COMPLIANCE
- Management Previews
When it comes to management-based standards and regulations, almost all include a requirement for Management Review. The purpose of a management review has traditionally been to look at what has been accomplished and make the corrections needed to maintain targeted levels of performance against quality, safety and security, environmental, and regulatory objectives. In recent years requirements have been expanded to consider strategic alignment and overall effectiveness, which requires a different point of view. The prevailing approach to Management Review looks in the rear-view mirror of past performance and uses lagging indicators to make adjustments that improve consistency. This is necessary but limited when it comes to contending with what lies ahead, often very soon. A proactive approach to Management Review, let's call it Management Preview, adds another perspective by looking at what's ahead and using leading indicators to make course corrections that improve effectiveness. The purpose of systems is to achieve consistency by adhering to procedures, resisting change, and reacting to variation, while programs anticipate conditions, introduce change, and advance outcomes. Although this distinction is conflated in many management-based standards and regulations, it helps to understand the difference between governance, the process of steering, and managing, the process of controlling. Using this distinction we can say that Management Review is a function of systems that control processes, whereas Management Preview is a function of programs that govern systems. Management Previews are essential for all purposeful endeavors where outcomes are being advanced and performance must improve not only to maintain consistency but to improve outcomes.
- When Is the Right Time to Introduce Technology?
Recently, I spoke with a client who answered this question by saying that technology, when introduced too soon, can short-circuit the learning process. People can lean too much on the technology without fully understanding what the process and tools are really trying to do, which works against establishing new behaviors and practices. In a fashion, my client's response speaks against today's widespread perspective that technology is the answer to many of our problems. For some, the introduction and use of technology is necessary to achieve the outcomes we want. However, is there a point where technology actually gets in the way of achieving those outcomes? And if so, how do you know when you have reached that point? The perspective that technology is the answer to our problems comes partly from a mindset called technological determinism, also referred to as technology-push. This view suggests that technology drives the solution instead of the business shaping what is needed. In many ways technology is the key enabler of change. However, technology-push causes issues when the technology runs ahead of the business need; you end up with a solution looking for a problem rather than the other way around. This is where the rub is, and the heart of where my client was coming from. Technology is often needed to support change, but without the right balance it can "push" beyond what is needed and cause issues that work against achieving the desired outcomes. Keeping the tension between business demand and technology push in balance is difficult. Here are a few things that can help: Keep the overall outcomes in mind; don't forget what the technology is for. Keep the business need and the technology capabilities in sync; don't let either get too far ahead of the other (i.e. don't over- or under-invest). Keep measuring and monitoring your outcomes and adjust capabilities when necessary.
It is possible to slow down or speed up adoption to stay in sync with technology introduction. Remember, this is more like dancing than racing. Plan-Do-Check-Act Questions: In what ways have you observed technology hindering or advancing your program outcomes? What needs to happen to keep the business need and the technology capabilities in sync? What would it look like if technology was at the right level? What step can you take to adjust your use of technology to match your business need?
- Compliance Technologies – Part 1
Navigating the constantly evolving landscape of compliance can be a challenging task for organizations, as it involves adhering to various regulations and stakeholder obligations across industries and countries. A comprehensive compliance program that covers all applicable laws and stakeholder requirements is crucial for every business to stay on top of its compliance obligations. At Lean Compliance, we specialize in helping organizations stay between the lines and ahead of risk. Through the lens of our proactive, integrative approach we help organizations evaluate and improve existing compliance programs, systems, and technologies used to address both the management and technical aspects of compliance. In this series we explore the technology side of compliance, which we have categorized into the following solution categories:
Regulatory Compliance solutions - these solutions are designed specifically to help organizations comply with regulations and laws. This can include tools for monitoring regulatory changes, automating compliance tasks, and managing compliance documentation.
Risk Management solutions - these solutions help organizations identify, assess, and mitigate compliance risks. This can include tools for conducting risk assessments, implementing internal controls, and monitoring compliance metrics.
Environmental, Health, and Safety (EHS) solutions - these solutions are designed to help organizations manage compliance with environmental, health, and safety regulations. This can include tools for managing hazardous materials, tracking safety incidents, and monitoring compliance with OSHA regulations.
Governance, Risk, and Compliance (GRC) solutions - these solutions provide a holistic approach to managing compliance, risk, and governance issues. This can include tools for managing policies and procedures, conducting risk assessments, and monitoring compliance metrics across the organization.
Compliance Management software - this category includes software solutions that help organizations manage their compliance programs. This can include tools for tracking compliance obligations, managing audits and inspections, and monitoring compliance metrics.
In this first article we look at four vendors that specialize in the Regulatory Compliance solutions category: ENHESA, Nimonik, RegScan, and STP Publishers.
ENHESA is a consulting firm that specializes in providing EHS regulatory compliance services to multinational companies. They provide expert guidance on regulatory compliance issues, helping organizations to identify and mitigate risks, develop compliance strategies, and stay up to date with the latest regulatory changes.
Nimonik is a compliance software company that provides environmental, health, and safety compliance auditing and monitoring solutions. They offer a web-based platform that helps organizations manage their regulatory compliance obligations through automated audits, corrective actions, and tracking of regulatory changes.
RegScan is a company that provides compliance solutions to help businesses manage their environmental, health, and safety (EHS) regulations. They offer a web-based platform that provides access to regulatory data, analysis tools, and compliance management systems to help organizations stay up to date with regulatory changes and ensure compliance.
STP Publishers is a publishing company that provides regulatory compliance information in various formats, including online, print, and mobile applications. They offer a range of products, such as guides, handbooks, and manuals, covering various EHS regulatory topics, including OSHA, EPA, and DOT regulations.
These companies provide various solutions to help organizations stay compliant with obligations that include (but are not limited to) environmental, health, and safety requirements.
They all offer expertise, software solutions, and regulatory information to help businesses better meet their compliance obligations.
Where do ENHESA, Nimonik, RegScan and STP Publishers map to the solution categories?
There is often significant overlap between technology solutions, and this is no different when it comes to compliance. The solutions offered by each company may vary depending on the specific package or plan that an organization chooses to subscribe to, and the categories listed above are not exhaustive. However, based on their websites and marketing materials, here's how the solutions compare to the compliance solution categories:
Regulatory compliance solutions: all four companies offer regulatory compliance solutions that help organizations comply with laws and regulations. These solutions can include tools for monitoring regulatory changes, automating compliance tasks, and managing compliance documentation.
Risk management solutions: all four companies offer partial risk management solutions to help organizations identify, assess, and mitigate compliance risks, with support for conducting risk assessments and capturing risk metrics.
Environmental, health, and safety (EHS) solutions: Nimonik and ENHESA offer EHS solutions to help organizations manage compliance with environmental, health, and safety regulations.
Governance, risk, and compliance (GRC) solutions: ENHESA and Nimonik both offer partial GRC solutions to address compliance, risk, and governance requirements, including managing policies and procedures and monitoring compliance metrics.
Compliance management software: ENHESA and Nimonik both offer compliance management software that allows organizations to track compliance obligations, manage compliance activity, conduct audits and inspections, and monitor compliance metrics.
Here's a summary comparison of the solutions offered by ENHESA, Nimonik, RegScan, and STP Publishers against the solution categories listed above:

Compliance Solutions Category                        ENHESA    Nimonik   RegScan   STP Publishers
Regulatory compliance solutions                      Yes       Yes       Yes       Yes
Risk management solutions                            Partial   Partial   Partial   Partial
Environmental, health, and safety (EHS) solutions    Yes       Yes       No        No
Governance, risk, and compliance (GRC) solutions     Partial   Partial   No        No
Compliance management software                       Yes       Yes       Partial   Partial

This comparison is based on publicly available information and may not be exhaustive or completely accurate.
How do ENHESA, Nimonik, RegScan and STP Publishers help you stay between the lines and ahead of risk?
ENHESA, Nimonik, RegScan, and STP Publishers are all designed to help companies manage compliance. However, the effectiveness of each solution in handling compliance risk depends on several factors, including the specific industry, the types of regulations the organization must comply with, and the organization's specific compliance needs and requirements. That being said, ENHESA is generally considered a leading provider of compliance solutions for multinational companies that need to manage compliance across multiple jurisdictions. ENHESA's solutions provide a comprehensive approach to compliance risk management, including a focus on risk assessments, compliance audits, and compliance gap analysis. Nimonik also offers a comprehensive range of compliance management tools and features to identify and manage obligations, create and track compliance activity, conduct audits, and capture and monitor compliance risks. STP Publishers and RegScan primarily provide compliance content (RegScan also provides audit capabilities), such as manuals and online resources, that can help organizations stay up to date with regulatory changes and requirements.
While these resources can be useful in staying between the lines, they may not provide the same level of hands-on support and guidance needed to contend with uncertainty and risk. Overall, the effectiveness of each solution in handling compliance risk will depend on the specific needs and requirements of the organization. It is important to evaluate each solution based on its specific features, capabilities, and industry focus to determine which one will best meet the organization's compliance risk management needs.
Here's how each compares against key compliance capabilities:

Features                                                  ENHESA    Nimonik   RegScan   STP Publishers
Compliance monitoring and tracking                        Yes       Yes       Yes       No
Regulatory updates and alerts                             Yes       Yes       Yes       Yes
Compliance gap analysis                                   Yes       Yes       Yes       No
Compliance risk assessments                               Yes       Yes       Partial   No
Compliance audit tools                                    Yes       Yes       Yes       Partial
Multinational compliance management                       Yes       No        No        No
Environmental, health, and safety compliance management   Partial   Yes       No        No
Industry-specific compliance guidance                     No        No        No        Yes
Integration with enterprise systems                       Yes       Yes       Yes       Yes

This comparison is not meant to be exhaustive, and there may be additional features and capabilities offered by each solution beyond those listed here. Additionally, the specific features and capabilities of each solution may vary depending on the specific package or plan that an organization chooses to subscribe to.
What are the main differences between ENHESA, Nimonik, RegScan and STP Publishers?
ENHESA, Nimonik, RegScan, and STP Publishers all provide regulatory compliance solutions, but there are some differences between them. ENHESA is a global environmental, health, and safety (EHS) consultancy that provides compliance solutions to businesses operating in various industries. Their services include regulatory analysis, EHS audits, and compliance management systems.
Nimonik provides a turn-key, web-based compliance monitoring platform that helps organizations identify, track, and comply with applicable regulations. Their services include audit and inspection tools, document management, and automated compliance alerts. The main differentiator is that they have both software and content, allowing you to rapidly deploy a compliance monitoring program. They can also extract obligations from your internal documents such as permits, policies and procedures. RegScan is a global regulatory compliance solution provider that offers compliance monitoring, analysis, and management solutions for businesses. Their services include compliance audits, training, and consulting. They are now owned by ENHESA, which is based in Belgium. STP Publishers is a provider of EHS and sustainability regulatory compliance solutions, offering online tools and consulting services to help organizations stay up to date with regulatory changes. Their services include regulatory compliance news and analysis, training, and audit checklists. RegScan, ENHESA and STP focus on providing data. To fully use their information you often need to purchase software such as a GRC platform or an EHS platform. If you are a large organization with a big team and budget, this might be the best option, as you will be able to fully customize the program. The main differences between these providers are the scope of the industries they serve and the management capabilities they provide. For example, while all four providers offer compliance monitoring and management solutions, ENHESA focuses specifically on EHS compliance, while Nimonik covers regulatory change for privacy, cybersecurity, HR, aviation and numerous other areas of concern. Each has a different way for risk to be captured, evaluated and managed. Ultimately, the choice of provider will depend on your organization's specific needs and the industries you operate in.
It's important to conduct thorough research and evaluation of the various providers to determine which one offers the best fit for your organization's compliance needs.
Summary
In today's business landscape, regulatory compliance is more important than ever. Failure to comply with regulations can result in hefty fines, legal action, and damage to a company's reputation. Fortunately, technology solutions have emerged to help organizations manage compliance more efficiently and effectively. ENHESA, Nimonik, RegScan, and STP Publishers are four companies that offer regulatory compliance solutions to assist organizations in complying with laws and regulations. These solutions include tools for monitoring regulatory changes, automating compliance tasks, and managing compliance documentation and information. Overall, compliance technology solutions are becoming more critical for organizations to effectively manage their regulatory and stakeholder obligations. The solutions offered by these companies can provide organizations with the tools they need to stay compliant, avoid costly penalties, and protect their reputation. Lean Compliance helps organizations stay between the lines and ahead of risk. Visit our website to learn how you can improve the probability of mission success by using a proactive and integrative approach to compliance.
- Turning Best Effort Into Best Outcome
When it comes to playing games where the goal is to have fun, “Best Effort” is often applauded and even celebrated. We often hear statements like, “you did your best, and as long as you had fun that’s all that matters.” This may provide some consolation when the stakes are low and you are dealing with a bruised ego. However, when the stakes are higher and the goal is to save lives, “Best Effort” may not be enough. Knowing that you did your best when an incident occurs provides little comfort to those who have been injured or to those responsible for their well-being. A “Best Effort” approach is also rarely acceptable to high-performing companies when it comes to making production numbers or other business goals. However, it is surprisingly often the approach adopted for meeting compliance objectives. In this blog we will look at why a “Best Effort” approach is not enough and how you can turn it into a “Best Outcome” strategy to advance compliance objectives and improve overall outcomes.
The Tale of Two Companies
Let’s consider two companies, each operating processing facilities that produce natural gas for distribution by downstream operators. Both are focused on operational excellence and cost reduction, and both have a safety culture in place. Their safety records to date have not been stellar, both having had numerous incidents as well as at least one fatality in the last decade. Both companies have come to realize that they need to improve their safety record and have decided to adopt a new safety initiative and introduce a new safety management system. At this point, as far as one can tell, these companies look the same and are taking the same kind of actions to improve. However, their results may turn out differently. One company has adopted a “Best Effort” approach, whereas the other an approach based on “Best Outcome.”
Best Effort Approach
The best effort approach is more common than one would expect. Companies promise to achieve the desired outcomes (e.g.
zero incidents, zero defects, zero fatalities, and so on) but their focus is on “effort” rather than “results.” Companies may implement standard practices and behaviours, management systems, safety culture, and even continuous improvement; however, outcomes remain largely incidental and contingent (subject to chance) rather than planned and managed. The “best effort” approach is characteristic of organizations in the early stages of capability maturity, where attention is given to standard work, process consistency, inspections and audits, and corrective actions. Systems (safety, quality, environmental, etc.) are introduced to manage processes, and industry standards help to ensure that the minimum processes are in place. The goal of all systems is to “execute processes as consistently as possible” or, using the previous analogy, “play the game the best you can.” This approach has the greatest impact when essential processes, practices, or culture are missing or not meeting a minimum standard. Outcomes may improve, although these are often not measured or used to drive continuous improvement. Since the goal is to “execute processes as consistently as possible,” resources are aligned to achieve that end rather than to advancing outcomes. From a systems-theory perspective we know that when optimizing for a given outcome you will necessarily optimize away from other outcomes. In other words, you can only improve in the direction you are facing. When you are facing “consistency” you will necessarily move away from “effectiveness.”
Best Outcome Approach
A “Best Outcome” approach differs from “Best Effort” in that it optimizes for progress with respect to outcomes rather than effort or efficiency. This is more than a subtle change in focus or a play on words; it defines a different strategy altogether. Companies will still implement standard practices and behaviours, management systems, safety culture, and even continuous improvement.
However, the focus is on whether or not they have the “right” capabilities at the “right” level of performance to achieve the promised outcomes. This is one of the roles that governance and its associated programs (i.e. the permanent versions of steering committees) have: to steer capabilities towards creating “Best Outcomes.” This approach is “proactive” in that it doesn’t wait until an incident has occurred before making further improvements. Instead, it anticipates, plans, and acts to ensure that progress against outcomes is made. This requires that risk is managed and improvement is made by continually steering towards defined goals, objectives, and intended results.
Adopting a “Best Outcome” Approach
When companies are in the early stages of capability maturity, a “Best Effort” approach can provide utility in introducing missing capabilities. For some companies this is a starting point, but for all companies it is not the destination when it comes to advancing compliance outcomes. Without a steering function a “Best Effort” approach will “continuously improve” towards greater consistency rather than effectiveness. Unfortunately, this tends to promote more inspections, audits, and corrective actions, which is commonly referred to as the “audit-fix cycle.” However, there is a way for companies that have adopted this approach, or are caught in the audit-fix cycle, to become more effective. Here are five steps towards that end:
1. Clearly define goals, objectives, and expected outcomes.
2. Determine the capabilities (people, processes, organization, technology, culture, etc.) needed to achieve them.
3. Develop a risk plan to ensure progress is made.
4. Define how progress will be measured.
5. Establish a governance program to continuously improve compliance effectiveness.
Two Companies, Two Outcomes?
The outcomes of the two companies mentioned previously are still pending. Which one do you think will reach zero incidents: the one that chose a “Best Effort” approach, or the one that chose “Best Outcome”?
Let me know what you think or which approach you would use.
- Proactive Planning
Does your approach to planning adequately address performance and outcome-based obligations?
- Risk-Based CAPA?
Many companies are in the midst of adopting the changes introduced by ISO 9001:2015. One of the most significant of these is incorporating "risk-based thinking." Risk-based thinking was introduced to improve (among other things) the effectiveness of how corrective and preventive actions (CAPA) are handled. From the standard we know that preventive action has been replaced with taking a risk-based approach. In this blog I am going to explore the concept that some have proposed of replacing CAPA with CARA (i.e. Corrective Action / Risk Assessment). At the basic level this means conducting a risk assessment for each corrective action. First of all, there are good reasons to conduct a risk assessment on corrective actions. We know that change can be a significant source of new and emerging risks. When dealing with any change there are two primary sources of risk that need to be addressed:
Risks implementing the change – these are risks in conducting the work needed to effect the change. These risks may include worker safety, temporary impacts on other processes (including risk controls), and so on. A portion of these risks can be addressed proactively by using safe work practices, which are procedures that have been previously risk-assessed.
Risks introduced by the change – these are new risks, or changes to existing risks, that result after the change has been made. These risks are identified as part of the change process, usually by a cross-functional team with experience in detecting risks within their particular discipline. Depending on the scope of the change it is not uncommon to have occupational safety, process safety, IT, compliance, regulatory, environment, and other specialists involved as part of the risk assessment team.
Corrective actions are a source of change and therefore also a potential source of risk. However, there are limitations in using them as the only trigger to identify and manage both external and internal program risks.
These limitations result from the fact that corrective actions are often:
  - addressed in isolation from other actions
  - triggered by symptoms and not systemic causes
  - a reaction to a non-conformance, leading to lagging actions
  - not effective at addressing latent failure modes (those that have yet to be discovered, by the customer for example)
To overcome these limitations, companies should take a proactive and holistic (systems) approach to assessing risk. In fact, ISO 9001:2015 requires each company to determine and address the risks and opportunities associated with the processes within its quality management system. While this is good, it is not enough to identify the risks associated with the objectives of the entire program. The latter requires consideration of not only individual processes but also how they interact with other processes within and outside the quality program, all with the goal of assessing how uncertainty affects the achievement of program outcomes. The first step is having clear and concise program objectives for each system and process. This will properly constrain risk assessments, along with the resulting treatments, to ensure that the certainty of achieving program goals is increased. The advantages of being proactive and using a holistic/systems approach to risk assessment include:
  - improving processes before a non-conformance is realized
  - addressing latent failure modes before they become active
  - minimizing disruption, and the risks introduced by implementing change, by consolidating changes
  - avoiding the higher costs associated with addressing non-compliance after the fact
  - applying resources to the risks that really matter to achieving program outcomes
Including risk assessments as part of corrective actions is indeed part of risk-based thinking. However, on its own it is not enough to address uncertainty in achieving program outcomes. #RiskbasedThinking #CAPA #ISO9001 #ManagementofChange
- Does Compliance Need an Incident Management System?
With the emergence of the COVID-19 pandemic many are working remotely with minimal on-site presence. This has put a strain on existing operational systems and processes, particularly those connected with risk and compliance that were designed for and under different conditions. Organizations that have relied solely on audits to identify gaps in their compliance may now discover them to be too late and too slow for that purpose. In fact, as operating conditions have changed significantly, they may no longer be effective at all. What should organizations do to deal with possible increases in incidents across their safety, environmental, regulatory, or quality programs? In this blog I will explore how organizations can answer this question, but first we need to understand why audits are used in the first place.
Use of Audits
The use of periodic audits as the primary compliance control is all too common and has always had its limitations. By design, audits provide evidence of what has happened. Audits provide a lagging indicator that can be used to identify and then correct prescriptive compliance gaps so that they don’t recur. Audits work best when organizations are mostly “in compliance.” Audits cannot correct what has already happened. However, they do provide status on the integrity of financial and other reports that give witness to the conditions at a certain point in time. Under normal conditions, when organizations are mostly “in compliance,” they may also help to identify minor violations or infractions against standard practices and procedures. However, conditions today are not normal. The assumption that organizations are still mostly “in compliance” may no longer be warranted or wise. In the presence of the significant uncertainty of a COVID-19 pandemic world, what should organizations now do so that they continue to operate between the lines? Are audits enough to provide the assurance that stakeholders require?
Lessons from Process Safety
In highly regulated, high-risk industries another process is used to stay ahead of the effects of uncertainty. This process is known as Incident Management (IM) and is one of the pillars of an effective risk and compliance program. Incident management systems are used to address emergencies, but also to discover when organizations cross the lines well before audits might otherwise catch them. The hope is that infractions are caught while the consequences and the cost to correct them are small. In fact, it may even capture near misses, which provide an earlier warning of possible future incidents. Incident Management (IM) systems help to turn this hope into a reality. Incident management systems are used by safety-first organizations that have a culture of preparedness and response, something that almost all compliance programs need these days. The following are key principles of effective incident management programs. Practice of these principles can be observed in industries such as Energy, Oil & Gas, and Mining. However, they can also provide insights for others who are experiencing higher levels of uncertainty and risk as a result of the on-going COVID-19 pandemic.
Incident Management Principles
1. Preparedness and Response
While effective risk management aims to prevent incidents before they happen, incident management aims to protect the public, workers, property and the environment in case one does. This requires awareness of the effects of uncertainty (cf. the definition of risk in ISO 31000) and establishing measures in advance to mitigate those effects should an adverse situation arise. Establishing response standards is essential to knowing the level of preparedness needed, along with how best to address specific cases such as emergencies.
3. Emergency Management Process
Emergency management involves all the activities prior to and in response to a significant adverse event that has the potential to do harm. Having a comprehensive response plan focused on rapid response can mean the difference between life and death, along with the potential to avoid substantial remediation costs. After the emergency has been addressed, clean-up, restoration, and remediation efforts are put in place, informed by the results of a thorough incident investigation.
4. Incident Investigation
To prevent recurrence of an adverse event it is necessary to understand the root cause, or at least the primary causes, leading to the event. This requires thorough investigation and expert practice of root cause analysis (e.g. the Apollo Method), STAMP (Systems-Theoretic Accident Model and Processes), HAZOP, and other techniques designed to identify the factors that may create the conditions and actions for recurrence of the incident or similar ones.
5. Incident Resolution
Investigation, while important, will not have its full effect unless measures are put in place to implement recommendations that reduce the probability of recurrence. Establishing new or updated measures and monitoring their effectiveness is necessary, and is where much of the failure in risk management occurs. Continuous evaluation of the effectiveness of risk measures is an essential practice for companies that strive towards operational excellence.
6. Incident Reporting
Incident reporting provides both leading and lagging information about incidents. Tracking events that fall outside risk and compliance boundaries or targets is essential both for government reporting and for discovering the causes of possible future events. Capturing “near misses,” while not easy to define or to do, is the current focus of many safety-first organizations that are serious about preventing harm to their workers, property, communities, and the environment.
7. Continuous Learning and Adaptation
For an incident management program to remain relevant and effective it must continually adapt to changing conditions and consider learning from within as well as outside the organization. When conditions are changing as fast and as significantly as they are now, it is imperative that organizations continue to learn and adapt their risk and compliance programs. For some (perhaps many) this begins with not assuming that the state of existing risk and compliance is what it was prior to the pandemic. This will necessarily lead to establishing and/or upgrading the processes associated with incident management.
Summary
COVID-19 has created significant disruption and uncertainty across the world, across communities, and across businesses of all shapes and sizes. Assuming that prior risk and compliance controls have remained intact and are still effective may no longer be warranted or wise. Waiting for downstream audits and reports may not be fast enough to close the gaps in programs essential to keeping organizations operating between the lines and protecting against harm or loss. Under current pandemic conditions, or until the state of risk and compliance programs is better understood, organizations should consider implementing incident management programs to mitigate the effect of adverse events, which are now more likely to occur. Tracking and monitoring of incidents may themselves provide early warning, giving organizations time to prepare. However, safety-first organizations will take the proactive step of first understanding their risks to ensure that they are ready to respond. Lean Compliance helps forward-looking organizations improve stakeholder trust by improving the effectiveness of risk and compliance programs.
- Regulatory Compliance Not Enough
In a recent decision, the Ontario Court of Appeal stated that the general duty clause in the Occupational Health and Safety Act can impose higher obligations than specific requirements in regulations. In the case involving Quinton Steel, concerning guard rails, the court concluded the following:

"It may not be possible for all risk to be eliminated from a workplace, as this court noted in Sheehan Truck, at para. 30, but it does not follow that employers need do only as little as is specifically prescribed in the regulations. There may be cases in which more is required – in which additional safety precautions tailored to fit the distinctive nature of a workplace are reasonably required by s. 25(2)(h) in order to protect workers. The trial justice's erroneous conception of the relationship between s. 25(2)(h) and the regulations resulted in his failure to adjudicate the s. 25(2)(h) charge as laid." – Emphasis added in bold.

Based on this decision, the general duty clause could require employers to do more than the prescriptive requirements of any hazard-specific regulations. Some might argue that this has expanded the scope of an employer's obligations. However, what this decision has affirmed is that regulations should be considered "the low-water mark" when it comes to safety. It is therefore essential that employers understand exactly what obligations they have and how they will keep them. This requires greater consideration when it comes to duty and liability as well as the other categories of obligations:

Micro-means (prescriptive)
Macro-means (management-based)
Micro-ends (performance-based)
Macro-ends (duty and liability)

It is common for employers to focus on the prescriptive elements, as these can be more easily quantified and measured. The others often require the establishment of systems and processes to achieve standards that go above and beyond prescriptive elements. To address these, companies implement processes to address uncertainty and the management of risk, along with continuous improvement, specifically with respect to performance and outcomes. A primary difference between following prescription and meeting duty and liability obligations is that the latter requires employers to be more proactive with their compliance. This begins with taking ownership of each obligation and not waiting for an audit or a fine for improvements to occur. There will always be more risk than a company can contend with, and so each company must decide which risks really matter. When it comes to duty of care the decision should always side in favour of employee safety. If you want to be more certain about your compliance you may want to consider joining The Proactive Certainty Program™, designed to help you avoid The Reactive Uncertainty Trap™. Visit our website at www.leancompliance.ca for more information on how to join.
- Essential Properties for Compliance Systems
Compliance management systems are used by organizations for the purpose of helping them first achieve and then maintain compliance, which is the outcome of meeting all your obligations (ISO 19600). The question is: what properties or behaviours of a compliance system are needed for this outcome to be created? What is essential for a compliance system to be effective?

How are outcomes created?
To answer this we need to understand how outcomes are created in the first place. A system outcome is an emergent property, which for compliance may be greater safety, quality, security, reputation, or any number of desired objectives. It is the collective interactions of all essential parts of a compliance system that are responsible for the overall system behaviour and any emergent properties. Dr. Russell Ackoff defined a system as:

"a whole which is defined by its function in a larger system of which it's a part. For a system to perform its function it has essential parts:
Essential parts are necessary for the system to perform its function but not sufficient.
Implies that an essential property of a system is that it can not be divided into independent parts.
Its properties derive out of the interaction of its parts and not the actions of its parts taken separately."

For example, using a transportation system such as a car, transporting someone from point A to B is an emergent property. A car fulfills this purpose when all its essential parts are working together to "transport" someone. It is not the property of any of its parts taken separately. When you take a car apart it is no longer a car. It cannot perform its function. You can take all the parts and put them on the ground. You can analyze them, improve them, but you still don't have a car. There are also no parts on their own that can perform the function of a car. A car engine by itself cannot transport anything, including itself. Another way of saying this is that a compliance system is not the sum of its parts. In fact, it is a product of the interaction of its parts. Without the interactions you only have a bin of parts, a collection of components, a set of elements, but you do not have a system.

Building parts
For many organizations, compliance remains an exercise in manufacturing parts which they add to their collective parts bin. Unfortunately, none of the parts on their own will produce the desired compliance outcome. Audits, obligation registers, controls, risk measures, training; none of these by themselves is enough. Even if all the parts existed, if they do not work together as a whole you will still not have a compliance system. As with a transportation system, we could have something simple like a skateboard or bicycle, or something more capable such as a motorcycle, car or plane. What is important is that they all fulfill the transportation function, recognizing that some are more effective than others. Instead of focusing on building parts, organizations need to think about enhancing systems. They perhaps need to start with the skateboard equivalent of a compliance system, then move on to a bicycle, and so on. Each version of the system can produce compliance and will manifest all essential properties.

Compliance system properties
We have found that the following properties contribute to a compliance system's effectiveness:

Operational – must have all the essential parts working together as a whole to produce an emergent property of compliance, evidenced by the advancement of outcomes.
Proactive – capable of establishing new goals and measures that continually advance outcomes (e.g. governance).
Viable – capable of being achieved using current technologies. While new technologies may be helpful, the system must be operational with the technologies currently available.
Sustainable – capable of consistently achieving targeted levels.
Resilient – consistently performs in the presence of changing conditions. Feedback controls are used to reduce variation and to create consistency in both performance and outcomes.
Efficient – capable of achieving targeted performance with minimum waste.
Adaptive – capable of learning from the past to improve future outcomes. Performance and outcomes are measured to understand correlation and causation.
Transparent – capable of retrospective investigation and analysis. We are able to know what the rules are.

Compliance systems that have these properties in increasing measure of capability maturity are more likely to fulfill their compliance function.

What is essential?
We can now answer the question as to what properties are essential for a compliance system. The properties that are essential are those that are needed for the system to be operational. These are not sufficient for it to be effective, but they are necessary for it to perform in such a way as to create the emergent property of compliance. The system may not perform much beyond a skateboard at first, but you can still get from point A to B. You can improve capabilities over time to get faster, use fewer resources, and so on. Determining what is needed to be operational requires clearly defining the purpose of your compliance system (what are the desired outcomes) and then identifying the capabilities along with their interactions (i.e. the behaviours) needed to fulfill that purpose.
- Compliance Now Requires a Design
Safety performance is improved when organizations take a comprehensive and systemic view of their safety efforts. This requires different skills than implementing separate activities connected with requirements where the "means" have already been specified. With today's performance- and outcome-based regulatory designs, organizations must now identify and determine how they will achieve targeted safety goals, which can be considered as obligations. A "design" step is needed to translate requirements into design specifications. These specifications describe the ends (key results and objectives) and the means (people, process, technology) of the safety effort needed to meet your obligations.

API RP 1173 Management of Change (MOC) Example
The following completed system requirements canvas demonstrates what this looks like for a Management of Change (MOC) sub-system of a Pipeline Safety Management System (SMS) using API RP 1173. This approach can also be applied to other types of systems where improvement in both performance and outcomes has been targeted. This canvas maps requirements to the processes and capabilities that have been identified to achieve MOC effectiveness. Since API RP 1173 is a recommended practice (i.e. not mandatory) and uses a performance-based approach, it is no surprise that its elements only include minimum procedural requirements that could be verified using an internal or external audit, although no certification body exists or is expected. When considering requirements, a necessary (and perhaps the first) step is to identify what effectiveness looks like. This goes beyond looking at minimum prescriptive requirements and includes consideration of the system's overall purpose, internal and external dependencies, and requirements that come from improving essential capabilities to achieve key results and objectives.

For an MOC subsystem, effectiveness can be defined as: Management of change is effective when it keeps pipeline safety risk (individual and aggregate) resulting from technical, physical, procedural or organizational change within acceptable risk levels (risk tolerance). This measure of effectiveness will create additional requirements which, although not specified in API RP 1173, are certainly expected as part of its adoption. A comprehensive design will also consider overall system properties, which for a purposive system like a Pipeline SMS can be expressed in the following way: The first property we have already addressed, although not for the system as a whole. We know from systems theory that a system is not the sum of its parts but rather the product of its interactions. We expect that all subsystems will be designed to contribute to the production of the essential system properties. Therefore, we must identify what is needed for the MOC subsystem itself and its contribution to the whole (i.e. dependency requirements) with respect to being: effective, proactive, viable, sustainable, resilient, efficient, adaptive, and transparent. A design structure matrix (as shown below) can be used to identify dependency requirements along with possible vulnerabilities or gaps in system capabilities:

Summary
To meet performance- and outcome-based obligations each organization must establish its own goals and objectives along with the means by which they will be achieved. Meeting these obligations creates performance requirements that extend beyond the procedural specifications within the API RP 1173 framework, as in our MOC example. A design step is now needed to translate performance, element, and system requirements into design specifications for solutions that advance overall outcomes. As safety is an emergent property of an overall safety system, the design step requires knowledge and skills in system design, cybernetic controls, and risk-based strategies to ensure that safety is advanced. These are needed not only for adopting API RP 1173 but for all performance- and outcome-based regulations and standards.
- Antifragile - the solution to aleatory uncertainty
When it comes to contending with risk it is important to have an understanding of the nature of uncertainty, the root cause of risk. There are several types of uncertainty, but the two that are most critical are epistemic and aleatory uncertainty. Epistemic uncertainty has to do with the lack of knowledge. The effects of epistemic uncertainty are often characterized in terms of their likelihood of occurrence and the severity of their impact. We can predict the outcomes with some level of confidence, which facilitates decision making with respect to "buying down" these risks by reducing the likelihood, by mitigating the effects, or both. We call these reducible risks. Aleatory uncertainty has to do with chance. The effects of aleatory uncertainty can also be characterized using probabilities; however, the specific outcomes are not predictable with any level of certainty. This kind of uncertainty is considered irreducible, although its effects can be mitigated by introducing margins in the form of such things as extra resources, time, and capacity. What we cannot do is improve the accuracy of our predictions. For risk management to be effective it must adequately contend with both kinds of uncertainty. However, in highly regulated, high-risk industries it is aleatory uncertainty that is foremost on everyone's mind, as it presents a significant source of risk in the form of low-occurrence, high-impact events, often called unknown-unknowns and "black swans". These cannot be predicted and are in the domain of randomness, chaos, complexity and disorder, that is, aleatory uncertainty.

The solution to aleatory uncertainty
In the book "Antifragile", the author Nassim Nicholas Taleb, who also wrote the book "Black Swans", proposes that the solution to aleatory uncertainty is not greater margins or safeguards but instead the development of what he calls antifragility properties. Taleb defines antifragility as going beyond resilience and robustness. A resilient system resists shocks to maintain its state, whereas antifragile systems get better; they improve. He suggests that uncertainty, disorder and the unknown are completely equivalent in their effects and therefore can be addressed in the same manner. Instead of trying to predict the future, which is not possible for aleatory uncertainty, steps are taken to measure and reduce the level of fragility, which is easier to do and results in greater utility. Fragile systems break down easily in the presence of uncertainty. The solution is not to build more robust systems, as we might think. Resilient, robust systems neither break nor improve, and therein lies the rub. The opposite of fragile is not robustness; it is something we don't have a word for, so Taleb uses "antifragile": things that gain from disorder.

Offshore drilling safety example
A few years ago, a safety assessment of offshore drilling platforms was conducted for operations in the North Sea. Each platform had written procedures, some of which were followed and some that were not. Each had a positive safety culture (more or less), each had commitment from senior leadership, and so on. In terms of practice, compliance, and other categories of assessment there were no differences that stood out other than their safety performance. Some of the platforms had experienced no incidents for a long period of time, while others were contending with multiple but mostly minor ones. The question that was asked was: which platforms are the safest to work on? The platforms that had no incidents for a long time were considered to be the most unsafe, which may be surprising to some. While these platforms had excellent performance in the past, there were other indicators that caused concern, such as signs of complacency and overconfidence, to name a few. Using past performance to predict the occurrence of future incidents suggested that these platforms would be the safest. However, their current behaviors suggested otherwise. The platforms considered most safe were the ones dealing with minor incidents. They had a heightened level of awareness and, from an "antifragile" perspective, were improving with each incident. Everyone was looking out for each other and not resting on the achievements of the past. You might get "injured" but you would not be harmed.

Lack of volatility is not the goal
Seeking stability by inhibiting fluctuations (you might say incidents) tends to produce the opposite of what we intended. According to Taleb, overly constrained systems become prone to Black Swan events. Such environments tend to experience massive blowups, catching everyone off guard and undoing years of stability almost all at once. It is for this reason that over-regulation (mandatory or voluntary) and the preponderance of prescriptive rules can create greater levels of fragility, which in turn increases the chance of risk. It is no wonder that some have criticized the pursuit of vision zero targets (zero defects, zero incidents, zero fatalities, and so on). The low occurrence of these events is not sufficient to drive improvements and create the necessary behaviors. Antifragile companies learn from the errors they create and from the errors of others. With every plant failure, worker injury, and failed objective the industry as a whole becomes safer, but only if we learn from what has happened. That is why it is so important for companies to share not only their best practices but, more importantly, their failures; otherwise the "sacrifices" paid by others will be for nought. Unfortunately, sharing of failures is considered by many to be foolishness, when in fact it is the behavior of the wise.

Continuous improvement as a means to introduce volatility
Over the last several decades the adoption of continuous improvement (CI), coming foremost from the automotive industry, has helped to transform many organizations. You will now find its application in almost every sector. The reasons stated for why companies adopt CI often have more to do with improving quality, increasing efficiencies, or lowering costs. However, is that all that is happening? Continuous improvement at its core is an intervention strategy to facilitate change. These changes, done in small increments over time, create the capacity for even greater changes in the future; they make companies less fragile. This is precisely what is behind the principle of "fail fast, fail often." Although CI for many focuses on failures of the past, it still creates the benefits associated with contending with volatility. If you were to ask, "which company is most likely to succeed in the presence of uncertainty?" the answer for me would not be the largest or most robust. It would be the ones that were practicing continuous change in any of its forms, be it LEAN, Agile, CI, or others. These are the companies that embrace uncertainty, becoming stronger in the process, and instead of being surprised by negative black swans they anticipate, and are delighted to see, the appearance of the positive black swan.
- Are Your Risk Measures Valid?
In this article we take a look at the nature of risk reduction controls through the lens of barrier analysis. This is a common practice in process safety and is becoming more popular in other fields such as environmental, finance, regulatory, cybersecurity, and overall compliance risk. At a basic level, the bow-tie diagram (simplified above) is used to visualize a risk path initiated by a threat that results in an event which, if left unmitigated, will result in harmful consequences. Each element can be expanded so that analysis can occur to design measures, or to discover vulnerabilities in them that might leave them insufficient to completely stop harm to the people and things we care about. Process visualization is an important tenet of LEAN and also of risk management, although there it is not as prevalent or as easy to do. What is more common is for risk to be communicated using statistical attributes which, while necessary, often fail to properly describe event chains and their contribution to harmful or hazardous events. Nancy Leveson (STAMP method) calls these hazardous processes, although other phrases have been used, including event chains, error chains, risk streams, and the like. What barrier analysis and bow-ties do for risk is what LEAN value stream analysis does for quality. The latter helps to identify waste to eliminate or reduce in the creation of value, whereas the former helps to identify uncertainty whose effects we also want to eliminate or reduce in the creation of safety.

Bow Tie Concept Handbook
While the Bow Tie and Barrier Analysis methods are commonly used in process safety, they have lacked consistent practices and vocabulary, which has hindered their utility and advancement. To address these concerns, as well as others, the Center for Chemical and Process Safety (CCPS) along with the Energy Institute (UK) in 2018 published a handbook entitled "BOW TIES IN RISK MANAGEMENT - A Concept Book for Process Safety." This handbook provides a common set of definitions, best practices and guidelines by which hazard and risk analysis may be done. In the Bow Tie handbook the following definitions are provided for the basic elements of the bow tie shown previously, which will be helpful for our consideration and application with respect to compliance, where hazards also exist and need contending with.

Hazard: An operation, activity or material with the potential to cause harm to people, property, the environment or business or simply, a potential source of harm.
Top Event: In bow tie risk analysis, a central event lying between a threat and a consequence corresponding to the moment when there is a loss of control or loss of containment of the hazard.
Prevention Barrier: A barrier located on the left hand side of bow tie diagram and lies between a threat and the top event. It must have the capability on its own to completely terminate a threat sequence. (Other possible names: Proactive Barrier.)
Mitigation Barrier: A barrier located on the right hand side of a bow tie diagram lying between the top event and a consequence. It might only reduce a consequence, not necessarily terminate the sequence before the consequence occurs. (Other possible names: Reactive Barrier, Recovery Measure.)
Threat: A possible initiating event that can result in a loss of control or containment of a hazard (i.e., the top event). (Other possible names: Cause, Initiating Event.)
Consequence: The undesirable result of a loss event, usually measured in health and safety effects, environmental impacts, loss of property, and business interruption costs. Another possible name: Outcome. The magnitude of the consequence may be described using a risk matrix.

For this article, I want to focus in on barriers, which in other industries are called Risk Measures.

Risk Measure Validity
Barriers are the technical and human factors used to prevent threats from becoming a reality. They have specific meaning when it comes to process safety, and particularly in the properties they should have. The handbook suggests that barriers must have three essential properties. They should be effective, independent, and auditable:

Effective - A prevention barrier is described as 'effective' if it performs the intended function when demanded and to the standard intended, and it is capable on its own of preventing a threat from developing into the top event. A mitigation barrier is described as 'effective' if it is capable of either completely mitigating the consequences of a top event, or significantly reducing the severity.
Independent - Barriers should be independent of the threat and of other barriers on that pathway. For example, if the threat was loss of power and a barrier requires power to operate, then that would not be a permissible barrier in that pathway.
Auditable - Barriers should be capable of being audited to check that they work. Formally, it could be that performance standards are assigned to the functionality of a barrier. For example, a performance standard for an ESD valve would ideally include 'periodic end to end testing', i.e., a signal is placed upon the detection device, the logic controller responds, and activates the end device, e.g., the ESD valve.

Validity of Compliance Risk Measures
While these definitions are described for process safety, they are applicable to general risk management, including compliance. Compliance uses risk measures to prevent or reduce the consequences associated with data breaches, ethical violations, non-conformance, and other "hazardous" events. They should also have essential properties to ensure they perform their intended purpose. These would include the ones for barriers: effective, independent, and auditable, for reasons similar to those given for process safety. In fact, compliance risk measures would also benefit from the extended list of attributes defined by CCPS: independence, functionality, integrity, reliability, auditability, access security, and management of change. Unfortunately, just as in process safety and perhaps more so, there is a lack of a standard set of definitions and practices with respect to risk management as a whole. We seldom see risk defined using a consistent vocabulary across organizations, let alone within them. Risk identification, even when done, tends to be focused on the "components" of an organization and seldom at the level describing how these might work together to create what in process safety is called a hazardous process. Without understanding the causal nature of risk it is impossible to effectively prevent risk from occurring. As a result it is no wonder that risk registers rarely contain the risks that really matter, with measures that have been properly analyzed and designed to be effective at preventing or mitigating harmful outcomes. You might say that compliance is in need of tools such as the Bow Tie and Barrier Analysis to better visualize, describe and analyse risk processes. For those interested in learning more, we have written additional articles on the topic of using bow ties in the compliance domain, which can be found here.
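As an added illustration (not code from the CCPS/EI handbook or from Lean Compliance), the following Python script turns the three barrier properties above into checks over a constructed bow-tie pathway: it reproduces the handbook's loss-of-power case and then applies the same checks to a compliance pathway for a stolen password. The data model, the property rules and the sample barriers are assumptions made for the example.

```python
"""Checking bow-tie barriers for the three properties the handbook names.

Added illustration (not code from the CCPS/EI handbook or from Lean
Compliance). The data model, the property checks and the sample pathways
are assumptions made for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    disables: frozenset  # resources the threat removes, e.g. {"power"}


@dataclass(frozen=True)
class Barrier:
    name: str
    kind: str                       # "prevention" or "mitigation"
    depends_on: frozenset           # resources the barrier needs to work
    capability: str                 # "terminate", "mitigate", or "reduce"
    performance_standard: str = ""  # empty means nothing to audit against


def is_effective(b: Barrier) -> bool:
    """A prevention barrier must terminate the threat sequence on its own;
    a mitigation barrier may only mitigate or reduce the consequence."""
    if b.kind == "prevention":
        return b.capability == "terminate"
    return b.capability in ("mitigate", "reduce")


def is_independent(b: Barrier, threat: Threat, pathway: list) -> bool:
    """Independent of the threat (no reliance on what the threat removes)
    and of the other barriers on the same pathway (no shared dependency,
    which would be a common-mode failure)."""
    if b.depends_on & threat.disables:
        return False
    return not any(o is not b and (o.depends_on & b.depends_on) for o in pathway)


def is_auditable(b: Barrier) -> bool:
    """Auditable here means a performance standard exists to test against."""
    return bool(b.performance_standard.strip())


def validate_pathway(threat: Threat, pathway: list) -> dict:
    """Return {barrier name: [names of failed properties]}; an empty list
    means the barrier satisfies all three properties on this pathway."""
    report = {}
    for b in pathway:
        failed = []
        if not is_effective(b):
            failed.append("effective")
        if not is_independent(b, threat, pathway):
            failed.append("independent")
        if not is_auditable(b):
            failed.append("auditable")
        report[b.name] = failed
    return report


# Constructed sample: the handbook's loss-of-power case from the article.
LOSS_OF_POWER = Threat("loss of power", frozenset({"power"}))
PROCESS_PATHWAY = [
    Barrier("ESD valve", "prevention", frozenset({"power", "plc"}), "terminate",
            "periodic end-to-end test: detector -> logic controller -> valve"),
    Barrier("spring-return relief valve", "prevention", frozenset(), "terminate",
            "annual lift test"),
    # Shares the PLC with the ESD valve and has no performance standard.
    Barrier("PLC interlock", "prevention", frozenset({"plc"}), "terminate"),
]

# Constructed sample: the same checks applied to compliance risk measures.
CREDENTIAL_THEFT = Threat("stolen user password", frozenset({"password secrecy"}))
COMPLIANCE_PATHWAY = [
    # Relies on the very thing the threat removes, so it cannot stand alone.
    Barrier("password policy", "prevention", frozenset({"password secrecy"}),
            "terminate", "quarterly policy review"),
    Barrier("MFA at login", "prevention", frozenset({"mfa service"}),
            "terminate", "monthly check: login without second factor is rejected"),
    Barrier("breach notification runbook", "mitigation", frozenset(), "reduce",
            "annual tabletop exercise"),
]

if __name__ == "__main__":
    for threat, pathway in ((LOSS_OF_POWER, PROCESS_PATHWAY),
                            (CREDENTIAL_THEFT, COMPLIANCE_PATHWAY)):
        for name, failed in validate_pathway(threat, pathway).items():
            status = "ok" if not failed else "fails: " + ", ".join(failed)
            print(f"{threat.name:>20} | {name:<28} {status}")
```

Running it flags the ESD valve and the password policy as not independent of their threats, and the PLC interlock both as sharing a dependency with the ESD valve and as lacking anything to audit against.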