COMPLIANCE
- How Do We Manage Cyber Safety - Part 2
This blog post is a continuation of our series on Cyber Safety. In this article we explore several guidelines, standards, and frameworks available to help organizations realize their cyber safety goals. We will begin with a program from the Canadian Centre for Cyber Security, followed by three from the US, and one from the International Organization for Standardization (ISO). Let's start with the Canadian program.

CyberSecure Canada Program
The Canadian Centre for Cyber Security is a valuable source for companies of any size that want to strengthen their defences. On its site you will find the CyberSecure Canada program, a federal cyber certification program that aims to raise the cyber security baseline among small and medium enterprises (SMEs) in Canada. The desired outcome of this program is to increase overall confidence in the digital economy and to promote international standardization that better positions organizations to compete globally, and I would add locally as well. Certification requires implementation of a set of baseline controls (v1.2). These provide an excellent set of initial risk measures specifically designed for small and medium sized operations. You will also need to develop a management framework to advance your cybersecurity capabilities beyond the baseline, but otherwise this is an excellent place to learn and get started with cybersecurity.

Next we will consider what I call the triple threat against cyber risk: the CISA CRR, the NIST CSF, and the DOE C2M2.

Cyber Resilience Review (CRR)
The Cybersecurity & Infrastructure Security Agency (CISA) created the Cyber Resilience Review (CRR) assessment. This assessment is a no-cost, voluntary, non-technical review that evaluates an organization's operational resilience and cybersecurity practices. It covers 10 domains, or what you might call capabilities, and is available as a self-assessment tool. It is also designed to measure existing organizational resilience and provide a gap analysis for improvement based on recognized best practices. The self-assessment tool and practice guidelines are available free online. A CRR will help organizations scope out what is needed to create a roadmap for improvements, along with a determination of whether more detailed assessments should be conducted. It is compatible with the NIST framework discussed below. Next we will look at what is probably the most common framework used to manage cybersecurity.

NIST Cybersecurity Framework
In response to a presidential executive order issued in 2013, the National Institute of Standards and Technology (NIST), in collaboration with government and the private sector, developed a cybersecurity framework that focuses on using business drivers to guide cybersecurity activities and on considering cybersecurity risks as part of the organization's overall risk management process. The NIST CSF consists of three parts, the Core, the Profiles, and the Implementation Tiers, with the Core organized around 5 functions: Identify, Protect, Detect, Respond, and Recover. This is a very popular framework, particularly in the technology and information sectors. It is risk-based rather than a one-size-fits-all strategy, and it is intended to be adapted by organizations based on their level of risk and their safety obligations.

Cybersecurity Capability Maturity Model (C2M2) Program
The Department of Energy (DOE) developed C2M2, which is becoming one of the most important tools for assessing the cybersecurity posture of organizations in the energy sector and in other highly regulated, high-risk industries. C2M2 focuses on the implementation and management of cybersecurity practices associated with information technology (IT) and operational technology (OT), which are often managed separately within these industries. C2M2 provides descriptive rather than prescriptive guidance. The model content is presented at a high enough level that it can be interpreted by organizations of various types, structures, sizes, and industries. C2M2 differentiates between technical and management objectives across 10 domains, which provides organizations with a holistic perspective on, and assessment of, their cybersecurity program. The overall intent of C2M2 is to help organizations assess and advance their cyber safety capabilities over time. Self-assessment tools and practice guidelines are also available online. Lastly, we look at what ISO has to offer.

ISO/IEC 27001
If you have already adopted other ISO management system standards then this one may align better with your existing management practices. This widely known management standard provides the requirements for an information security management system (ISMS), with supporting standards in the 27000 family providing guidance on individual capabilities and practice domains. The standard lets you leverage your existing management structure (assuming that it already aligns with other ISO standards) to support the technical processes needed to address cybersecurity risk. Third-party certification is attractive to companies because it provides some evidence that they are treating their cybersecurity seriously.

Summary
We have looked at various standards, frameworks, and guidelines that address management vulnerabilities with respect to achieving cyber safety objectives. Now, which one should you use, and if you are already using one, how do you improve your effectiveness and your cybersecurity performance? Answering these questions will be the topic of our next blog post on cyber safety, so stay tuned.
- A Failure in Cybersecurity – Lack of Intention
When we hear the phrase cybersecurity many things may come to mind. You might think of threats such as viruses and malware, email spam, phishing attacks, and ransomware. You might also think of things more technically, in terms of the Internet and the Internet of Things (IoT), networks, firewalls, VPNs, antivirus software, and passwords. Or you might think in terms of what is at stake: financial loss, loss of identity, loss of reputation, loss of business, or the loss of your business. Each of these groups represents the kinds of things that need to be managed holistically, together, as a system, and, pardon the pun, without any holes, or as they say in the cybersecurity world, vulnerabilities. But what happens when vulnerabilities are exposed and what is valued is not protected?

The LifeLabs Breach
To explore the concept of cybersecurity and to bring the topic closer to home I thought it helpful to look at the LifeLabs breach that happened in Canada in 2019. Here are some of the key facts surrounding the event:
  - This was the largest breach in Canada resulting from a ransomware attack.
  - 15 million people across Canada were affected by the theft of their private data.
  - LifeLabs is reportedly facing lawsuits (in the billions) and certainly a loss in reputation, and perhaps more.
In recent weeks, I received an email from LifeLabs which was also sent to others affected by the breach. This latest communication outlines LifeLabs' latest response in the wake of the ransomware attack. In the letter we read that LifeLabs has now:
  - Appointed a CISO (Chief Information Security Officer)
  - Added a CPO (Chief Protection Officer) and a CIO (Chief Information Officer)
  - Is investing $50M to achieve ISO 27001 certification (the international standard for information security management)
  - Engaged a third party to evaluate its cybersecurity program
  - Established an information security council
  - Strengthened its detection technology
  - Implemented yearly security awareness training
This certainly sounds substantial, and it is. However, what this list of actions also tells me is that they had very little in place prior to the breach in terms of management accountability, oversight, standards, or anything that would let them know how well they were doing with respect to protecting patient data. It is good to see that they are addressing these now; perhaps too little, too late; time will tell. What we do know is that it will take time before these changes significantly improve their defences, which they should have started to do years ago.

Cybersecurity Risk Landscape
When we look across the cybersecurity landscape one can make the following observations with respect to risk:
  - Threats to people and things we care about are all around us and perhaps always will be.
  - The risks that matter are connected with what is valued, and there are plenty of bad actors who are interested in what we value.
  - The conditions for cybersecurity risk are also increasing, specifically now as more employees are working from home than ever before.
  - Every company has a cybersecurity program; some are more effective than others.
  - Cybersecurity is not only a technical problem; it is a business problem that requires a business solution.
It is the last one that needs to be highlighted, underscored, and acted on the most. Cyber risk is a real threat that involves technical measures to address, but it is foremost a business problem that requires a business solution. LifeLabs' failure to prevent a breach was a failure in leadership and management, which they are now attempting to address, and not necessarily a failure in their technology. Leadership intention and management commitment are needed for companies to keep the dragon of uncertainty from penetrating their defences and stealing their gold, however that is defined.

Lack of Intention
It used to be said that: There are two kinds of companies: those that have suffered a cyber-attack, and those that will. But now, we say it this way: There are two kinds of companies: those that have suffered a cyber-attack and those that don't know that they have. When they do find out it is often too late, and the effects too severe for many companies to survive. Waiting until you have been breached to improve your cybersecurity defences is probably not the best business or technical strategy. However, many companies still take the wait-and-see approach. So what might motivate organizations to be more proactive about improving their defences?

Companies might consider a legal motivation. Regulations do exist and are expanding to compel organizations to establish adequate programs and measures. However, they have not kept pace and fall short of adequately contending with cyber safety. Waiting for regulations to tell you what you must do will most likely also be too late. Improving cybersecurity defences is beneficial to reduce insurance costs, improve efficiencies if done correctly, and prevent disruptions, which contributes to greater resiliency for your business. While these are all valuable outcomes, they are often treated as goals to be worked on after all other objectives have been met. Keeping what you value safe and protecting against loss can also be a powerful motivator, particularly when it involves the safety of people and their livelihoods. But what lies behind all our motivations is our intention.

It is a company's intention that ultimately determines the effectiveness of its cybersecurity program and motivates the improvements that are made. Research has shown that intention significantly determines what is accomplished. If your intention is to achieve ISO 27001 certification, for example, then that is most likely what you will get, but you will most likely not improve your cyber security. However, if you want to improve your cyber security and choose ISO 27001 as the means to do that, then you will not only receive your certification, you will most likely improve your cybersecurity as well. You will get both. Where you aim determines what you achieve, which is why organizations need to choose their goals well, including those to improve cyber safety. In our next blog article we will look at various standards, guidelines, and strategies companies are using to address cybersecurity risk. #managedcybersafety
- The Power of AI
One of the powers of technology is its ability to externalize the means to achieve our ends. This is one way to evaluate what is happening with AI. It is externalizing the means by which we learn, to the point that we don't need to learn ourselves. What if meaning is found not by having the goal of our desire but instead by our participation in the means to make it happen? This makes the ends even more worthwhile because they are something we accomplished by our own agency, effort, and courage. Something to think about.
- Value Stream Mapping - Just Don't Adopt the Tool, Exploit It!
Value Stream Mapping (VSM) is a widely recognized and adopted lean management method used in various industries and domains, including compliance. While many organizations focus on the tool itself, the true power of VSM lies in its ability to address complex problems and drive transformational improvements. In this blog post, we delve deeper into the essence of VSM and why it's crucial to move beyond the surface-level application of the tool to unlock its full potential.

Understanding Value Stream Mapping
Value Stream Mapping is a systematic approach to analyzing the current state of a process and designing a future state for delivering a product or service from its inception to the customer. It visualizes the flow of materials, information, and activities, highlighting value-adding and non-value-adding steps. By mapping the entire value stream, organizations gain a holistic view of the process, enabling them to identify not only bottlenecks and waste but also areas of risk and compliance improvement.

Beyond the Tool: Problem Solving with VSM
VSM is not merely a visual representation of a process; it is a problem-solving tool. The true power of VSM lies in the steps that follow mapping the current state. While understanding the problem is the first step, it is through effective problem-solving that organizations can leverage VSM to drive significant improvements. Many organizations tend to focus on easily solvable issues, or low-hanging fruit, resulting in incremental benefits. While these improvements are of some value, they do not maximize the potential of VSM. To truly exploit the power of VSM, organizations must have the courage and determination to address the hard problems that lie beneath the surface.

Transformational Outcomes
Organizations that choose to tackle challenging problems are more likely to experience better outcomes. By focusing on the problems that really matter, they can initiate transformational changes in their value streams that go beyond eliminating waste and reducing lead times. They will also improve outcomes associated with quality, safety, security, sustainability, and ultimately stakeholder trust. Taking a proactive and comprehensive approach to problem-solving with VSM allows organizations to identify and eliminate root causes rather than simply treating symptoms. This promotes a culture of continuous improvement, fostering innovation and driving sustainable change.

Using VSM Strategically
To extract the maximum value from VSM, organizations should adopt a strategic approach. Here are a few key considerations:
  - Problem Prioritization: Identify the critical problems that have the most significant impact on the value stream and prioritize them accordingly. By focusing resources on these areas, organizations can achieve substantial improvements.
  - Cross-Functional Collaboration: VSM involves multiple stakeholders from different departments and levels within the organization. Collaborative problem-solving encourages diverse perspectives, enabling the identification of comprehensive solutions and the alignment of goals.
  - Continuous Improvement: VSM is not a one-time exercise; it is an ongoing journey. Regularly revisit and update the value stream maps as new challenges emerge, and continuously seek opportunities for improvement and risk reduction.
Value Stream Mapping is a powerful tool that goes beyond its visual representation. To truly harness its potential, organizations must shift their focus from the tool itself to the problem-solving aspect. By addressing the hard problems, organizations can drive transformative improvements, eliminate waste, reduce risk, and achieve better outcomes associated with safety, security, sustainability, quality, and ultimately stakeholder trust. Strategic use of VSM, combined with a culture of continuous improvement, can pave the way for sustained success in any industry or domain. So, let's not just adopt VSM as a tool; let's exploit its full potential to improve the probability of mission success.
- Compliance: the triple threat against mission failure
The creation of stakeholder value is an essential obligation that successful organizations willingly accept. Contrary to common misconceptions, compliance does not hinder the creation of stakeholder value; instead, it safeguards the value creation process and ensures its effectiveness. Compliance is not solely about adhering to rules but encompasses integrity, alignment, and operational excellence, a triple threat against mission failure.

Compliance, as defined by ISO, is the outcome of meeting obligations, and it therefore plays a vital role in ensuring that organizations fulfill their responsibility to create stakeholder value along with other targeted outcomes. Stakeholders, including customers, employees, shareholders, and the community, have legitimate expectations of organizations. These expectations revolve around the delivery of quality products and services, ethical practices, fair treatment, and contributions to the community's well-being. For organizations to be considered compliant, they must meet all their obligations.

Compliance and Stakeholder Value
Compliance and the creation of stakeholder value are two interconnected aspects that play a crucial role in the success and sustainability of organizations. Compliance refers to adherence to legal, regulatory, and internal obligations, industry standards, and ethical practices. It ensures that companies operate within the boundaries set by society and mitigate the risks associated with non-compliance. Creating stakeholder value, on the other hand, involves considering the interests and needs of all stakeholders, including employees, customers, shareholders, communities, and the environment, and actively working towards fulfilling those expectations. These two elements are not mutually exclusive; rather, they are mutually reinforcing. Compliance provides a foundation for building trust and credibility with stakeholders. When companies prioritize compliance, they demonstrate their commitment to upholding ethical standards and responsible business practices. This, in turn, fosters stakeholder confidence and enhances the organization's reputation. Compliance also helps mitigate legal and reputational risks that could negatively impact stakeholder value. By adhering to regulations and standards, companies can avoid costly fines, legal disputes, and reputational damage, thus preserving stakeholder value and ensuring long-term sustainability.

Integrity, Alignment, and Operational Excellence
However, compliance goes beyond mere adherence to prescriptive rules and regulations. It encompasses a broader set of principles that govern an organization's conduct. At its core, compliance is about upholding the promises associated with all organizational obligations. This requires organizations to act with integrity, align their activities with their stated values and goals, and strive for operational excellence. Integrity ensures that organizations are transparent, honest, and accountable for their actions. It establishes trust among stakeholders, fosters long-term relationships, and safeguards the organization's reputation. Alignment refers to the consistent integration of compliance principles throughout an organization's structure, policies, and practices. It ensures that compliance is embedded in all decision-making processes, preventing conflicts and promoting a unified approach. Compliance helps align organizational values with operational objectives. Operational excellence is achieved through efficient and effective practices that meet compliance requirements while driving organizational success. By implementing robust compliance management systems, organizations can streamline processes, identify areas for improvement, and enhance overall performance. Operational excellence bolsters stakeholder confidence, reinforces trust, and creates a competitive advantage.

Conclusion
Compliance is not a separate entity from stakeholder value creation; rather, it is intertwined with it. Organizations must meet their obligation to create stakeholder value, and compliance ensures that this obligation is fulfilled effectively and ethically. Compliance encourages innovation by providing a framework within which organizations can explore new ideas while safeguarding stakeholder interests. Compliance is rooted in integrity, alignment, and operational excellence, serving as a triple threat against mission failure. By embracing compliance as an integral part of their operations, organizations can cultivate a culture of responsible and sustainable practices. This not only enhances stakeholder relationships but also paves the way for long-term success, growth, and positive societal impact. Compliance, therefore, should be viewed as an ally rather than a hindrance: an essential driver of stakeholder value creation in the modern business landscape.
- Discovering Purpose as a Lean Compliance Leader: Embracing Essential Habits
As a lean compliance leader, your role is pivotal in upholding integrity and ensuring adherence to regulations and internal obligations while maximizing efficiency. To truly excel, it's essential to find purpose in your work and become a driving force for positive change within your organization. By embracing essential habits inspired by the principles of lean compliance, you can uncover your purpose and make a meaningful impact.
- When it comes to compliance, not only is it ok to load the dice, it's necessary.
In the realm of gambling, loading the dice is unequivocally seen as cheating, a violation of both legal and moral principles. Whether it is the house or an individual player who engages in such tactics, the act itself undermines the fairness of the game. We expect the dice to be impartial, providing us with an equal chance of winning or losing. However, the landscape changes drastically when we shift our focus to compliance in organizations. In this context, loading the dice, or stacking the deck, becomes not only acceptable but necessary. Before you think I have gone off the deep end, keep reading.

Loading the compliance dice does not imply evading or bypassing regulations. Instead, it involves taking proactive steps to understand, interpret, and implement the requirements effectively. It is about staying one step ahead, anticipating potential compliance challenges, and mitigating risks through diligent preparation and execution. It is about loading the dice to improve the probability of staying within the boundaries of laws, regulations, and ethical standards. If you are going to gamble with your compliance, at least load the dice in your favour. Let's look at how this is done.

Loading the Compliance Dice
Compliance is the outcome of meeting the obligations associated with the laws, regulations, industry standards, and internal policies that govern the conduct of businesses and organizations. The complexity and ever-evolving nature of these requirements can present significant challenges. Non-compliance can lead to severe consequences, such as legal penalties, reputational damage, loss of trust, and even the demise of the organization itself. With so much at stake, it becomes imperative for organizations to employ strategies that maximize their chances of compliance success. Loading the compliance dice involves proactively taking steps to minimize the risks of non-compliance. It entails implementing systems, processes, and controls that ensure adherence to the relevant regulations and standards. Just as a card player (but for different reasons) might stack the deck in their favour to increase their chances of winning, organizations must strategically position themselves to navigate the intricate compliance landscape.

One of the ways organizations load the compliance dice is by establishing robust internal compliance programs. These programs typically include policies, procedures, training initiatives, and monitoring mechanisms to ensure obligations are met across all levels of the organization. By investing in compliance infrastructure, organizations create an environment where employees understand their obligations, are equipped with the necessary knowledge and tools, and are incentivized to keep the promises associated with those obligations.

Additionally, organizations may leverage technology to load the compliance dice in their favour. Automation and data analytics play a crucial role in enhancing compliance efforts. Advanced software solutions can help monitor and track compliance-related activities, identify potential risks, and detect anomalies or deviations from established protocols. By leveraging technology, organizations can proactively identify areas of concern and take corrective measures before they escalate into compliance breaches.

Partnerships and collaborations can also contribute to loading the compliance dice. Organizations can engage with industry associations, regulatory bodies, and other stakeholders to stay updated on the latest regulatory changes and best practices. These partnerships can provide valuable insights, guidance, and support, enabling organizations to align their practices effectively with evolving compliance requirements.

Risk Management
The concept of loading the compliance dice is closely connected to effective risk management for organizations. By strategically taking steps to minimize risks and enhance compliance efforts, organizations can stack the deck in their favour and increase their chances of staying within the boundaries of laws, regulations, and ethical standards. Loading the compliance dice emphasizes the importance of risk assessment and mitigation as integral parts of compliance strategies. Organizations need to identify and evaluate potential compliance risks, assess their impact, and implement appropriate controls and measures to manage those risks effectively. This proactive approach allows organizations to align their risk management practices with compliance requirements and safeguard their stakeholders. It involves implementing robust risk programs, leveraging technology, and fostering partnerships. These measures not only enable organizations to proactively identify and address potential risks but also enhance their ability to detect anomalies and deviations from established protocols. By doing so, organizations can mitigate risks before they escalate into compliance breaches and potential legal consequences.

The practice of loading the dice can help develop a culture of proactivity. Organizations can strive to anticipate and address compliance challenges, protecting their reputation and ensuring the long-term viability of the business. Ultimately, by embracing effective risk management practices, organizations can enhance their ability to navigate the complex compliance landscape and achieve sustainable compliance success. It's time to load the compliance dice in favour of staying between the lines and ahead of risk. What do you think? If you are interested in learning how to improve the probability of compliance success for your program, register for our upcoming Foundations course on the topic of Operational Risk.
- Traditional versus Operational Approach to Compliance
Compliance is the outcome of meeting obligations, which requires compliance to be operational. Compliance operability is achieved when essential functions, behaviours, and interactions exist at levels sufficient to produce a measure of effectiveness; this defines Minimum Viable Compliance (MVC). Traditional approaches never reach MVC until the very end, which is too slow and often too late to protect value creation and stay ahead of risk. The good news is that there is a better way to do compliance that delivers benefits sooner, with greater certainty, and with less waste. This approach is based on the Lean Startup model by Eric Ries, which we have adapted to the compliance domain as shown in the following diagram:

The traditional approach is based on implementing the components, or parts, of the compliance function, starting at the bottom and advancing in capability and maturity until the last phase is reached. This is when effectiveness happens, as measured against realized outcomes. This is also when effectiveness can start to improve over time.

The operational approach is based on first achieving operability, which is the minimum level of capability for creating outcomes, a measure of effectiveness. Advancement in capability and maturity then happens across all functions, behaviours, and interactions, always tied to realizing higher levels of effectiveness. This provides the maximum amount of learning at the minimum cost, creating less waste while delivering benefits sooner. The operational approach has improved the development of products and services, particularly when contending with uncertainty and when achieving outcomes is important. This is the case for all organizations under performance and outcome-based regulation.
- If There Is Care You Will Find Quality
Recently I spoke with a retired CEO of a successful semiconductor manufacturer who, when I asked him about quality, said to me, "if there is care you will find quality." If a company really cares about its customers it will invest in quality. That is what he has experienced over the years. It is the object of our care that is important. Quality cares about customers. This goes beyond respect, as important as that is. Care includes:
  - the provision of what is necessary for the health, welfare, maintenance, and protection of someone or something;
  - serious attention or consideration applied to doing something correctly or to avoid damage or risk.

Many people talk about the importance of a strong culture for a company to succeed at what it does. A strong culture can reinforce values, help provide direction to employees, and fill in the gaps between what is written in policies and procedures and how things are actually done. That is why alignment of culture with strategy is so important. If your culture is at odds with your strategy it is impossible to advance outcomes. However, coming up with a consistent culture that supports the values and strategies of an organization is not easy. Companies consist of different kinds of activities that require their own approach and have their own culture. Geoffrey Moore, in his book "Zone to Win", suggests four zones: performance, productivity, incubation, and transformation. Each of these is managed differently, has different strategies, and ultimately has its own culture. In fact, one could go further and suggest that there are even subcultures beyond the ones for each zone. One could imagine a culture for each value that a company has: a safety culture, a quality culture, a risk culture, a learning culture, and so on. Now add to this each person's own culture and it is no wonder companies have a difficult time bringing everyone onto the same page. This is where having a culture of care helps.

Companies that care pursue excellence, work on doing things right, and strive to make sure that they look after their workers, customers, and environment. A culture like this would go a long way to bringing everyone onto the same page.
If there is care you will find excellence.
If there is care you will find safety.
If there is care you will find quality.
If there is care you will find loyalty.
If there is care you will find integrity.
The great part of working in compliance is working with people who do care about things that really matter. If the "C" in compliance stands for anything, it stands for "Care".
- Beyond Certification: The Limits of Certification in Improving Performance Across Industries
Certification is often seen as a way to demonstrate compliance in various industries, such as security, safety, sustainability, and more. However, the effectiveness of certification in improving performance is limited. Studies have shown that organizations that pursue compliance certification for its own sake, rather than as a means to improve performance, may fail to achieve real progress: certification can create a "check-the-box" mentality that hinders real improvement and the advancement of compliance outcomes.

For example, ISO 14001 Environmental Management System (EMS) certification is a widely recognized certification for demonstrating compliance with environmental regulations. However, a study found that organizations that adopted ISO 14001 for the purpose of certification did not necessarily see an improvement in their environmental performance. These organizations focused on meeting the minimum requirements to obtain certification, rather than pursuing excellence and continuous improvement.

Similarly, organizations that pursue security certifications, such as ISO/IEC 27001 Information Security Management System (ISMS) certification, may focus solely on meeting the minimum requirements to obtain certification, rather than on addressing real security risks. This can create a false sense of security, leading to complacency and putting the organization at risk.

The problem with certification is that it can create a culture of complacency. Once an organization obtains certification, it may feel that it has achieved mastery and stop pursuing further improvement. This can lead to a stagnation of skills and performance, limiting the potential for innovation and progress. To truly improve performance, organizations must shift their focus from certification to a culture of excellence and continuous improvement.

For example, instead of pursuing ISO 14001 certification for its own sake, organizations should focus on reducing their environmental impact through a continuous improvement program that includes metrics and targets for environmental performance. This can lead to real improvements in environmental sustainability and create a competitive advantage for the organization. Similarly, organizations should focus on real security risks and adopt a risk-based approach to security, rather than solely focusing on meeting certification requirements. This can create a culture of continuous improvement and innovation, improving the organization's security posture and reducing the risk of security breaches.

While certification can be a useful tool for demonstrating compliance, it should not be seen as a substitute for real performance improvements. Organizations must adopt a culture of excellence and commit to learning and adapting to truly achieve their full potential across various industries. Companies that desire to improve their compliance outcomes and choose certification as a means to get there not only receive certification but also improve their performance – you get both. However, to get both, you need to start with intention, not certification.
- The Key To Making Risk-based Compliance Decisions
When it comes to making compliance decisions many organizations will consider the cost and what they can afford. This will include evaluating risk and identifying the costs associated with noncompliance (e.g. a fine) and the cost to mitigate the non-conformance. A risk/reward calculation is then performed to decide whether to proceed or not. If the cost of mitigation is higher than the fine then many might just accept the risk and proceed along that course of action. Why pay $100,000 if the fine is only $10,000?

At one level of analysis this makes sense and appears similar to the ALARP principle referenced in many regulations and standards — reduce the risk to “As Low As Reasonably Practicable”. It’s not reasonable or practicable to invest $100,000 to cover a $10,000 fine, so let's just pay the fine if and when it happens. Applying ALARP is a good principle and will lead to good decisions. However, I don’t think that is what’s happening.

What appears to be going on is that the scope of risk consideration is making compliance decisions “de minimis” – too small to be meaningful or material. This is the case when only the cost of a fine is considered. There are many reasons why a “de minimis” rather than a broader or comprehensive scope is used. Some of this happens as a result of taking a reductive, siloed, and simplistic approach to managing compliance. Perhaps the largest factor is not considering the total value of what is at risk. This is enabled when no one owns or is accountable for enough compliance scope to make the risk consideration material. When this happens the methods used to evaluate risk are focused on only a fraction of what is at stake. Risk is more than paying a fine, or the probability-weighted sum of all possible fines that might need to be paid.

Effective risk-based compliance decisions require that organizations widen their scope by considering all their promises: to keep people safe, to protect private data, to provide quality products and services, to be a good steward of the environment, and so on. This starts by having credible answers to these questions:
- What promises have we made to our stakeholders?
- What capabilities and resources are needed to keep all our promises?
- Do we have a credible plan to meet all of them?
- What obstacles or opportunities will we find as we meet our promises?
- How will we measure our progress?

Having answers to these questions will help organizations evaluate the impact of their decisions on their ability to keep all their promises, and so avoid such things as loss of reputation, loss of trust, and loss of life, which are material and not "de minimis." If you can't afford to keep your promises, fines will not be the only risk you will face and have to accept. You may face the risk of having to consider a new line of business. Investing $100,000 to cover a $10,000 fine may not make sense for many organizations. However, if that investment aligns with your values and helps you keep all your promises, the reward will be much higher and will accrue over time. A better decision in the long run.
- Using Wardley Mapping To Improve Compliance
Wardley Mapping is a strategic planning and visualization technique that was developed by Simon Wardley, a researcher and consultant in the field of IT strategy. Simon Wardley first introduced the concept of Wardley Mapping in 2005 in his blog, Bits or pieces, where he published a series of articles explaining the technique and its benefits. Over time, Wardley Mapping gained popularity among business leaders, entrepreneurs, and strategists as a tool to visualize and plan complex systems and processes. Today, Wardley Mapping is used by organizations around the world to gain insights into their systems, processes, and products, and to develop strategies that help them stay ahead of the curve in an ever-evolving market. In this article we look at how it is used to improve compliance.

Wardley mapping is a powerful tool that can also help organizations understand the inter-dependencies of their compliance programs, systems, processes, and technology, and identify gaps and opportunities for optimization in their capabilities. It is particularly useful for assessing the maturity of capabilities required to achieve and advance compliance outcomes towards vision zero targets such as zero breaches, zero violations, zero emissions, zero fatalities, and so on, all of which are essential for any organization's mission success. By using Wardley mapping organizations can make strategic decisions about how to allocate resources and prioritize efforts to better achieve compliance outcomes, ultimately improving efficiency and reducing costs. With its ability to provide a visual representation of a compliance value chain, Wardley mapping is a valuable tool for any organization looking to gain a better understanding of its capabilities and make informed decisions about its future direction concerning compliance.

Wardley Mapping Steps

Wardley mapping is a simple and yet powerful tool that everyone can learn.
At a high level, here are the steps you can take to map your compliance efforts and assess needed capabilities:

1. Understand the compliance landscape: First, you need to gain a good understanding of the compliance landscape in your industry or organization. This means identifying the key regulations, standards, and best practices that apply to your business.

2. Map the compliance value chain:
   - Identify the components: Begin by identifying the various components of the program, systems, or processes that you want to map out. This may involve identifying the key activities, functions, and inputs that contribute to the overall value chain.
   - Map out the components on an X-Y axis: The X-axis represents the evolution of the components, from the initial state (genesis) to the final state (maturity), while the Y-axis represents the value chain, from the organizational need to the final compliance program or technology.
   - Identify the components and their dependencies: For each component on the map, identify its dependencies and how it interacts with other components in the program. This can help you understand how changes in one component can affect other components in the overall system.
   - Determine the characteristics of each component: For each component, identify its characteristics such as its level of maturity, its cost, its importance to the system, and its level of differentiation from other components in the system.
   - Analyze the map and identify areas of opportunity: Use the Wardley Map to identify areas of opportunity, such as areas where new technologies can be applied or where costs can be reduced. Use the map to prioritize actions and investments that will help to improve the overall program, systems, or process.
   - Update the map as the program evolves: As the compliance function evolves, continue to update the Wardley Map to reflect changes in the components, their dependencies, and their characteristics. This will help to ensure that the map remains an accurate representation of the system and can continue to guide decision-making.

3. Identify areas for improvement: With the compliance landscape and program mapped, you can identify areas where improvements are needed. This might include areas where your organization is not meeting regulatory requirements or where your compliance program is not as effective as it could be.

4. Prioritize improvements: Once you have identified areas for improvement, you can prioritize them based on their impact on your organization's compliance posture and their feasibility. For example, you might prioritize improvements that address high-risk areas or that can be implemented quickly and easily.

5. Develop a plan: With the improvements prioritized, you can develop a plan to implement them. This might involve developing new policies or procedures, implementing new controls, or providing additional training to employees.

6. Monitor progress: Finally, it's important to monitor progress and make adjustments as needed. This might involve tracking key compliance metrics, conducting regular risk assessments, and reviewing your compliance program on a regular basis to ensure it remains effective.

Using Wardley Mapping, organizations can understand how best to improve compliance, gain a better understanding of the compliance landscape, identify areas for improvement, and prioritize those improvements to ensure the organization is effective at staying between the lines and ahead of risk.
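The mapping and analysis steps above (components, dependencies, evolution, areas of opportunity) can be modelled in a few lines so that the fragile spots fall out of the data rather than out of eyeballing a diagram. The following is an added example, not code from the article or from Simon Wardley's work; the compliance components, their evolution scores and their dependencies are constructed for illustration. It places each component on the value-chain axis by how far it sits below a stakeholder promise, and then flags the "genesis" or "custom-built" components that the most visible promises transitively rely on, which is where a compliance program is usually most exposed.

```python
# Added example (constructed data): a minimal Wardley-style compliance map.
# Evolution axis: 0.0 = genesis ... 1.0 = commodity.
# Value-chain axis: derived from dependencies (promises at the top, 0 = most visible).
from collections import defaultdict

# component -> (evolution score, components it depends on). Constructed sample map.
COMPLIANCE_MAP = {
    "breach notification within 72h": (0.6, ["incident response", "data inventory"]),
    "incident response": (0.5, ["log collection", "on-call rota"]),
    "data inventory": (0.2, ["asset discovery"]),
    "asset discovery": (0.3, []),
    "log collection": (0.9, ["cloud logging service"]),
    "cloud logging service": (0.95, []),
    "on-call rota": (0.8, []),
}

EVOLUTION_STAGES = ["genesis", "custom-built", "product", "commodity"]


def stage(evolution: float) -> str:
    """Label a 0..1 evolution score with its Wardley stage."""
    return EVOLUTION_STAGES[min(int(evolution * 4), 3)]


def _dependents(component_map):
    """Invert the dependency edges: component -> components that depend on it."""
    dependents = defaultdict(list)
    for comp, (_, deps) in component_map.items():
        for dep in deps:
            if dep not in component_map:
                raise ValueError(f"{comp!r} depends on unmapped component {dep!r}")
            dependents[dep].append(comp)
    return dependents


def visibility(component_map):
    """Value-chain position: a promise with no dependents is 0; each level
    further down the chain adds 1 (longest path up to any promise).
    Raises on a dependency cycle, which a Wardley map must not contain."""
    dependents = _dependents(component_map)
    memo, in_progress = {}, set()

    def depth(c):
        if c in memo:
            return memo[c]
        if c in in_progress:
            raise ValueError(f"dependency cycle through {c!r}")
        in_progress.add(c)
        ups = dependents.get(c, [])
        memo[c] = 0 if not ups else 1 + max(depth(u) for u in ups)
        in_progress.discard(c)
        return memo[c]

    return {c: depth(c) for c in component_map}


def transitive_dependents(component_map):
    """component -> set of everything that (directly or indirectly) relies on it."""
    dependents = _dependents(component_map)
    result = {}
    for comp in component_map:
        seen, stack = set(), list(dependents.get(comp, []))
        while stack:
            cur = stack.pop()
            if cur not in seen:
                seen.add(cur)
                stack.extend(dependents.get(cur, []))
        result[comp] = seen
    return result


def fragile_components(component_map, max_evolution=0.4):
    """Areas of opportunity: immature components (evolution <= max_evolution)
    ranked by how many other components rely on them. Returns [(name, count)]."""
    visibility(component_map)  # validates the map (no cycles, no dangling deps)
    reach = transitive_dependents(component_map)
    fragile = [(c, len(reach[c])) for c, (evo, _) in component_map.items()
               if evo <= max_evolution]
    return sorted(fragile, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    vis = visibility(COMPLIANCE_MAP)
    for comp, (evo, _) in sorted(COMPLIANCE_MAP.items(), key=lambda kv: vis[kv[0]]):
        print(f"y={vis[comp]}  x={evo:.2f} ({stage(evo):12s})  {comp}")
    print("fragile:", fragile_components(COMPLIANCE_MAP))
```

On the constructed map this ranks "asset discovery" first: it is still genesis-stage, yet the data inventory and, through it, the 72-hour breach-notification promise both rest on it. That is exactly the kind of component step 4 would prioritize, either by investing to move it right along the evolution axis or by replacing it with a product or commodity equivalent.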