COMPLIANCE
- The Taxonomy of an Obligation
When it comes to improving compliance it is important to know not only what your obligations are but also how each obligation has been designed to perform the regulation function. Knowing this will help organizations better understand what is needed to meet their obligations by understanding:
  - The level of compliance rigour required
  - The level of support needed from leadership and management
  - Controls that may need to be established
  - Who is accountable for which part (self, industry, or government)
  - How best to improve compliance
  - What level of investment to make
  - What is at stake and the level of risk
  - Among other things
All of which are derived from the obligation design.

Four Obligation Designs

There are four common ways that obligations are architected to regulate aspects of quality, safety, environmental and legal concerns. These can be described across the dimensions of micro-macro and means-ends parameters:
  - Prescriptive-based (micro/means) - rules that if followed will reduce risk.
  - Management-based (macro/means) - processes that must be followed to manage obligations and risk.
  - Performance-based (micro/ends) - specific measures that must be met to achieve targeted performance.
  - Outcome-based (macro/ends) - targeted outcomes that must be advanced.

Obligation Taxonomy

Each compliance design approach will in turn create different demands on an organization, which can be discovered by considering where the regulation function is being applied in the structure of the obligation:

Outcome-based regulations specify the ends or the outcomes and not the means. The onus is on organizations and industry to determine the means, the performance criteria and the rules that should be followed. This is an example of self-regulation, where leadership is essential at all levels to advance outcomes.

Performance-based regulations specify the level of performance to achieve the desired outcomes but not the means or the rules that should be followed. This is common with industry programs to achieve zero fatalities, zero emissions, incidents, breaches, and so on. Continual improvement is necessary to advance the desired outcome. In this case, industry associations act as the regulator and take on some of the leadership responsibilities.

Prescriptive-based designs specify the details and do not specify performance or outcomes, just the rules to follow. This is the primary form of government regulation, which takes on responsibility to achieve the desired outcomes. Organizations are expected to conform to the rules. Leadership is still important but perhaps less so, or in a different way. Following rules requires a culture of conformance rather than a culture of improvement and proactivity.

Management-based designs like ISO 14000 and 19600 more generally focus on the processes by which you manage obligations. What is being regulated are the management processes, not necessarily performance or outcomes. This makes management standards applicable to all forms of regulatory design, with the caveat that this only happens when organizations incorporate performance and outcome standards alongside their management systems. Leadership is essential at the program level to ensure that effectiveness is not lost in the pursuit of consistency and efficiency.

Regulatory bodies and standards organizations may elect to use a combination of the four regulatory designs based on the nature of the risks they are attempting to ameliorate through regulation. Compliance analysts should be aware of this when they identify obligations and evaluate compliance risk. Obligation registers should include this information to help inform the actions for effective compliance.

Related Posts: https://www.leancompliance.ca/post/an-objective-view-of-obligations
- You Cannot Transfer Risk
I once worked for a company that had multiple programs to address concerns such as: process safety, occupational safety, loss prevention, emergency preparedness, and several others. All of these programs involved contending with risk to various degrees, mostly independently from each other. Over the years it became clear that their risk capabilities had not progressed as well as other aspects of their compliance programs. So a decision was made to improve the situation, which resulted in the hiring of a risk manager. The goal for this new manager was to establish a consistent risk framework to be used across each of the compliance programs.

This outcome was mostly achieved, but with an unintended consequence. Managers of the compliance programs, along with asset owners, now believed that they no longer needed to manage risk as the company had hired someone else to take care of it. The ownership for risk started to migrate from where it once was to the new risk manager. Not all at first, but over time the culture started to change and then the practice, as it almost always does in these kinds of situations.

If this sounds familiar it might be because you have heard this story before, connected with your initiatives. You may have heard the following:
  - I don't have to manage quality; we have a department that does that.
  - I don't have to manage security; we have someone who does that.
  - I don't have to manage safety; we have a safety manager who does that.
We believe that by transferring responsibility we are also transferring risk.

Why does this happen? Organizations that try to improve their compliance often start by breaking down silos, consolidating effort into a centralized function. This almost always ends up with the ownership of risk being transferred along with the effort. The distinction between accountability and responsibility has been confused, and it is here that lies the rub. Those that are accountable for the objective should also be accountable for the risk.

This is implied by ISO 31000, which defines risk as: the effect of uncertainty on objectives. The ownership for risk must remain closest to those that are answerable for the objective. Even when the objective is transferred to a third party the accountability for the objective is shared, and so should the risk. You can delegate responsibility for risk identification, analysis, treatment, and monitoring to others. However, if you own the objective you cannot delegate your ownership of risk. In essence, risk can never be transferred.

Who owns risk within your organization? If you have a department or manager who takes care of risk and compliance then you most likely have fallen into the same trap that many others have. If this is your situation then it may be time to make sure that those who are accountable for objectives remain accountable for risk. The first step is to take ownership of all your obligations, which is necessary before any accountability can be assigned.
- Humility - An Urgent Necessity for Compliance
In the world of compliance, humility is a critical trait that is often overlooked. The lean principle of being humble is just as important in compliance as it is in any other aspect of business. The urgency for humility in compliance arises from the constantly changing and complex regulatory landscape, which requires businesses and organizations to navigate regulations efficiently. Non-compliance can have severe consequences, including legal and financial penalties, damage to reputation, and criminal charges. In addition, the increased focus on corporate social responsibility and ethical behaviour demands that compliance professionals not only follow regulations but also act in the best interests of their stakeholders and society at large.

In today's ever-changing regulatory environment, humility in compliance is an urgent necessity for several reasons:
  - Preventing arrogance: Compliance professionals must constantly deal with complex regulations and laws that are often changing. If they become arrogant in their understanding of these regulations, they may overlook certain nuances or misinterpret them, leading to non-compliance.
  - Preventing cognitive bias: The compliance landscape is constantly evolving, and there is always something new to learn.
  - Preventing unethical behaviour: Compliance is not just about following rules and regulations; it is also about behaving ethically.
  - Preventing miscommunication: Compliance professionals often work with a wide range of stakeholders, from senior executives to front-line employees, leaving lots of room for misunderstanding.

How does humility help compliance?

Being humble in compliance means acknowledging that no compliance program is perfect and that there is always room for improvement. It involves recognizing that regulatory requirements and best practices are constantly evolving, and being open to learning from others to stay ahead of the curve. When organizations approach compliance with humility, they are more likely to identify potential issues and vulnerabilities before they become major problems. They are also more likely to take a proactive approach to compliance, rather than waiting for regulators to identify areas of concern.

Being humble in compliance also means being willing to learn from mistakes. No compliance program is immune to errors, but organizations that are open to feedback and willing to admit when they've made a mistake are better equipped to identify and address the root cause of the problem.

Humility in compliance means recognizing the importance of collaboration. Compliance is not the responsibility of one person or team, but rather a shared responsibility across the organization. When teams work together and are open to feedback and ideas from others, they are better equipped to identify and address compliance issues.

Being humble is a critical aspect of building a successful and sustainable compliance program. By acknowledging that there is always room for improvement, being open to learning from others, and recognizing the importance of collaboration, organizations can stay ahead of the curve and avoid costly compliance issues. Humility is essential for effective compliance because it promotes continuous learning, ethical behaviour, effective communication, and a mindset that is open to new perspectives and ideas. The lack of these traits hinders compliance from always staying between the lines and ahead of risk.

Steps for becoming more humble

Becoming more humble is a personal journey and requires a willingness to examine oneself and make changes. Here are some steps that may help:
  - Practice active listening: One way to become more humble is to listen more and talk less. When someone else is speaking, resist the urge to interrupt or interject your own opinions. Instead, focus on understanding their perspective and ask questions to clarify their thoughts.
  - Cultivate gratitude: Practising gratitude can help shift our focus from ourselves to the people and things around us. Take time each day to reflect on what you are thankful for, and acknowledge the contributions of others.
  - Embrace vulnerability: Humility often requires us to be vulnerable and admit when we don't have all the answers. Embracing vulnerability means acknowledging that we are not perfect and being open to feedback and constructive criticism.
  - Seek out diverse perspectives: It's easy to become trapped in our own ways of thinking, but seeking out diverse perspectives can help us broaden our understanding and challenge our assumptions. Make an effort to seek out people with different backgrounds, experiences, and opinions.
  - Practice self-reflection: Take time to reflect on your actions and behaviours, and consider how they impact others. Be honest with yourself about areas where you may need to improve, and make a plan to address them.
  - Serve others: Serving others can help us develop a sense of empathy and compassion. Look for opportunities to volunteer or help those in need.
Remember, becoming more humble is a process that takes time and effort. It's important to approach this journey with an open mind and a willingness to learn and grow.
- Modernize Your Compliance With ISO37301
Some may be aware of an obscure but important guideline called ISO 19600 "Compliance Management System", which was introduced in 2014. This guideline has now been replaced by a full Type A management standard, ISO 37301, which affords organizations a best-practices approach to modernize their compliance. ISO 37301 specifies requirements which organizations must meet to provide stakeholders the assurance they need that obligations are being met. ISO 37301 is certifiable and applicable for organizations of all shapes and sizes. It can serve as a management system for corporate obligations, as an overarching framework for managing compliance across risk domains, or to provide better assurance for areas in which no standards exist.

ISO outlines the following benefits for this standard:
  - improving business opportunities and sustainability;
  - protecting and enhancing an organization's reputation and credibility;
  - taking into account expectations of interested parties;
  - demonstrating an organization's commitment to managing its compliance risks effectively and efficiently;
  - increasing the confidence of third parties in the organization's capacity to achieve sustained success;
  - minimizing the risk of a contravention occurring with the attendant costs and reputational damage.

ISO 37301 builds on and replaces ISO 19600 with the following differences. ISO 37301:
  - is a Type A management standard that is certifiable;
  - is compatible with other Type A Management System standards such as ISO 9001, 45001, 14001, etc.;
  - replaces should with shall statements;
  - adds whistleblowing and expands culture and governance;
  - adds requirements for hiring or promoting staff to critical positions;
  - adds assessment of staff in matters of regulatory compliance;
  - provides a description of what is considered a regulatory compliance culture;
  - highlights the issues of independence, staffing and skills of Regulatory Compliance to operate without interventions and with appropriate staff;
  - identifies Code of Ethics and Conduct as a key element in determining and controlling compliance.

Is this standard what you need to modernize your compliance? With increasing and expanding stakeholder obligations, this standard applied effectively will help organizations demonstrate that they have the capabilities to properly contend with risk and ensure that obligations can be met today and into the future. ISO 37301 is applicable for organizations that:
  - want to modernize their corporate compliance efforts with industry best practices
  - need a compliance management system for specific risk domains not currently covered
  - need an overarching assurance framework across existing compliance management systems (e.g. safety, security, environmental, EHS, ESG, etc.)
  - need to better address obligations not currently captured under existing management systems
  - want to engender greater stakeholder trust

More information can be found on the ISO website: https://www.iso.org/obp/ui/#iso:std:iso:37301:ed-1:v1:en
- How Do You Fight Uncertainty?
The new year has begun for many in earnest, with the year's goals and objectives at the forefront of our minds. How will we achieve these in the presence of continued uncertainty? Which threats and opportunities should we contend with, and with what measures? There are many assessment tools to help you identify risk, but there are few that help you identify where and how to implement risk measures. The bow-tie analysis is one of the best and is used by many in highly regulated, high-risk industries such as oil & gas, pipeline, chemical, and increasingly in IT and other industries. The Bow-Tie is one of their superpowers to contend with uncertainty. That's why we recommend that organizations use the Bow-Tie Analysis to improve the probability of meeting all their stakeholder obligations, and why you should too.

Here is a list of articles and templates covering the bow-tie for you to use to help you increase your chances of mission success this year:
  - Are Your Risk Measures Valid?
  - Compliance versus Obligation Risk
  - Integrated Risk Assessment - Template
  - Lean Compliance A3 Format - Template
  - Bow Tie Analysis - Template

If you are interested in learning more please consider joining: The Proactive Certainty Program™
- Certainty and Compliance
Risk management has for many years focused mostly on identifying possible losses and working out their probabilities. As beneficial as that might be, it does not capture the full nature of uncertainty. ISO 31000 (and others) have tried to expand the definition but only go half way. They focus on the effects, or better the symptoms, and not the cause or the disease itself. Unfortunately, because of the lack of a holistic approach and the negative connotations associated with the word risk, "Risk Management" is getting in the way of effectively contending with uncertainty. It's time for a change, which is why we should no longer use only risk.

Historically compliance is considered as a means to keep risk at bay. When organizations are in compliance (i.e. operating consistently between the lines) they will in turn reduce the possibility of loss. This places compliance programs alongside the value chain with risk reduction as the goal. We have used this model in the past and in some cases it still makes sense to do so. However, what we have found is that this approach tends to focus compliance mostly on conformance to rules, attested by surveys and monitored by occasional audits. The goal seems to be only on "staying between the lines" and not staying ahead of risk. The lack of focus on the latter results in risk programs paying too much attention to risk identification and registers (staying between the lines) and not enough to contending with risk itself. In a sense, both risk & compliance suffer from too many check boxes and not enough action.

A Need for Change

Operationally, compliance at its core is the practice of meeting obligations in the presence of uncertainty. Risk management is a means to that end and, more specifically, this should be the focus of operational risk management. This places the majority of risk programs (safety, sustainability, environmental, health, security, privacy, asset management, and so on) alongside the value chain with compliance as the outcome. However, compliance here does not mean check boxes. Instead, it means meeting all your obligations (conformance, performance, and outcome-based) in the presence of uncertainty.

This change however is not enough in our estimation. To reflect the shift to improve the certainty of meeting obligations we have elected to call these certainty rather than risk programs. This aligns better with the ISO 31000 definition and the purpose of these programs, which is to make certain (ensure) that objectives across the business are achieved. That is why we propose using the labels Certainty & Compliance rather than Risk & Compliance. There will still be a role for enterprise risk management, but this should result in the creation of operational objectives that fall within certainty and compliance functions. The purpose of Certainty Programs is to keep organizations between the lines while increasing the probability of targeted outcomes and decreasing the probability of undesirable outcomes. These objectives should become part of certainty-based balanced scorecards instead of risk-based. This is more than semantics; it is a change in mindset, strategy, and focus.
- Abandoning Risk Matrices: A Critical Step for Risk Management
The world is changing, and with it, so are the risks that businesses and organizations face. Over the last year, there has been much discussion in the domain of risk management, with many experts raising concerns about the use of risk matrices. In fact, some are even calling for their abandonment altogether, citing the dangers of relying on them to make critical decisions. The best advice, it seems, is to do nothing rather than use a risk matrix – but is that really the best course of action?

The first step in understanding and managing risk is to recognize that it is a complex, multifaceted issue. It cannot be reduced to a simple, one-dimensional matrix or a set of numbers. Rather, it requires a nuanced understanding of the qualitative nature of the risk or hazard at hand. This means taking the time to thoroughly evaluate the specific risks faced by your organization and developing a comprehensive plan to address them.

While quantitative analysis using tools like Monte Carlo simulations can be helpful when data is available, the reality is that many risks are difficult to quantify. In these cases, a more qualitative approach is necessary. This might involve conducting interviews with subject matter experts, analyzing historical data and trends, and engaging in scenario planning exercises to develop a more complete picture of the risks involved.

The question then becomes, where is the middle ground between qualitative and quantitative analysis? How can organizations strike a balance between the two to effectively manage risk? The answer lies in a holistic approach that considers all available data and insights. Rather than relying solely on a risk matrix or other semi-qualitative/quantitative tools, organizations must adopt a more comprehensive approach to risk management. This might involve developing a risk management framework that includes a range of qualitative and quantitative techniques, such as scenario planning, risk mapping, and probabilistic risk assessments. By taking a more holistic view of risk, organizations can develop a more nuanced understanding of the threats they face and develop strategies to mitigate them.

By discarding risk matrices and not having a replacement plan, organizations run the risk of being exposed to various risks that cannot be easily categorized and analyzed quantitatively. It is not enough to simply avoid using risk matrices – organizations must be proactive in identifying and managing risk. This requires a commitment to ongoing risk management efforts, including regular assessments, monitoring, and updating of risk management plans.

The debate around risk matrices and their use is an important one, but it is just one piece of the larger puzzle of risk management. To effectively manage risk, organizations must take a comprehensive, holistic approach that considers all available data and insights. The stakes are too high to simply do nothing – the future of organizations depends on it.
- The Environmental Golden Thread
An effective program results in changed outcomes. Therefore, for an environmental program to be effective it must perform in such a way that outcomes are continually advanced towards the overall goal – community sustainability in the case of municipalities. For that to happen each pillar and the system as a whole must be operational. This means all essential parts working together to produce what no part can create on its own. We need a golden thread, so to speak, that runs through each environmental pillar, holds them all together, and defines what is essential for the pillar and the entire program to be operational and effective.

As a current reference, the UK last year passed regulation requiring a golden information thread for building safety. This is a digital thread that will provide assurance during a building's life cycle that what should have been done was done. The environmental golden thread approach is an extension of this same thinking. It will provide leadership and management with the status of the environmental program, the level of risk, and where investments might or need to be made across and through each pillar of their environmental program. Many do not have these tools, but they are needed to advance environmental outcomes.

As Eliyahu Goldratt (father of the Theory of Constraints) has said: "Partial implementation of a holistic approach is an oxymoron"

An environmental golden thread can help ensure your environmental efforts produce more than the sum of your action plans. You can download a copy of our presentation from our recent webinar on the Environmental Golden Thread using the following link: If you are interested in learning more about how Lean Compliance can help you with your environmental efforts please book a 30 minute call with us:
- The Nature of Environmental Obligations - Part 2
In our previous blog post we considered the nature of environmental obligations from the perspective of their compliance approach and the shift from rules and audit-based regimes to performance and risk-based strategies. This week we continue our look at the nature of environmental obligations through the lens of regulatory, social, and government licenses to operate. Private and public sector obligations come from multiple sources that can be mapped to the following three types of licenses:
  - Obligations arising from a regulatory license to operate. These come from accepting public responsibilities to behave in line with the conditions of an operating license. They tend to be mandatory and prescriptive in nature. They are often referred to as external obligations as they are imposed on organizations by external authorities.
  - Obligations arising from a social license to operate. These come from accepting stakeholder responsibilities, where stakeholder is defined in the broadest sense: employees, shareholders, communities, suppliers, customers, residents, the public at large – anyone who has a stake in what the organization is doing. These tend to be voluntary and more performance and outcome-based. They are referred to as internal obligations since organizations choose to impose these on themselves.
  - Obligations arising from the authority to govern. These obligations are a result of accepting government responsibilities to contend with public risk. In the case of local governments they will have obligations from the previous two categories along with obligations associated with their role as regulator to inspect, enforce, monitor, and implement regulatory acts.

In recent years internal obligations have approached parity with, and in some cases exceeded, external obligations in many organizations, driven to a large extent by the adoption of environmental, social, and governance (ESG) objectives. At the same time environmental obligations have increased across all categories in response to climate change. Unfortunately, compliance for many organizations focuses mostly on external obligations associated with a regulatory license to operate. This leaves a significant number of obligations, many of which are environmental, under-resourced, unmanaged and at risk.

For compliance to be effective it must adapt to the changing landscape by expanding beyond mandatory and regulatory obligations to include obligations from all sources. This requires knowledge of the nature of obligations and the strategies needed to meet them. Does compliance in your organization cover all your obligations?
- The Nature of Environmental Obligations
Recently the province of Ontario experienced a thunderstorm leaving 10 dead and hundreds of thousands without power for several weeks. Waiting to act until an incident has occurred is never the best option when it comes to environmental risk. This tends to result in significant disruption and other adverse effects that might otherwise have been avoided. However, this is the approach when compliance is based on the traditional operating principles of audits and corrective actions.

To get ahead of environmental risk will require a change in mindset and behaviours of the kind that we have talked about in recent years. Just as we have seen quality and safety become more performance and risk-based, the same shift is happening for environmental obligations with increasing measure. This shift will require an operational model that is more than training, audits and corrective actions. It will be more akin to Total Quality Management (TQM), where better environmental outcomes are designed into products and services – Environmental By Design. Organizations will need to set goals and objectives, contend with uncertainty, continuously improve performance, and make progress in the advancement of environmental outcomes.

The good news is the same principles applied to TQM and Operational Excellence can be used to meet environmental obligations. It's time for environmental compliance to become operational in the full sense of the word. Are environmental objectives included in your operational plans?
- 3 Ways to Strengthen Your Defences
There are 3 ways that we talk about strengthening defences:
  - Reliability
  - Resiliency
  - Anti-fragility

Reliability has to do with preventing disruption, most often by preventing failure of equipment, processes, systems, and other measures, to prevent risk from becoming a reality.

When reliability fails, we need Resilience to recover from the disruption created when that happens. In a storm trees need to bend and snap back, and so do businesses.

Anti-fragility is about getting stronger, better at what we do, as a result of disruption. This has much to do with learning and improving our defences to make them more robust. The airline industry has a strong safety record partly because after every incident they took a deep dive and learned from what happened. They became stronger at preventing accidents over time. They did not waste any knowledge that could be learned from disasters.

All of this applies to meeting all our obligations and keeping our promises. We need to prevent non-conformances, recover from them should they occur, and get stronger when we learn from our experiences. What strategies have you adopted so that you endure in the presence of uncertainty? Are your abilities at keeping commitments to all your obligations getting stronger or weaker? Are you extracting all you can from your incidents?
- How Do We Manage Cyber Safety - Part 3
This blog post continues our series on Cyber Safety, where we have explored various standards, frameworks and guidelines to address management vulnerabilities with respect to achieving cyber safety objectives. In this week's post we consider steps you can take to select which approach is best for you to start improving your cyber safety.

1. Evaluate Defences & Develop Improvement Roadmap

The framework or standard you choose depends on the risks your organization is currently facing or anticipating. So the best place to start is with an assessment of what you want to keep safe, your safety goals, and your cybersecurity objectives. To help you answer these we recommend first conducting a Cyber Resilience Review (CRR), which is a non-technical assessment of your current situation. This review will provide the parameters you need to formulate an improvement roadmap you could work on in a stepwise fashion over time. If you currently do not have a formal cybersecurity program you might consider a facilitated CRR assessment. Although CRR is a self-assessment that you could do yourself, you will benefit from having someone facilitate the review, create an assessment summary with recommendations, and develop a cyber safety improvement plan based on the CRR results.

2. Select Standard and Conduct Detailed Assessments

Conducting a CRR will place you in a better position to select a management standard that best suits your business if you don't already have one. You will also know if, and which, detailed technical assessments may be necessary to address serious holes in your defences. In our last post in this series we looked at three frameworks:
  - Cybersecure Canada Program - this is a great place to start if your exposure to cyber risk is moderate and your organization is just getting started with a cyber safety program.
  - NIST Cybersecurity Framework - this framework has a strong technical component and best suits organizations with a significant sized IT component, infrastructure, and governance.
  - ISO 27001 - this family of standards is particularly useful for organizations that have already adopted other ISO standards, where they can leverage existing management processes and infrastructure.
The results of a CRR will help you determine which approach is best for you.

3. Develop and Implement Detailed Improvement Roadmap

Once a framework has been selected, additional detailed assessments can be conducted based on the kinds and level of risk identified in the CRR along with additional considerations suggested by the given framework. The goal is to:
  - Identify the risks that really matter.
  - Uncover strategies and plans that already exist that contend with these risks.
  - Evaluate if these defences are strong enough to keep what you value safe.
  - Develop a comprehensive improvement roadmap that meets your cyber safety objectives.

If you currently do not have a formal cybersecurity program you might consider a facilitated CRR assessment and roadmap development process. If you are interested in having a cyber safety improvement roadmap for your organization please reach out to us. Also, if you missed Part 1 of this series you can find it here.