SEARCH
Find what you need
609 results found with an empty search
- Are You Being Nudged Into Compliance?
The answer is yes and you have been for some time. Nudging is broadly used today in many domains including governments to addresses policy effectiveness and regulatory gaps, private companies to make employees more ethical, and in compliance to change safety, quality, and environmental cultures. Nudging can be effective and justified to get us to do what is good for us such as investing more for our retirement. Nudging can also be used to exploit our behavioral biases to achieve outcomes that we do not need or want. The use of nudging in compliance has ethical implications that need be to considered and addressed. Companies may not explicitly implement nudging yet still find themselves using technology that does which may not align with their own ethical values. Values of users are being replaced with the values of the nudge designers and this is a cause for concern. What is Nudging? Many people became aware of the theory of nudging when the book: "Nudges: Improving Decisions About Health, Wealth, and Happiness" by Richard Thaier and Cass Sunstein, was published in 2008. In their book, they define nudges as: "A nudge, as we will use the term, is any aspect of the choice architecture that alters people's behavior in a predictable way without forbidding any options or significantly changing their economic incentives." In essence, nudges use behavioral insights to influence behavior towards specific outcomes. Nudge theory has been applied in areas as diverse as: product placement, using opt-out versus opt-in strategies, and applying it to business management systems. We also see private companies introducing nudging aimed at making employees more ethical. More and more companies are considering the use of nudges as a proactive strategy to achieve compliance outcomes [8]. In Todd Haugh's paper on "Nudging Corporate Compliance" [5] he defines nudges in the compliance context: "Nudges are simple interventions designed to promote desirable choices— such as compliance choices—by taking advantage of psychology . . . [including] a growing list of mental shortcuts, cognitive biases, and psychological quirks that subconsciously influence, and often sabotage, our decisions. Nudges are designed to either harness or neutralize these tendencies, and help us make better decisions, by subtly altering the decision-making process or the mental context in which the decision is made" Neutralizing cognitive biases to make better decisions seems reasonable but harnessing these same biases to achieve a specific outcome has its problems. Critics of the use of nudging argue that they are short-term and do not help people make long-term behavior changes. However, while the effectiveness of nudging might be in question, there are other issues more pertinent to the ethics of using nudging in the first place. In the paper by David Colader and Andrew QI Lin Chong [7], they make the following argument: "Thaler and Sunstein implicitly assume that people would be better off with a choice architecture that encourages them to save more. By making this and similar assumptions, they are replacing their views for the consumer’s views. Our argument is that the explicit goal of nudge policy in this case should not be to encourage individuals to save more; rather it should be to give individuals the choice of whether they want a choice architecture that is more likely to encourage to save more. This is a subtle, but important, distinction that Thaler and Sunstein gloss over, and which underlies the difference between our non-paternalistic and their paternalistic nudge policy." The key point is that choice architectures inherently promote a set of values that may differ from those of the decision maker. This has critical implications when applied to making ethical decisions involving risk and uncertainty where it essential that the decision making process not diminish the autonomy or the accountability of the decision maker. It can be argued that too much "suggestion" may lead to holding the choice architects rather than the decision maker accountable which is not what we want or need. As a result, careful attention should be given to the use of choice architectures particularly those embedded in the technology (i.e. digital nudges) used to support and manage compliance. There are many ways in which choice architecture manifests itself in the digital environment. The most predominant is the use of defaults[1] as expressed through: check boxes, drop downs, auto complete, search results, default settings, timelines, call to actions All of these have defaults that are pre-selected. When you see these you are being nudged. For example, more people select the auto complete suggestion than what they were originally typing. What is suggested can and does nudge users towards a specific outcome. The most popular example regarding defaults is the impact of default choices on organ donations compliance rates. Countries where people where asked to opt-out of organ donation instead of opting-in reported significantly higher consent[9]: Steps to Address Nudging There are several aspects that companies should consider when considering the use of nudges, beginning with: Is the outcome what we want and need? Is the level of persuasion used in the nudge consistent with our ethical values? Is the autonomy and accountability of the decision maker preserved in the process? Nudges should by definition be easy to avoid [6] and no costlier than accepting the nudge itself. When the cost to avoid is higher, the nudge becomes a shove which is a form of coercion. Sunstein[6] posits the following distinctions for nudges with respect to ethical considerations: Paternalistic nudges – protect people from their own mistakes including behavioral biases Educational nudges – inform so that people can make better choices for themselves Nudges that enlist or exploit behavioral biases He further writes, "It follows that the most controversial nudges are paternalistic, non-educative, and designed to enlist or exploit behavioral biases." Nudging is a method of control within a spectrum between persuasion and coercion. The difference between persuasion and coercion hinges on whether or not you are free to decide if you need and want the outcome; and there in lies the rub. At what point does nudging become forced and in violation of a person's autonomy and accountability. Where you draw the line is a decision that companies need to make as part of their ethics policies. They should not let technology determine for them where this line is and even what the outcomes are. As companies continue to investigate the incorporation of nudging in their compliance programs it is incumbent on them to establish ethical policies and guidelines to govern their use. Ethical companies should at a minimum: 1. Develop a plan for how they will address the use of nudging within their compliance programs 2. Decide what is ethical and what is not (don't let the technology choose this for you). 3. Evaluate how nudges are used in existing and new technology: Where are they used? What outcomes are being influenced? Can the outcome and the level of persuasion be changed to better align with compliance obligations and core values. 4. Require that if and when nudges are used they are consistent with ethics policies and guidelines. Further reading: Digital Nudges, Fabio Pereira, Presentation at GOTO Conference, https://gotober.com/2017/sessions/303 The Persuasive Power of the Digital Nudge, Julia Fetherston, https://www.bcg.com/en-ca/publications/2017/people-organization-operations-persuasive-power-digital-nudge.aspx Digital Nudging – Guiding Judgement and Decision-Making in Digital Choice Environments, Markus Weinmann, https://link.springer.com/article/10.1007/s12599-016-0453-1 Digital Nudging: Altering User Behavior in Digital Environments, Tobias Mirsch, Chistiane Lehrer, Reinhard Junk, https://link.springer.com/article/10.1007/s12599-016-0453-1 Nudging Corporate Compliance, Todd Haugh, https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3004074 The Ethics of Nudging, Cass Sunstein, http://digitalcommons.law.yale.edu/cgi/viewcontent.cgi?article=1415&context=yjreg The Choice Architecture of Choice Architecture: Toward a Non-paternalistic Nudge Policy, David Colander and Andrew Qi Chong, http://sandcat.middlebury.edu/econ/repec/mdl/ancoec/1036.pdf Cast no shadow, Dr Tim Marsh, http://www.rydermarsh.co.uk/pdfs/SHP.0112.pdf Nudge Database v1.2, Mark Egan, https://www.stir.ac.uk/media/schools/management/documents/economics/Nudge%20Database%201.2.pdf
- Is Compliance A Zero-Sum Game?
Back in the day I would visit bookstores in the places that I travelled particularly for work. Browsing the book isles was one way you could get a sense for what the current trends were and which way the wind was blowing. This for me was a from of sense-making. Trying to determine what is relevant in a sea of constant change. You could say that going to the Gemba for me was going to the bookstore. Today, you can do the same thing by using Google’s N’grams based on google books. And here is what you would find: Quality peaked in 1992 and is now in decline (around the time that ISO 9001 was introduced and the quality movement was at its peak). Risk as a general topic continues to grow and dominates the discussion across all risk & compliance domains. Safety, Security, and Fraud have peaked and on the decline since 2000. Perhaps as a result of Y2K no longer being an issue. Regulation is near the bottom and declining. Cyber, Sustainability, Climate, are on the uptick but still way behind the others. What could this all mean? Less books are being written on the various topics. Traditional risk and compliance theory and practice have stalled i.e. nothing new is being added to the discussion. New compliance concerns are starting to take over. Compliance is a zero-sum game i.e. focus on something new takes away from existing resources. If the last one turns out to be true, then it is likely we will see organizations reallocate existing resources to tackle new areas of risk. To meet the new demand without sacrificing existing risk & compliance performance organizations must find ways to leverage existing capabilities. This will include one or more of the following: Apply LEAN principles and practices to reduce waste. Apply Risk Management principles and practices to focus on what really matters. Take a Holistic view of systems and processes to ensure the parts all work together to realize compliance outcomes. Embed compliance into processes to ensure the organization always stays between the lines. Leverage common principles and practices across all risk & compliance programs. Apply Proactive and Preventive strategies to stay ahead of risk
- Playing the Compliance Game
When we consider compliance we often think of being compelled by regulation to follow an arbitrary set of rules that get in the way of achieving business outcomes. No wonder many companies only want to do the minimum. However, a more useful way of looking at compliance is as a game that we want to play and one that want to be good at. As with all games they have rules. These rules do not inhibit playing the game they instead make it possible to play the game not just once but many times. That is what we want for our businesses. We want to act in such a way that we can continue to play the game over time for as long as we want to play. This requires a long-term perspective. However, some prefer a short-term view and take short cuts, cheat, or otherwise hack the game. When they do this they find that no one wants to play with them anymore. Customers do not want to buy from them, suppliers do not want to sell to them and stakeholders do not want to invest in them either. They have ended the game for themselves and as a consequence ended their business or at least severely damaged it. Don’t sacrifice your business by choosing actions that take you out of the game. Instead, learn how to become competent at playing the game well.
- Holes in the System
In the words of W. Edwards Deming, “You cannot inspect quality into a product.” And yet, audits remain the primary mechanism to protect stakeholders from the effects of uncertainty. As Deming has rightly stated, inspecting what has already happened is too slow and too late to ensure risk does not become a reality. When it does, trust can be easily lost with those who have put their trust in your business, products, or services. Quality, safety, environmental, regulatory, and other compliance programs help to rebuild trust by reducing the risks associated with meeting the promises made to each stakeholder. However, most organizations view compliance as a necessary evil and something to avoid, let alone something to invest in. As a result, compliance remains mostly a world of disparate silos, competing cultures, inefficient processes, and excessive audits. Together with a narrow focus on prescriptive compliance to “shall statements” the opportunity now exists for threats to penetrate an organization’s defences in-between the checklists, procedures, and policies . Stakeholders now face the possibility of risk that is systemic, mostly undetected, and potentially disruptive. Looking for and filling every gap in meeting prescriptive obligations misses the gaps that are really important – the holes in the system . It is only by anticipating, planning, and acting that prevents risks from becoming a reality. This requires a proactive and intentional approach to compliance that focuses on outcomes, capabilities, and continuous improvement which are the hallmarks of an effective compliance system.
- The State of Digital Transformation
It is easy to be sympathetic with those developing digital technologies that are frustrated with the relatively slow adoption of digital transformation. By analogy, the internet has significantly changed the way we think and operate our businesses along with our own personal lives. The internet continues to this day to be the foundation for new and exciting possibilities, including further digital transformation. It is no wonder that many are anxious to quickly move ahead and wonder why companies are only taking incremental steps. One of the reasons for this is that companies are inherently resistant to change. This is partly due to the resiliency needed to continually create products and services their customers enjoy. This resilience manifests itself in many ways that include: processes that produce consistent output, management systems that ensure quality, programs that drive down risk to keep employees and the environment safe, and competent workers that are trained to use the latest standards and best practices. Often these are developed over years and become part of the company culture. These "structures" contribute to reliably make the products and services we depend on every day. Most of us don't think twice when we turn the light switch and discover that the light in the room actually turns on and that it does this almost every time. This "resistance to change" comes in sharp contrast to the disruptive posture often used to promote digital transformation. There is often an appeal to evolution that argues that change is inevitable and therefore companies should adopt digital transformation or be left behind as did the proverbial dodo bird. This is understandable, but perhaps misguided, if only for the reason that we know that evolutionary change (in the Darwinian sense) results from chance not by design or intent. Asking companies to change, however, does require intent and that demands an appeal of a different sort. Companies need a reason to change and for that they need at least an answer to the question, "how will digital transformation help my company achieve its goals?" The promise of digital transformation Before we can consider possible answers to this question, we first need to understand what digital transformation is. At a very high level it can be framed in the following way: Digitization – the transformation of analog information into digital form Digitalization – is the process of the technological-induced change brought about by digitization (ex. Internet of Things, blockchain, cryptocurrencies, Industry 4.0, etc.) Digital Transformation – the total and overall societal effect of digitalization The impact of digital transformation is often presented in terms of improved productivity. However, after you consider the cost of undergoing a transformation, it is not clear that productivity improvements, particularity incremental ones, are enough. Companies already have significant investments in technologies that remain mostly unexploited that could be used to improve productivity. Why this doesn't happen is a topic that will be discussed later in this blog. However, the primary motivation for pursuing digital transformation is not really about improved productivity, although that may happen. It is instead more about creating new ways of doing things that result in different processes altogether. Transformations of this kind are less certain in terms of what they might be, and the nature and extent of the impacts. We only need to look at companies like: Facebook, Twitter, Google, Amazon, Uber, as well as others to get an appreciation for this. Predicting with any measure of certainty that that these specific companies would emerge along with their specific impacts is something best left to speculation. What should companies do? So what do you do if you are a company that is involved in producing, let's say, physical things rather than purely digital products and services, for example, an oil producer. CEOs for these kinds of companies are correct to question how digital transformation can help them at all. Companies have many other concerns that need to addressed such as: increasing costs, threats resulting from cyber-attacks, increased regulations, and keeping their employees, communities, and the environment safe, to name only a few. Many CEOs may read about the "Internet of Things" and wonder how this might help their company. They already have sensors and control systems that monitor operations and collect lots of data all on their own secure networks. Perhaps, data could be made more useful by organizing it better. However, the thought of connecting all your sensors to the internet seems like it would add more risk rather than reduce it. Consideration of other digital technologies such as: block-chain, cryptocurrencies, machine to machine communications and others may also leave companies wondering how these would help: maintain adequate margins, keep people and the environment safe, or generally reduce the level of risk in operating their business. It is hard not to conclude that digital transformation might just be a set of technologies looking for a problem to solve, and these problems are not your problems. This is how it it was when such things as: personal computers, the internet, and cell phones, where first introduced. We knew that change was coming but it was not clear exactly what that change would be. The best you could hope for is that when the time came you would have the time necessary to adapt. How to get ready? A good question that companies might ask themselves is, "what capabilities do I need to have so that I am ready to make the change when the time came?" It may not be possible to know what specific skills you will need. However, it is possible to develop the skills and culture to adapt to changes more quickly and in a safe manner so as to increase the certainty that you will have the time you need to adapt to a new way of doing things. One might even argue that those that are already doing continuous improvement are in a stronger position to adapt to digital transformation or any other changes for that matter. These companies already have a culture that accepts change more easily and that might be the most important thing. Another capability worth considering is the ability to understand how to transform business processes to new ways of doing work. This is a skill that in many ways reached its pinnacle following the first introduction of computing. During that time we learned all about business modeling, re-engineering, and the like. This was when the role of the business analyst was essential to transforming business processes to adapt to MRP and later ERP, CRM, CMMS, and other enterprise management systems. You were a business analyst because you new the business and you understood technology and that combination is rare today. In fact, with the continued outsourcing of IT, this role has been eliminated in many companies. A jobs-to-be-done example I recently spoke with a company looking for a solution to a problem they were having with generating calibration protocols for customized laboratory equipment to be used by field technicians. This problem involved integration with existing data and documentation. This was a jobs-to-be-done (JTBD) example in an enterprise context and clearly a candidate for digital transformation. However, no one in their company understood the business or the problem well enough to form adequate requirements and evaluate possible solutions. In fact, the only person who best understood how to go forward was the director of marketing who was given the task because the source of the problem was a customer complaint. This was compounded by the lack of expertise, they discovered in the marketplace, to build enterprise solutions and who understood their business processes. This was in a part of the United States that has the most high-tech companies than any other, probably in the world. However, most of them, while skilled in the latest agile, programming languages, and cloud-based architectures where heads-down trying to become the next digital technology unicorn ($1Billion valuation) and had little interest in enterprise JTBD problems using technologies they consider to be old and obsolete. This is not a unique situation, although, it hard to know how wide-spread this issue is. However, it does appear that digital transformation is not really directed to help existing companies and is more about developing the next Facebook or Uber. Preventative measures Many companies have significant challenges and problems that need to addressed. They also have (for the most part) substantial untapped capabilities buried in their existing enterprise platforms that remain to be exploited. These may not be "emerging technologies" but they are definitely not obsolete either. The argument that companies need to tear down existing technologies and infrastructures in favor of the promise of something new and shiny should be considered cautiously. Change no matter how beneficial the outcome comes at a cost that needs to be accounted for. The diminishing of capabilities primarily in business analyst roles may have come at the expense of excessive cost reduction strategies brought about by the aggressive outsourcing of IT along with re-platforming to the cloud. It may be time for companies to bring back the role of the business analyst to help transform business processes to tackle the jobs-to-be-done right now and to help transform business processes when digital transformation strategies are more mature. Combining the role of business analyst with a continuous improvement culture is a powerful combination to prepare for change, planned or disruptive.
- The Digital Depot of Transformation
Digital Transformation – The Home Depot of Computing Walking into a building construction store like Home Depot can be overwhelming. There are so many items to choose from and if you are like me you often don't know what you are looking for. If you are a builder or contractor most of the items will make sense and be familiar to you. However, what is more important, you will know what to do with them when you take them home. This experience is similar to companies who are deciding what to do with digital technologies. It can be just as overwhelming as walking into Home Depot. What is important to realize is that this experience is not a new one. When I first started consulting over 25 years ago a popular trope was this: Let’s say you can have ERP for free and have it installed today (back in the day this would take 12 -18 months) then what will you do with all that technology? The answer given was usually, "We don't really know. Everyone is using ERP and we thought we should get one too." Well then, why are you focusing on technology when you don’t know what it is you want to accomplish?" It is remarkable that we find ourselves now able to access instantly and usually for free (to start) any software you might need for your business. But this still leaves us with the same question, "what are you going to do with all that technology?" This is where many companies find themselves with respect to digital transformation. Based on what you read you might conclude that everyone is doing digital transformation and you should too. If you find yourself thinking this you are in good company. More Items for Your Shopping Cart Everything as a Service (XAAS) is a gaining mind share among the digital community. This is a progression of what has been going on for a while manifested in the form of: Software as a Service (SAAS) Platform as a Service (PAAS) Infrastructure as a Service (IAAS) And many others. The concept has been invented by computer and business architects alike to turn delivery of everything into a service. In fact, digital components are themselves delivered as a micro-services constituting what some are calling the programmable business framework. For those that remember the days of CORBA (common object request broker architecture) for the enterprise this is the same idea but for everyone. The premise is that you can build whatever you want by accessing ready-made capabilities available in real-time, on-demand, and almost for free. The hope is that someone will use these services to build something great. The question is who and what is this going to be? The Loss of Strategic Computing and Information Services When Computing and Information Technology came on the scene each system needed to be championed and sponsored by a business function that needed the capability. Funding for such an endeavor required justification based on achieving a ROI against specific business outcomes. Sound familiar? However, over time, the connection between the business and IT was severed. This happened as computing switched from mainframes to minis to servers and finally to personal computers. Today you would add mobile devices to this progression. The transition of ownership changed along with these advances from the company, to departments, and to individual users. Computing did not all move to the end users as a significant amount computing still resides in back end data servers and today in the cloud. However, what did happen was the removal of the middle layer of management both in terms of managerial accountability and IT resources that supported them. This part of the organization is where sponsors, champions and the resources to build out projects once resided. During the time of this transition, IT also became more standardized which made it easier for it to be supplied as a commodity by external vendors instead of by internal resources. The role of IT soon turned into one that selects and manages suppliers of commodity components: networks, hardware, software, and systems. Today, it is not uncommon for companies to prefer pre-built application suites rather than individual applications or capabilities. However, when you consider IT as a commodity you are no longer considering it as strategic to your mission. With the loss of champions, sponsors, and resources, IT is left with a mandate to provide only company-wide systems (platforms) served now by the cloud. The remainder is left, not to functional groups as it once had, but to individual users. Without middle management there is very little capacity left to support strategic or competitive differentiation in terms of the use of computing and information services. This lack of strategic intent is a significant obstacle for digital transformation and creates the greatest risk to companies wanting to survive digital disruption. The Return of Strategic Computing and Information Services? Eli Goldrattt, the creator of Theory of Constraints, suggests that for technology to deliver benefits it must remove a limitation that you have that is holding you back from achieving your outcomes. Your limitations are unique to your business although they may be shared by others at some level. The business has always been the ones to build out new capabilities that were needed to meet their objectives. In earlier days you would buy separate hardware, commercial of the shelf software (COTS), and integrate them together. This was done in the context of a business function that needed new capabilities that in turn would generate improved outcomes. This did result in more silos than we wanted, but that is what enterprise architecture frameworks were supposed to solve and in most cases never did. Today we find ourselves with a shopping cart full of commodity capabilities at every level of the computing and information stack available as micro services all the way to application suites. As an aside, the only way that vendors can distinguish themselves is by creating a new way to do something that we already could. Sure it is shinier, perhaps faster, maybe better in some marginal way, but none of it is tied to your specific requirements or problems you need to solve, unless your requirements are so low as to match only basic functional levels. If you want something that meets your higher standards then you need to build it yourself. You will never find your solution in the cloud because there is not enough demand for your specific set of requirements. What you will find instead are the components and capabilities that you need to build your solutions. Think power tools, drywall, lumber, nails and screws, if that helps. If you are like most people these sit in your garage or basement and collect dust. And this brings us to the crux of digital transformation – it is about building a future not just buying technology. But who will do this? Who in your organization will champion the cause? And who will answer the question, what will we do with all that technology? A Call for Leadership We need to see the return of strategic computing and information services. Leadership at the middle level has been removed and replaced in most companies by technologies in the form of management systems and applications. No wonder we find many management functions calling out for more leadership. Technology is necessary but not a sufficient condition for success. Leadership needs to point the way forward and champion the cause. Leaders need to aim at something higher if they want more than basic improvements driven by cost reduction. This will require that top level management stand in the gap where middle management once stood. Without this kind of leadership, companies end up with users heading to their favorite Digital Depot and doing their own DIY projects. Some of that is already happening, and some of this is good. However, where this leads to is even more silos of computing at the individual level using software they can get for free that will run out in 90 days. If you thought aligning functional groups to strategic initiatives was challenging doing this at the individual level is even more. Whether you have a flattened organization or not, you still need leadership. You need it more than ever if you want to build your future rather than accepting the disruption that is coming your way. Digital technologies offer possibilities that did not exist before. However, you will need to answer the same question that we asked 25 years ago and is as relevant today: What will you do with all that technology?
- Risk-based Thinking – Quieting our Lizard Brain
Identifying risks and reacting to problems when they occur uses our "Lizard Brain" which is fast and needed for a fight and flight response to survive in the present and short term. However, looking for opportunities, and being proactive to prevent problems and ensure goals are achieved requires use of the slower part of our brain which is focused on "thinking", with the ability to choose, design, create, and anticipate so we can survive the longer term. To succeed in the long term we must slow down and quiet our "lizard brain" long enough so that we can put in place what is needed to ensure mission success. However, slowing down is not easy and that is one of the reasons why risk-based thinking is hard to do. As companies try to go faster and faster we seldom take the time needed for our brains to think. The following steps help to make sure that we use our whole brain when contending with uncertainties: Separate risk identification (fast brain) from risk analysis and assessment (slow brain) Beware of cognitive biases such as: optimism, confirmation, anchoring, ostrich effect, zero-risk etc. Consider both threats (fast brain) and opportunities (slow brain) Don't rush - create time to engage the slow part of your brain
- To Address Systemic Risk You Need Systems Thinking
If your company uses an organizational chart it was most likely designed based on the factory model created by Fredrick Taylor who introduced "Scientific Management" in 1911. The foundation of his approach was the scientific method which has been very successful to help understand how things worked by understanding the individual parts. Reductive approaches while instrumental in many fields of study is not without its limitations. The first and foremost is that it is not always possible to understand the function of the whole by knowing the function of each part. This limitation can have significant consequences with how organizations handle risk as a whole or as a part. Taylorism and Its Effects Taylor used reductionism to organize how businesses are structured and remains to this day the primary method for designing organizations although this is changing (see article in The Atlantic https://www.theatlantic.com/magazine/archive/2019/07/future-of-work-expertise-navy/590647/ ). One of Taylor's aims was to achieve maximum job fragmentation to minimize skill requirements and job learning time. The workers he would hire would not have many skills, if any, so this made sense. Taylor also introduced us to time and motion studies that would eventually lead to the assembly line refined later by Henry Ford. The reason why we have departments, silos and disparate processes is largely because of Taylor and the specialization of skills. You could say that the focus of many business transformations over the years were attempt to address the side effects of Taylorism while maintaining its benefits. Manifestations of this included a growing movement towards generalization of skills through the sharing of knowledge, use of teams, and expansion of communication networks. Addressing Risk Taylorism is still predominate and its effects impacts how management is structured and in turn how companies contend with uncertainty and risk. An important problem with a reductive approach is that risk consideration is done by looking only at the parts that make up a business and not the entire organization. Systemic risk is seldom considered. This can be seen by the way risk registers are constructed often by starting at the bottom of an organization and aggregated upwards until they form a single heat map or risk score. Aggregating risk scores and using heat maps to provide a holistic view of risk has some value. However, these are remnants of a reductionist approach and are limited in identifying and contending with uncertainty that crosses departments, functions, and processes. Trying to understand risk by assessing the risk of individual parts is very much like trying to understand the risks of driving to work by understanding the risks associated with the steering wheel, gaskets, hoses, engine block and other components. You can add them up, put them in a heat map, or prioritize them by a risk score, but they will never tell you what you need to know, "will I get to work on time?" This bottom-up approach often leads to companies playing “whack a mole” hitting the gopher on the head when it pops ups without understanding why it does and preventing it in the first place. This is treating the symptom and not the disease which unfortunately is the way that many companies contend with risk. It is only when a significant event has occurred that correction or prevention is considered. Although common this approach has limited utility when lives are lost, reputation is at stake, and future earnings are at risk. As we are becoming more aware of risks that have the largest impact are systemic in nature and no amount of mole whacking will be enough to keep its effects of uncertainty at bay. Enterprise Risk Management As a means to contend with the limits of a bottom up approach to risk many companies introduce Enterprise Risk Management (ERM) to help address the larger picture but end up with using an approach called "Holism." This is better than reductionism but not the best approach to address systemic risk. Holism is the opposite of reductionism and suffers from the similar limitations. Instead of looking only at the parts it only looks at the top (or the boundaries) which tends to lead to ERM implementations that focus mostly on extrinsic or external risk; things which affect the organization as a whole such as: exchange rates, disruptive technologies, competitors, regulation and so on. Risk consideration that focuses only at the bottom or the top of an organization creates the opportunity for systemic risk to manifest itself. Operational Risk Management To properly address systemic risk an "integrative" or systems approach is needed. An integrative approach looks to address risk throughout an organization. This is the domain of Operational Risk Management (ORM) which when implemented effectively focuses on intrinsic risk that impact internal programs, systems, and processes and its effects on achieving outcomes. One way to look at this is that ORM focuses on risk streams (i.e. the propagation of the effects of uncertainty) instead of the risk of failure of individual parts. Effective operational risk management requires knowledge of systems. This includes value streams but also the interactions between them and the value chain which provide the capabilities, capacities, and competencies to perform them. ORM will utilize tools such as Hazard and Operability Analysis (HAZOP), Dependancy Structure Analysis, Value and Risk Stream Analysis, Value and Critical Chain Analysis, and others.
- Failure of Assurance Systems
When it comes to meeting obligations the assurance function needs to provide more than just a feeling of confidence. It must provide a measure of certainty that obligations will be met based on real estimates of uncertainty and risk. In the following examples, folks thought that everything was on-schedule, on-target, on-plan, in-compliance until it was not and then it was too late. These all involve complex systems with many factors to consider. However, what we can say is that systems used to provide assurance (level of confidence that objectives will be met) failed miserably as evidenced by the surprise and shock afterwards. ROGERS On Friday July 8, Rogers experienced a disruption in service from coast to coast affecting millions of Canadians, and disrupting government services and payment systems. "We don't understand how the different levels of redundancy that we build across the network coast to coast have not worked," said Kye Prigg, Rogers' senior vice-president of access networks and operations” https://www.cbc.ca/news/business/rogers-outage-cell-mobile-wifi-1.6514373 SUNCOR On July 8th, 2022 CEO resigns after latest fatality at a company facility. "Suncor Energy Inc. chief executive officer Mark Little resigned following another death at one of the company’s worksites, sending shockwaves through the Canadian oil and gas sector." This is the second fatality at the Fort McMurry site this year and the latest incident in a string of workplace injuries and fatalities at Canada’s largest integrated oil company. Suncor was hoping they were turning a corner on safety and reported to have had a scheduled presentation in the upcoming week on safety improvements which was now cancelled. https://financialpost.com/commodities/energy/oil-gas/oilpatch-leader-mark-little-resigns-following-another-death-at-suncor-site Phoenix Pay System In 2009 the Canadian government initiated the Phoenix project which rolled out in 2016. The original budget of $309m increased to $954m expected to rise to $2.3b by 2023 in unplanned costs. The Governor General Auditor in 2019 reported, “How could Phoenix have failed so thoroughly in a system that has a management accountability framework; risk management policies, program evaluations, internal audit groups, departmental audit committees; accounting officers; departmental plans; departmental performance reports; pay-per-performance compensation; and audits by The Office of the Auditor General?” https://www.oag-bvg.gc.ca/internet/English/parl_oag_201805_00_e_43032.html Each respective assurance system failed to provide leadership with the information needed to properly evaluate and respond to risk. The alternative is that management simply ignored the information and hoped for the best. Either way the result was the same – failure. Failure to provide, failure to protect, and failure to deliver. Ignoring or not properly contending with risk in the final analysis amounts to gambling which is unwise and unnecessary. Organizations that choose not to gamble apply risk-based principles and practises to drive down risk or guard against it if not reducible.
- Between the Lines: The Need for Active Compliance and Personal Autonomy
The question of whether we comply to stay between the lines or stay between the lines to comply is a thought-provoking one. It speaks to the inherent tension between our desire to follow rules and regulations and our need for personal autonomy and self-expression. On one hand, compliance with rules and regulations is necessary for a functioning society. We need traffic laws to ensure the safety of drivers and pedestrians, building codes to ensure the structural integrity of our homes and workplaces, and health and safety regulations to protect our well-being. Without these rules, chaos would reign, and our lives would be far less secure. However, the mere act of compliance does not necessarily lead to a better society. Compliance can be a passive act, undertaken out of fear of punishment or social ostracism. When we comply simply to stay within the lines, we are not engaging with the underlying values that those lines represent. Furthermore, strict adherence to rules and regulations can stifle creativity and innovation. When we focus solely on staying within the lines, we are less likely to think outside the box and come up with new ideas. This can be detrimental to our personal growth and to the progress of society as a whole. On the other hand, staying within the lines can be a powerful tool for personal and societal growth. When we actively choose to adhere to rules and regulations, we are engaging with the underlying values that those lines represent. We are recognizing the importance of safety, respect, and fairness, and we are working to promote those values in our daily lives. Staying within the lines can also foster a sense of community and shared responsibility. When we all agree to abide by the same rules, we create a sense of collective ownership over our society. We are all working together to create a safe, fair, and just world. Ultimately, the question of whether we comply to stay between the lines or stay between the lines to comply is a false dichotomy. Both compliance and personal autonomy are important, and both can be used to promote personal and societal growth. The key is to strike a balance between the two, recognizing the value of rules and regulations while also encouraging creativity, innovation, and personal expression. By doing so, we can create a world that is both safe and dynamic, both secure and full of possibility
- The Differences Between Managing Organizational and Asset Changes
Regulated organizations in the process and energy sectors must have a management of change (MOC) process to cover process safety related changes to plants, processes, facilities and pipelines. In recent years, regulators have also added the requirement to manage risk arising from organizational changes. At a high level, organizational changes appear to be just another type of change that can be added to an existing MOC process and procedure. However, when you take a closer look, organizational changes are different in the tools and approaches used across the change life-cycle: MOC programs will need to accommodate these differences in order to effectively manage risk. Here are six (6) steps to prepare your organization to manage organizational change safely: Identify positions and roles in the organization that are safety-critical Establish a process to trigger an OMOC when these positions or roles are changed Develop a risk screening tool to assess the level of risk associated with changing these positions or roles Develop a transition plan to maintain continuity for safety critical roles and positions when these are changed according to the level of risk Establish a process to monitor changes during each transition and communicate any changes of risk to management Ensure that all safety-critical positions are roles are fully implemented (transitioned) by following up after the position or role has been changed. Organizational changes need to be part of every MOC program. An effective MOC program will consider the differences between asset and organizational changes to ensure that risk is effectively managed. Plan -Do-Check-Act Questions: What is the current condition of your organizational change process? Are risk screening and analysis tools in place? Is there a process to trigger changes to safety-critical positions and roles? How well is risk communicated to those that needs to manage and mitigate risk? What step can you take today to advance the effectiveness of managing risk during organizational changes?
- How to Manage Risk during Organizational Changes
Safety regulations and guidelines across North America call out for the need to manage risk due to organizational changes. Ensuring that safety critical roles are effectively maintained when changes are made to either personnel or positions is an essential requirement for every process or pipeline safety program. This is needed now more than ever as companies find themselves engaged in consolidation from mergers and acquisitions as well as adapting to changes in the market. Managing the following 5 (five) types of changes will help reduce risk during and after organizational changes have occurred: Personnel Changes refer to changes to safety critical roles, skills, and people Structural Changes are changes to safety critical positions, accountability, and critical management programs Temporary Conditions refer to transitional changes when people take on temporary assignments or as interim structural changes are being made. It is during these transitions that risk is at its highest and where maintaining safety is most critical. Policy and Procedure Changes can effect the ability to manage risk during the organizational change. For example, introducing travel bans may impact the ability to conduct field safety assessments. Risk Profile Changes during and after changes are implemented need to be assessed and managed appropriately. Managing these changes goes beyond on-boarding processes and involves process and pipeline safety expertise in addition to traditional human resource skills. A risk based approach is also beneficial so that the right level of rigor appropriate for the level of risk is applied. Plan -Do-Check-Act Questions: How well is your company managing risk during organizational changes? Is there a change process in place and how effective is it? Are safety critical positions identified and are roles effectively transitioned? Which ones need attention? What step can you take today to improve your organizational change process?












