having met them. When it comes to safety and environmental obligations, these risks may result in much more than just a bug in an application but a loss of life.
The Nature of Obligation Debt
When we consider obligation debt we need to estimate:
  - Principal: What is the cost required to meet this obligation?
  - Interest Rate: What is the extra cost in the future if this obligation is not met now?
  - Interest Rate Probability: How likely is it that this obligation, if not met now, will cause extra cost in the future?
The problem with obligation debt is that the principal and its interest grow over time if not addressed. This has much to do with entropy, increasing regulations, as well as the nature of risks associated with obligations themselves. The interest rate combined with its probability can be considered as a proxy for compliance risk. The resultant interest can significantly outweigh the cost of meeting the obligation in the first place, particularly when the consequences of non-conformance are severe. The level of reactivity that a company experiences with respect to its obligations is also a measure of risk and a proxy for interest rate. This can manifest as the number of complaints, issues, injuries, reportable emissions, or other ways in which non-conformance is observed. Not only will companies have paid for the partial conformance (i.e. the short cuts), they will now pay for the effects of non-conformance and the costs of preventing them from occurring in the future. When combined, these costs can be two to three times the original cost. This is similar to taking on a debt with a yearly interest rate of 200%. The only reason why we would do such a thing is if we believed that the probability of paying any interest is low. In other words, we never expect to pay any additional cost for taking short cuts now, or perhaps someone else will be responsible for doing so.
What You Need To Know
For companies to get on top of their obligation debt they need to know:
  - What the total obligations are
  - What the cost is to meet and maintain these obligations
  - Which obligations are not being met now and when they will be met in the future
  - What the risk is in not meeting these obligations
  - What the cost is to service or buy down the organization's obligation debt
Unfortunately, answers to these questions are in short supply starting with the first, knowing what obligations a company is responsible for. The good news is that it doesn't have to be that way and it isn't for companies that take ownership of all their obligations. They will make sure that they take on only the obligations they can afford to keep and over time enhance their capabilities to take on more.
- Automating Responsibilities
Process automation tends to focus only on managing responsibilities that are involved in the completion of activity. As a result, many business process modelling and execution systems offer very limited support for other kinds of responsibilities that are required and documented in responsibility assignment matrices (RAM) within existing policies and procedures.
[Figure: Example Responsibility Assignment Matrix (RAM) using modified RACI model]
This often leads to significant gaps in compliance, as only a fraction of the required responsibilities are implemented in the automation systems used to support compliance. To improve the effectiveness of critical processes that support safety, security, quality, and environmental programs, it is necessary to model and automate the entire responsibility assignment matrix. This may require updating or replacing tools and platforms with those that fully support the management of responsibilities. The requirements for these tools may include:
  - Representing the entire RACI model along with its variations
  - Automated mapping to BPMN models to support execution platforms
  - Implementation mapping for each type of responsibility and their interactions (i.e. RACI)
  - Support for early and late binding of responsibilities during execution
  - Audit of design, model, and automation rules to verify compliance
To be effective, process automation needs to consider not only getting the work done but also how the work gets done in compliance with corporate policies and procedures.
- Compliance Process Modeling
Process modeling is necessary to design, implement, and improve compliance. Many of the techniques and approaches used today are based on flow charting process activity. Activity models focus on diagramming how work moves from person to person to achieve the desired output and for this reason are well suited for prescriptive processes. However, in today's climate of performance-based compliance, is this still the best choice? In this blog, I will look at how the Activity Model compares with the Phase-Gate Model, which is used extensively for capital projects and new product development.
Activity Model
Activity-based models typically diagram the process using flow charts containing boxes, diamonds and arrows. Swim lanes are often added to represent activity performed by different roles. Flow charts are great at detailing how a process flows and are useful for prescriptive work. This lends itself to mapping easily to workflow engines, which are usually designed to support activity-based processes. The flip side of using activity-based workflows is that it is difficult to implement processes that require greater facilitation, descriptive procedures, and activity that is not known in advance, such as risk mitigations. Once you select this approach you have to make it work for your entire process, which may not always be the right fit.
Phase-Gate Model
This modeling technique is based on a state-driven approach depicting the life cycle of a project, product, asset, or some other thing that goes through a series of phases or steps. This approach is used extensively for value creation and is the preferred approach for new development and capital projects. A popular and successful representative of this approach is the Stage-Gate® model, which is a trademark of R.G. Cooper & Associates Consultants. The phase-gate approach includes:
  - Phases - these follow the state of the process, focused on the development of the intended outcome.
  - Gates - these provide a control point where quality is assessed, deliverables are reviewed, and decisions are made to proceed or not.
One of the key strengths of this approach is that it affords a rigid structure to govern the overall process while at the same time allowing for flexibility in how the work gets done between gates. This flexibility provides a method for balancing prescriptive and descriptive parts of the process. In addition, the sequencing nature of this model offers the same kind of benefits as cellular manufacturing does on the shop floor. If implemented appropriately, these are the benefits that can be expected:
  - Reduced Work In Process (WIP)
  - Better use of resources
  - Better scheduling
  - Better control
  - Easier automation
  - Increased quality
A downside of using this model is that it may lack the appropriate level of detail and prescription for parts of the process that require it. The inherent flexibility can be abused and allow situations where appropriate program and system governance is not being followed.
Hybrid Model
This approach combines the best from both worlds. It is easier to add prescription to the phase-gate approach due to its flexibility.
[Figure: Example life cycle that combines the phase-gate and activity models]
In this scenario, prescriptive workflows have been added to the approval and verification phases of the life cycle. The other phases follow a facilitated process to produce deliverables, which are then reviewed using a checklist. By combining both approaches, the hybrid model overcomes the lack of prescription while gaining all the benefits of using the phase-gate model. The benefits of using this approach include:
  - Increases overall process visualization - you know where you are in the process instead of just knowing what activity you are at within a work flow
  - Identifies more easily where program compliance directives are done - ex: approvals, verification, quality review, and so on
  - Embeds quality control throughout the process using gates
  - Bottlenecks are easier to discover and alleviate
  - Supports a continuum of prescriptive and descriptive process steps
In order to adapt to changes in the compliance landscape, it is necessary to evaluate the effectiveness of existing tools and techniques. Considering approaches found in other domains provides companies additional options to better meet compliance challenges. The Hybrid Model has been used effectively to support risk-based compliance processes for several years across diverse industries. To find out more, visit our website at www.leancompliance.ca
- Compliance Needs A New Mindset
After years under the tutelage of prescriptive rules and audits it is no wonder that the question of what and how to improve compliance is met with: we are fully compliant, there is nothing to improve, and we have someone that does that. However, to meet performance and outcome-based obligations this question is met with a different answer: we are making progress towards targeted outcomes, we are continuously advancing our capabilities to reduce risk, and our entire company is committed to and engaged in this process. It's time for a new mindset if compliance wants to see new and better results.
- Agile Compliance
Organizations of all shapes and sizes utilize systems to ensure that the right work gets done at the right time in the right way. In fact, many will have a system of systems to manage them all. However, over the years what I have noticed is that many of these systems end up as little more (and far less) than the sum of their parts: processes, activities, tasks, etc. Systems rarely, if ever, create the intended outcomes at the levels needed by the organization. There are many reasons why this is the case. One of these reasons, which I have discussed before, has to do with the approach chosen for system implementation. Many implementations use a component-first approach, using phases to build out capabilities over time to finally reach a system that is "effective." Unfortunately, the final state of "effective" is seldom reached. As a result, companies end up with systems that do not fulfill their purpose and in many cases are barely operational. You might say that a component-first approach is the equivalent of the "waterfall" project methodology, where benefits are realized only at the very end. This approach makes sense when you have a high degree of certainty in both the ends and the means of what you are building. However, what if you needed to learn both what the ends are and the means to get there as you went along? Is this not what advancing capability maturity looks like? This kind of implementation requires a different approach. You would need a working system (i.e. operational) right at the start, in the same way that "agile" focuses on having working software right at the start. In fact, this strategy is referred to as "Lean Startup," which focuses not on having working code but on having a working system, or better – always having a system that works. This approach affords companies the opportunity to learn on an operational system to improve performance and effectiveness at every stage of system development. Benefits can be realized early rather than later, and this is critical when it comes to advancing quality, safety, environmental and regulatory outcomes where the risks are high. Agile and Lean Startup are examples of systems-thinking used in software development but also in compliance solutions. The key is to take a holistic rather than reductive perspective when it comes to building a system. Members of The Proactive Certainty Program™ learn and use systems-thinking to reach operational and effective compliance faster and with a higher degree of certainty than traditional approaches.
- Good Things Take Time, Great Things Take a Little Longer
Over the last several years I have endeavoured to change the way we think and do compliance. Perhaps a big hairy audacious goal (BHAG), as some might say. Others might even call it a fool's errand. To be honest, it hasn't been easy and it continues to be an uphill battle. As essential as compliance is, it is not the number one priority of things to improve or excel at, for that matter. What has helped is knowing that I am not alone. There are others who are doing amazing things to help transform compliance. I have had the good fortune to connect with and work with some of you and look forward to meeting more in the months and years to come. What has amazed me is when I hear from someone who tells me that they have followed me on social media for a while, loved what we do, and have put the principles of lean compliance into practice to improve compliance in their organization. All I can say is, WOW. This is not an isolated case.
"I found your posts and the breadth of information you provide on compliance and risk topics to be particularly helpful in expanding my personal knowledge, as I am relatively early in my career and doing my best to learn on my own. I look forward to learning more from the generous amount of information you share freely on this platform. Grateful is an understatement." – Venessa Beunrostro (Compliance Analyst)
It's not always possible to know how much we impact other people. However, sometimes you do hear and it reminds you why you work so hard to make a difference. Don’t underestimate the impact you are making. Good things take time, great things take a little longer. Don’t give up. I am grateful to all those that have written to us and those who have not but have found our work helpful in supporting their compliance journey. Thank you for helping make our journey worthwhile.
- Digital Threads: The Future of Compliance
In response to the Grenfell Tower Fire, the UK government recently introduced new regulations and a new regulator to address shortcomings in building safety. This new safety regime is intended to prevent the occurrence of incidents similar to the Grenfell Tower disaster that resulted in 72 deaths in 2017. Among the measures that this regulation introduces is what is being called "A Golden Thread." This is in fact a "Digital Thread," the first of its kind to be used by regulators to improve compliance. The future of compliance looks like it is here, so let's find out what digital threads are all about and why they are so important for compliance.
What is a Digital Thread?
To understand digital threads we first need to understand digital twins. The concept of digital twins is attributed to Michael Grieves, based on a presentation he made in 2002 at the University of Michigan. In this presentation he proposed the digital twin as a conceptual model underlying a product life-cycle with three components: real space, virtual space, and the data between and about them. However, the idea of modelling the real world with computer simulation is not new and can go back to as early as the 1960s, when NASA used basic concepts of twinning in the development of its space program. What makes digital twins different from computer-based modelling are the connections between the real and virtual worlds. In essence, a model becomes a digital twin when it is connected with its real-life counterpart. This connection closes the loop and is referred to as the digital thread. How are digital twins and threads defined today?
Digital Twin
The definition commonly used in defence, aerospace and related industries in the US is: “an integrated multiphysics, multiscale, probabilistic simulation of an as-built system, enabled by Digital Thread, that uses the best available models, sensor information, and input data to mirror and predict activities/performance over the life of its corresponding physical twin.” A digital twin is a virtual representation of real-world entities and processes, synchronized at a specified frequency and fidelity. This synchronization is enabled by a digital thread infrastructure or framework.
Digital Thread
The digital thread is used to refer to the lowest-level design specification for a digital representation of a physical item. The digital thread is a critical capability in model-based systems engineering (MBSE) and the foundation for a digital twin. However, the term digital thread is also used to describe the traceability of the digital twin back to the requirements, parts and control systems that make up the physical asset. It is this latter aspect which is of significance for compliance, specifically where traceability and accountability are regulated.
Regulatory Use of Digital Threads: UK Building Safety
In 2021 the UK Parliament introduced the Building Safety Bill to address shortfalls in building safety, not limited to but largely in response to the Grenfell Tower Fire in 2017. This bill introduces a new regulator and regulation with the purpose that safety is ensured throughout every stage of a building's life. It also addresses specific failures with the lack of accountability and compliance throughout design, construction, and operations. The concept of a digital thread will now be part of this regulatory regime to provide traceability of information so that nothing falls between the cracks. This digital thread is not necessarily part of a digital twin but will instead become a measure of compliance, and a critical one.
Using the name "Golden Thread" to describe this particular application makes sense. It is an idea or feature that is present in all parts of something, holds it together and gives it value (Oxford Learner's Dictionary); and in this case the value is improved safety. The Building Safety Bill further defines The Golden Thread:
Full Definition:
The golden thread is both the information that allows you to understand a building and the steps needed to keep both the building and people safe, now and in the future. The golden thread will hold the information that those responsible for the building require to:
(a) Show that the building was compliant with applicable building regulations during its construction and provide evidence of meeting the requirements of the new building control route throughout the design and construction and refurbishment of a building
(b) Identify, understand, manage, and mitigate building safety risks in order to prevent or reduce the severity of the consequences of fire spread or structural collapse throughout the life cycle of a building
The information stored in the golden thread will be reviewed and managed so that the information retained, at all times, achieves these purposes. The golden thread covers both the information and documents, and the information management processes (or steps) used to support building safety. The golden thread information should be stored as structured digital information. It will be stored, managed, maintained, and retained in line with the golden thread principles (see below). The government will specify digital standards which will provide guidance on how the principles can be met. The golden thread information management approach will apply through design, construction, occupation, refurbishment, and ongoing management of buildings. It supports the wider changes in the regime to promote a culture of building safety.
Building safety should be taken to include the fire and structural safety of a building and the safety of all the people in or in the vicinity of a building (including emergency responders).

Many people will need to access the golden thread to update and share golden thread information throughout a building’s lifecycle, including but not limited to building managers, architects, contractors, and many others. Information from the golden thread will also need to be shared by the Accountable Person with other relevant people including residents and emergency responders.

The Golden Thread is based on the following principles, which you could also consider as system properties:

Principles:

* Accurate and Trusted: the dutyholder/Accountable Person/Building Safety Managers and other relevant persons (e.g. contractors) must be able to use the golden thread to maintain and manage building safety and ensure compliance with building regulations. The Regulator should also be able to use this information as part of their work to assess the compliance with building regulations, the safety of the building and the operator’s safety case report, including supportive evidence, and to hold people to account. The golden thread will be a source of evidence to show how building safety risks are understood and how they are being managed on an ongoing basis. The golden thread must be accurate and trusted so that relevant people use it. The information produced will therefore have to be accurate, structured, and verified, requiring a clear change control process that sets out how and when information is updated and who should update and check the information.
* Residents feeling secure in their homes: residents will be provided information from the golden thread – so that they have accurate and trusted information about their home. This will also support residents in holding Accountable Persons and Building Safety Managers to account for building safety.
  A properly maintained golden thread should support Accountable Persons in providing residents the assurance that their building is being managed safely.
* Culture change: the golden thread will support culture change within the industry as it will require increased competence and capability, different working practices, updated processes and a focus on information management and control. The golden thread should be considered an enabler for better and more collaborative working.
* Single source of truth: the golden thread will bring all information together in a single place meaning there is always a ‘single source of truth’. It will record changes (i.e. updates, additions or deletions to information, data, documents and plans), including the reason for change, evaluation of change, date of change, and the decision-making process. This will reduce the duplication of information (email updates and multiple documents) and help drive improved accountability, responsibility and a new working culture. Persons responsible for a building are encouraged to use common data environments to ensure there is controlled access to a single source of truth.
* Secure: the golden thread must be secure, with sufficient protocols in place to protect personal information and control access to maintain the security of the building or residents. It should also comply with current GDPR legislation where required.
* Accountable: the golden thread will record changes (i.e. updates, additions or deletions to information, data, documents and plans), when these changes were made, and by who. This will help drive improved accountability. The new regime is setting out clear duties for dutyholders and Accountable Person for maintaining the golden thread information to meet the required standards. Therefore, there is accountability at every level – from the Client/Accountable Person to those designing, building or maintaining a building.
* Understandable/consistent: the golden thread needs to support the user in their task of managing building safety and compliance with building regulations. The information in the golden thread must be clear, understandable and focused on the needs of the user. It should be presented in a way that can be understood, and used by, users. To support this, dutyholders/Accountable person should where possible make sure the golden thread uses standard methods, processes and consistent terminology so that those working with multiple buildings can more easily understand and use the information consistently and effectively.
* Simple to access (accessible): the golden thread needs to support the user in their task of managing building safety and therefore the information in the golden thread must be accessible so that people can easily find the right information at the right time. This means that the information needs to be stored in a structured way (like a library) so people can easily find, update and extract the right information. To support this the government will set out guidance on how people can apply digital standards to ensure their golden thread meets these principles.
* Longevity/durability and shareability of information: the golden thread information needs to be formatted in a way that can be easily handed over and maintained over the entire lifetime of a building. In practical terms, this is likely to mean that it needs to align with the rules around open data and the principles of interoperability – so that information can be handed over in the future and still be accessed. Information should be able to be shared and accessed by contractors who use different software and if the building is sold the golden thread information must be accessible to the new owner. This does not mean everything about a building and its history needs to be kept, the golden thread must be reviewed to ensure that the information within it is still relevant and useful.
* Relevant/proportionate: preserving the golden thread does not mean everything about a building and its history needs to be kept and updated from inception to disposal. The objective of the golden thread is building safety and therefore if information is no longer relevant to building safety it does not need to be kept. The golden thread, the changes to it and processes related to it must be reviewed periodically to ensure that the information comprising it remains relevant and useful.

These definitions and principles will help set the direction for how digital threads will be built in the compliance domain, not only within the UK but also in other jurisdictions.

What Digital Threads Mean For Compliance

Evidence of compliance has always been needed and this means more than attestations as the way to verify that what should have been done was actually done. This approach was always too slow, too late and not always accurate. That is why the concept of a Golden Thread as a means to provide evidence and assurance of compliance throughout the design, building and maintenance of buildings is a game changer.

However, it will still take time for digital thread infrastructures to be established, particularly those that meet the properties outlined for the UK's Golden Thread.

At one level digital threads are still retrospective and on the lagging side of risk events. However, they could become more than feed-back processes, particularly for downstream activities. When combined with digital twins they could become feed-forward and provide predictive utility, particularly when used to improve and validate design models. At a minimum, digital threads will provide more up-to-date and reliable information for all stakeholders during every stage of a building's life cycle.

Now that we have a defined purpose and properties for digital threads in the compliance domain, it is likely that "Golden Threads" will become part of other regulatory regimes.
Medical device manufacturers are already using digital threads to provide traceability across DHF, DMR, and DHRs. There are also examples of digital threads in Oil & Gas and other regulated industries with respect to safety-critical data. In addition, using digital threads as part of a Management of Change (MOC) process may help ensure design integrity as a result of planned changes.

Instead of trying to integrate systems together, digital threads may provide a more effective means for compliance critical information to be made available not only as evidence of compliance but as a proactive measure to prevent risk.

Proactive organizations should begin to plan pilot projects to explore how digital threads would be used in response to regulatory reforms but also as part of their own internal compliance efforts.

If you are interested in developing and implementing digital thread strategies please contact our project management office to learn how Lean Compliance can help.
- IS EDM DEAD?
Business processes require information to produce the desired outcomes. This information comes in various forms and is used in a variety of ways which cannot always be known in advance. However, there is a class of documents where it is necessary to control the format and its use in order to meet compliance requirements.

Capabilities to manage these types of documents are needed today just as they were a few decades ago. However, in today's world of big data and artificial intelligence (AI) managing documents is not seen as important and some would even say no longer necessary. In fact, some technology enthusiasts have recently been proclaiming that electronic/enterprise document management (EDM) is dead or will be in the near future. The approaches and technologies used in the past no longer (if at all) work and should be abandoned in favor of newer technologies.

There are many reasons that are typically given (several of which are well justified) as to why EDM has not provided the promised benefits. One key reason is that users still cannot find the documents they need even using EDM technology.

EDM has traditionally relied on indexing documents using a classification scheme to locate documents. Developing and managing classification schemes is considered to be too costly, error prone, and not needed as you can just search the content within the documents directly.

In Part 1 of this blog post we will look at this assertion, the state of EDM and reasons why it has not delivered on its objectives. In Part 2, we will consider how to address these shortcomings and outline how EDM can be successfully implemented using existing technologies.

HISTORICAL LESSONS

To start, it is helpful to remind ourselves that similar statements about EDM have been made before. This tends to happen whenever newer technologies enter the marketplace. This was the case when full text search was first introduced in the 90s. Leading vendors at that time advocated doing away with classification schemes.
Forget about trying to manage data because we can find the data for you using our search technology. Today we hear the same argument from those that promote big data and artificial intelligence.

Using full text search to discover information is useful and needed when looking for information stored in vast amounts of content. However, a critical problem with using these technologies is that they assume that the data is self-describing, which means that data about the data (which we call metadata) is contained within the object we are looking for. If this is not the case then it becomes almost impossible to locate relevant information.

It is worth noting that after many years of using the web and searching using the content alone we are now investing a significant amount of time and money doing Search Engine Optimization (SEO) to improve search results. There are still problems with false positives and search accuracy. We are now inserting classification (i.e. metadata) back into documents in the form of keywords and tags so that the content we are looking for can be found.

Google will get you close but not close enough, which is a serious risk to compliance-based processes. You can just imagine the consequences of retrieving and using the wrong procedure because the search engine returned a list of close but not exact matches to your query.

Managing document classifications is necessary when the purpose is to deliver exactly the correct document to the correct person at the correct time. This is still something that search engines alone cannot provide and one of the key reasons why you still need EDM.

WHAT IS EDM?

EDM is simply a system to manage documents and is considered part of the overall domain of Enterprise Content Management (ECM). EDM manages the class of documents that need to be controlled because they are inputs to critical business processes in the same way that raw materials are controlled in manufacturing processes.
We find that these documents are still mostly unstructured, requiring data describing them to be controlled and managed outside the document itself. EDM also provides other capabilities to manage important aspects that are critical to compliance which have largely been forgotten.

It is common when talking about documents to take a reductionist view and lump them in the general bucket of data. This perspective unfortunately removes important distinctions that characterize the nature of documents, which can be seen when considering the following definition for a document:

"Something tangible that records communication or facts with the help of marks, words, or symbols. A document serves to establish one or several facts, and can be relied upon as a proof thereof. Generally speaking, documents function as evidence of intentions, whereas records function as evidence of activities"

This definition suggests several characteristics that a document must have in order to be considered as evidence or as a record. These include:

* Unalterable
* Bi-temporal
* Structured
* Intentional
* And so on

It is very common these days to hear companies use the concept of a "living" document to describe their documents. These documents are constantly changing and edited in place, and only the latest version should be used. This description defines a particular use case for how documents are edited and retrieved.

However, the notion of living documents is seldom if ever used in compliance processes, where what is critical is that the user uses the "latest approved" version, or more correctly the one that he/she was trained on. The use cases for which version should be used are more nuanced, for example:

* The latest official release
* The latest approved version
* The latest approved version in the training system
* The latest work in progress version

To effectively manage documents it is necessary to first understand what a document will be used for. It is in managing these intentions where EDM shines.
This is very different from how content on the web is used. Content on the web typically is for a single use case and seldom has support for different uses of a document.

EDM systems will have many more capabilities to support what is needed to preserve the integrity of documents across various uses to satisfy business and compliance requirements. These will include:

* Life Cycle Management (or workflow)
* Metadata Management
* Versioning
* Electronic Signatures
* Markup / Annotations
* Multiple Formats
* Office Integration
* Relationship Management
* Release Management
* Digital Rights Management
* Navigation / Search

The power of EDM comes from managing all the dependent relationships with related information. In this way, EDM is more like a database than it is a file server. These relationships describe the intention for each document and are therefore essential from a compliance perspective. For example, a document is:

* A Work Instruction, or Policy, or Standard
* Effective for the next 24 hours
* Superseded by the current version
* Controlled or Uncontrolled
* The latest approved version

THE STATE OF EDM

EDM has always suffered from an identity crisis. EDM started out as purpose-built applications that utilized a relational database back end with an attached file store. This evolved to be more object oriented and over time transitioned to a platform offering in an attempt to become a "content" version of traditional database systems.

API standards were developed to address proprietary interfaces and implementations. However, before these could gain traction the web took over. This would in many ways diminish the advances that EDM had up until then provided. It was very much three steps forward and two steps back.

The introduction of the web and later content management did furnish a needed level of standardization along with enabling the shift from client/server technologies to web-based architectures. While this was good, it sacrificed functionality specific to managing documents in doing so.
After many years of using HTML, creating web pages, and managing web content, most people consider managing content as synonymous with managing documents. Intranet platforms have for the most part replaced document management systems, not in terms of capability but in terms of mind share.

Many EDM vendors have been sidelined or have pivoted to become content management providers. Some of them are doing both. One of these vendors is Microsoft with their SharePoint platform, which is used in many organizations. SharePoint is an intranet platform that has over time added document and record management capabilities.

SharePoint is worth mentioning because it has also become the de facto repository for documents in many companies. However, instead of documents being controlled using EDM paradigms, we find that:

1. Documents are managed as files
   * Metadata is not used, managed, or controlled
   * New documents are created for every version
   * Life cycles are implemented as folders where files are duplicated
2. Documents are managed as web content
   * Minimal life cycle management
   * Minimal relationship or link management
   * Minimal release management
   * Minimal security
3. Document management is left to each business process owner
   * IT is not involved
   * Lack of consistent practices
   * Lack of expertise and best practices
4. Documents are stored in communication channels
   * E-mail
   * Messaging
5. Documents are stored in collaboration platforms
   * File servers
   * Intranets
   * Cloud Applications

While data awareness and capabilities have to some degree improved over the years, these have been limited to what can be done using spreadsheets and what can be done using content management on intranets. Unfortunately, both of these tools are inadequate to effectively control and manage data and documents.

The hope that content management would catch up to EDM still has not materialized.
Many have waited for approaches such as the semantic web and RDF to create self-describing data; however, these have not advanced far enough to fill in the gaps.

In the meantime, information technology has moved on. Enterprise IT is now preoccupied with moving to the cloud. Application developers are deconstructing workflows and redoing them for mobile. Cloud providers are racing to become the preferred repository for all your data but are mostly agnostic to how you use this information.

Information technology for all intents and purposes has abandoned the domain of controlled documents and EDM.

WHAT CAN BE DONE?

Given the limited resources available to companies, many are struggling to manage documents needed to support their business processes. Many technologies exist to help but have been largely forgotten, misunderstood, or otherwise neglected.

The good news is that the steps to improve the management of documents have largely stayed the same and include:

* Identify which documents are critical for compliance.
* Conduct a document inventory to locate each document and determine how it is used.
* Establish a standardized approach to managing these documents.
* Leverage existing technologies to manage the document life-cycle.
* Automate management processes to embed evidence of compliance, streamline approvals, and manage document security.
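The version use cases listed earlier in this post (latest official release, latest approved, latest approved in the training system, latest work in progress) can be resolved from controlled metadata rather than search, as in this added sketch, which is not code from the original post or from any EDM product. The state names, the rule that a superseded version is never delivered, and training records held as a set of version numbers are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from enum import Enum
from typing import Optional


class State(Enum):                 # life cycle states (assumed names)
    DRAFT = "work in progress"
    APPROVED = "approved"          # signed off, not yet released
    RELEASED = "released"          # official and in force
    SUPERSEDED = "superseded"      # replaced by a later release


class Use(Enum):                   # the four use cases named in the post
    OFFICIAL_RELEASE = "latest official release"
    LATEST_APPROVED = "latest approved version"
    TRAINED_ON = "latest approved version in the training system"
    WORK_IN_PROGRESS = "latest work in progress version"


@dataclass(frozen=True)
class Version:
    number: int
    state: State
    effective_from: Optional[datetime] = None
    effective_to: Optional[datetime] = None

    def in_force(self, at: datetime) -> bool:
        """Released and inside its effective window at time `at`."""
        if self.state is not State.RELEASED or self.effective_from is None:
            return False
        return self.effective_from <= at and (
            self.effective_to is None or at < self.effective_to)


class NoEligibleVersion(LookupError):
    """Raised instead of falling back to a 'close' match."""


def resolve(versions, use, at, trained_versions=frozenset()):
    """Return the single version that satisfies `use`, or raise."""
    approved = (State.APPROVED, State.RELEASED)
    if use is Use.OFFICIAL_RELEASE:
        eligible = [v for v in versions if v.in_force(at)]
    elif use is Use.LATEST_APPROVED:
        eligible = [v for v in versions if v.state in approved]
    elif use is Use.TRAINED_ON:
        # Superseded versions are excluded even if the user trained on them.
        eligible = [v for v in versions
                    if v.state in approved and v.number in trained_versions]
    elif use is Use.WORK_IN_PROGRESS:
        eligible = [v for v in versions if v.state is State.DRAFT]
    else:
        raise ValueError(f"unknown use: {use!r}")
    if not eligible:
        raise NoEligibleVersion(use.value)
    return max(eligible, key=lambda v: v.number)


def resolve_number(versions, use, at, trained_versions=frozenset()):
    """Version number to deliver, or None when delivery must be refused."""
    try:
        return resolve(versions, use, at, trained_versions).number
    except NoEligibleVersion:
        return None


# Constructed sample: version history of one work instruction.
HISTORY = [
    Version(1, State.SUPERSEDED, datetime(2022, 1, 1), datetime(2023, 1, 1)),
    Version(2, State.SUPERSEDED, datetime(2023, 1, 1), datetime(2024, 1, 1)),
    Version(3, State.RELEASED, datetime(2024, 1, 1)),
    Version(4, State.APPROVED),
    Version(5, State.DRAFT),
]
NOW = datetime(2024, 6, 1)
```

The same history yields a different answer for each intention, and a user whose only training record is for a superseded version gets a refusal rather than a near match.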











