
  • Which Organizations Do Compliance Better?

    In this blog post we look at answers from two representative companies to the question: What is the status of your compliance? Both organizations are "in compliance" using Compliance 1 measures, but they are not doing compliance the same way. Which company do you think is doing compliance better, and does it matter? The answers are fictional but based on an aggregate from conversations I have had over the years.

    Here are answers from five compliance roles at "We Make Things, Inc."

    We Make Things, Inc. - What is the status of your compliance?
    - CEO: We have someone who looks after compliance.
    - Chief Compliance Officer: We are always in compliance with all applicable laws and regulations, as far as we know.
    - Safety Manager: We passed our last audit.
    - Quality Manager: We are certified to ISO 9001.
    - Environmental Manager: We comply with all greenhouse gas emissions reporting.

    This company is in compliance and doing what they believe they need to do. On paper everything looks just fine. Now let's look at the answers from our second organization for the same roles.

    We Make Other Things, Inc. - What is the status of your compliance?
    - CEO: I take a personal interest in ensuring that we meet all our obligations. To make sure that we do, we choose higher standards than are asked of us. Our customers are delighted with our products, our shareholders want to invest more, our employees see a future with us, and our communities are happy to have us operate. If we are not living up to our standards, let me know and I will make sure that we do better. You can hold me accountable to that.
    - Chief Compliance Officer: We have a high level of confidence that we will meet all our obligations, based on consistently achieving measures of effectiveness, performance, and conformance year over year. We communicate all our measures of assurance to our stakeholders to keep us accountable and on track.
    - Safety Manager: All our safety obligations, commitments, risks and measures are documented, measured, controlled and continuously improved to meet higher standards of safety. We are making continued progress, evidenced by fewer incidents and lower risk, which we continuously measure and evaluate. We are very proud of our results. Would you like to see them?
    - Quality Manager: All our quality obligations, commitments, risks and measures are documented, measured, controlled and continuously improved to meet higher standards of quality. We are making continued progress, evidenced by fewer defects and lower risk, which we continuously measure and evaluate. We are very proud of our quality; just talk to our customers.
    - Environmental Manager: All our environmental obligations, commitments, risks and measures are documented, measured, controlled and continuously improved to better our environmental stewardship. We are making continued progress, evidenced by lower emissions, lower risk and reduced impact on the environment, which we continuously measure and evaluate. We are very proud of our progress. We plan to reach net carbon neutrality early.

    Which one does compliance better? Clearly there is a difference between the two sets of answers.

    The first organization:
    - is doing the minimum, and perhaps less than that
    - probably considers compliance a necessary evil (a tax on production)
    - does not view compliance as mission critical
    - is reactive with its compliance
    - does not really know how well it is doing
    - most likely is not realizing any of the benefits of being in compliance

    The second organization:
    - is taking ownership of its obligations across all levels of the organization
    - treats compliance as mission critical
    - provides a greater measure of assurance that value (in the broadest sense of the word) is protected
    - is proactive in its approach to compliance
    - measures how well it is doing with its compliance
    - is realizing the benefits of its compliance effort

    Do you think these differences matter? Which company would you want to work for or buy products from? If you were an investor, which one would you rather invest in? Which one do you believe will reach its mission goals and objectives? This is the climate that organizations are facing, and these are some of the questions that stakeholders (customers, employees, communities, shareholders, suppliers, etc.) are asking. How would you answer these questions for your organization? What is the status of your compliance, and do you think it matters?

  • How To Strengthen Your Ability To Drive Compliance Improvements

    In this post we consider a question that we are often asked: "How do we strengthen our ability to drive compliance improvements in our organization, particularly with those who may be resistant to change?" Several factors need to be considered to drive change and overcome resistance. These can be categorized along two dimensions: the technical side and the people side of change.

    Technical Side of Change

    On the technical side, we need to overcome the resistance built into systems and processes. Operational systems are designed to resist change in order to achieve consistency to a standard, which is a desirable quality. This poses unique challenges when systems need to adapt to deliver improved performance or new capabilities, and it is why these changes need to be managed carefully. It is not surprising to find resistance from those responsible for keeping these systems operational. For them, change introduces the opportunity for risk. To overcome resistance one needs to first contend with risk.

    Managing technical change is often a regulated process, referred to as Management of Change (MOC) in high-risk, highly-regulated industries. An effective MOC process will help guide planning and implementation and manage change to prevent or mitigate unintended consequences that affect the safety of workers, the public, or the environment. Although MOC processes may look different based on the industry or compliance system involved, the purpose remains the same: to avoid unnecessary risk. An MOC process provides a structured approach to capture a change, identify and mitigate risks, assess impacts (organization, procedures, behaviours, documentation, training, etc.), define work plans to effect change safely, engage stakeholders, obtain necessary approvals, and update affected documentation. By following such a process risk can be adequately mitigated, which is perhaps the most important measure of MOC effectiveness.

    People Side of Change

    Organizations will often use management programs to introduce the change needed to achieve greater effectiveness over time. Programs act as a form of regulation for underlying systems to achieve a change in outcomes rather than only in performance. These outcomes will take the form of financial, safety, security, environmental, quality and other mission-critical objectives. Change Management (CM) will therefore be an essential part of management programs, focusing mostly (but not entirely) on the people side of change. This makes sense, as programs will by necessity introduce new capabilities that affect existing structures, systems and processes and introduce new ones. Organizations often look to change methodologies such as the PROSCI® ADKAR model, Kotter's 8-step process, or something similar to increase support and reduce resistance to change.

    What is often not well understood is that CM and MOC need to work together in order to realize the intended benefits. For example, accomplishing short-term wins may not be possible when new capabilities are not implemented first. All aspects of change must be coordinated and often sustained over a long period of time, which will involve other change methodologies and processes aligned with continuous improvement. It is no wonder that, without the capabilities to navigate change of this kind, some may be resistant or at least skeptical of participating in such an endeavour.

    Driving Compliance Improvements Using The Proactive Certainty Program

    The Proactive Certainty Program™ that we offer is designed to drive change towards compliance operability and better compliance outcomes over time. Participants in this program find that they are in a better position to contend with both the technical and people sides of change by defining:
    - what changes are needed,
    - why these changes are needed, and
    - what strategy to use for making change a reality.

    The Proactive Certainty Program™ helps answer these questions by helping organizations better understand their compliance landscape, the destination (purpose, outcomes, and goals) for their compliance program, where they are now relative to that destination, and how best to get there. This knowledge contributes to building a common vision and desire for change. It also helps to discover what capabilities are needed to realize the benefits of compliance from both an organizational and technical perspective. Resistance triggers are also identified as threats and opportunities, providing early insights for input into change management and MOC processes.

    Further information on how to strengthen your ability to drive compliance improvements can be found here.

    Further reading on managing change:
    https://www.leancompliance.ca/post/the-most-important-risk-control
    https://www.leancompliance.ca/post/what-is-management-of-change
    https://www.leancompliance.ca/post/the-differences-between-managing-organizational-and-asset-changes
    https://www.leancompliance.ca/post/be-certain-about-change

  • A Problem with Compliance Standards

    When we adopt a standard we find that it inevitably judges what we are currently doing. That is what good standards do. They are a measuring stick set against our current mindset, behaviours, practices, and culture. Our reaction to what the standard reveals provides important insights that will need to be addressed. We may find that we are:
    🔸Indifferent - this doesn’t affect me, so I don’t care if we do it or not.
    🔸Confused - the standard overlaps and competes with other initiatives. This will slow down the other projects I am working on.
    🔸Overwhelmed - this will be too hard. The standard is too high for us to attain. This will only be more work. I am already doing the best that I can.
    🔸Discouraged - I put a lot of work into our last effort and nothing came from it. Why should this be any different?
    🔸Unsure - adopting new ways of doing things is easier said than done. I don’t see how this will succeed.
    🔸Skeptical - why are we really doing this? Will this really help us?
    🔸Encouraged - the standard will help us improve and provide something to work towards. Why are we waiting? Let’s get started.
    Organizations will need to address these reactions, and others, when they adopt new or revised compliance standards. How have you addressed these reactions? What other reactions did you discover? What else did a standard reveal about your situation? What can help bring everyone on board? You can read more about how to manage change here.

  • Measuring Compliance Effectiveness

    Establishing and maintaining compliance is an objective of many organizations. However, many do not measure the effectiveness of their programs (75% do not, according to HBR). This means they don't know if their compliance efforts are helping or hindering them in meeting their regulatory or voluntary obligations.

    A Measure of Effectiveness

    An important question to answer is: how should compliance effectiveness be measured? How is compliance progress measured? Mark Burgess (author of Promise Theory) defines effectiveness for purposeful systems as:

    Effectiveness = Promises Kept / Promises Made

    Promises are the operational component of obligations. They define the commitments organizations make to meet the obligations associated with both a regulatory license and a social license to operate, the latter being mostly "voluntary" and tied to sustainability, ESG, and other stakeholder expectations.

    Examples of promises:
    - The internet service provider promises to deliver broadband internet at a specific bandwidth for a fixed monthly payment.
    - The security officer promises that the system will conform to security requirements.
    - The support personnel promise to be available by phone 24 hours a day.
    - Support staff promise to reply to queries within 24 hours.
    - The ERP cloud provider promises to provide 99.9999% service availability.
    - We promise to reduce our emissions by 10% year over year.

    Compliance effectiveness can be calculated by measuring whether these promises have been kept over a specific period of time. According to promise theory, keeping a promise is a necessary but not a sufficient measure of whether obligations are met. Only the agent imposing the obligation can make that determination. This is similar to the difference between verification and validation in the medical device and pharma industries: verification tests that a device (for example) works as designed; validation tests whether the device delivers the intended benefits.

    For most organizations, verifying that their compliance systems are effective at keeping organizational promises is a good first step. More information about promises and obligations can be found here.

  • A Management Standard for ESG Obligations

    You do not have to wait for an ESG management standard before you start managing your ESG obligations. Obligations associated with Environmental, Social and Governance (ESG) initiatives can cross and overlap several compliance domains. While standards unique to ESG are being developed with respect to reporting requirements, the management of the obligations themselves does not yet have a standard approach. For the foreseeable future, deciding where ESG obligations should be managed within an organization, and how best to manage them, will be largely shaped by the scope and nature of the ESG obligations and by the existence of other compliance programs. For example, organizations that already have EHS programs could incorporate their ESG obligations into those frameworks. You can use ISO 14001 and replace "Environmental" with "ESG" to provide the basics to start moving towards managed ESG. Other standards that might be helpful to get started:
    - ISO 37301 - Compliance Management Systems
    - ISO 26000 - Guidance on Social Responsibility (CSR)
    Most of these follow a similar framework, which can be adapted to include aspects unique to ESG.

  • Top 10 Compliance Priorities for 2023

    As the year comes to a close we identified 10 compliance priorities for 2023 to keep you between the lines and ahead of risk. You can download the presentation here.

  • Courage to Communicate

    In my first year of engineering I was given this advice: you can be the smartest engineer, but if you cannot articulate your ideas and communicate them then it will not matter. Many engineers tend towards introversion (myself included), which means that learning to communicate requires overcoming fears in the presence of uncertain reactions. Not all work environments are "safe", and even in those that are, many will always have the fear of failure and of what others might say. This is where courage comes in – acting in the presence of fear or uncertainty. Taking risks (calculated or not) has always required courage. It may work out or it may not. You may shipwreck your career or send it to the moon. However, what is worse is living under fear and regret – wondering what if. We also need to remember that fear itself is not a bad thing. We should fear what is dangerous. However, our fears can be misaligned. When it comes to communicating, we need to fear the risk associated with keeping silent more than the risk of speaking up. In the upcoming year, may we all find the courage to face our fears and the knowledge to know what not to fear.

  • Compliance Training versus Compliance Practice

    Those who have watched Ted Lasso on Apple TV+ will know that the meaning of the words we use can differ when they are spoken in another culture. In the TV show, an American football coach goes over to the UK to coach a football team (and by football we mean soccer), where he soon discovers that some words, phrases, and idioms do not mean the same thing. For example, in American football players train, whereas in the UK footballers practice. The words train and practice are used for the same thing, which involves both training and practice. Confusing, right?

    This confusion also exists in business when we hear the word training. In this context we usually expect to learn how to do something rather than actually doing it. Practice is the word we use to describe applying what you learned, which takes more time and is often done separately. This separation between training and practice can perhaps be attributed to our education system, which tends to separate knowledge from skill development.

    What about LEAN?

    When it comes to LEAN, training and practice are done together, more like a sports team. You learn by doing and you learn with a coach. This is often done in the context of problem-based learning, where you learn what you need to solve a problem when the problem surfaces. Toyota Kata is an excellent example of how this is done. LEAN has successfully used this approach for years, along with other sectors such as medicine, where problem-based learning is seen as the best way for future doctors to learn their trade.

    What about Compliance?

    When it comes to compliance, training is a big thing. In fact, for many organizations training is seen as the dominant means of achieving compliance, apart from audits. However, training in this case has more to do with education than with developing skills. Receiving training about compliance, while important, is ineffective without practicing the skills needed to achieve compliance, and that has more to do with keeping promises. According to Promise Theory (cf. Mark Burgess), obligations are the intentions induced in us by someone else, with a penalty for non-compliance. Promises (the other side of the coin) are the commitments we voluntarily make to meet the obligation. You could say (and I do) that the practice of promise keeping is the true work of compliance.

    To that end, here are seven things you can practice to help you keep your promises:
    - Be intentional - keep track of your promises and how well you are doing.
    - Become more self-aware - monitor your decisions and be aware of what you are committing to.
    - Don’t make promises you can’t keep - over-promising and under-delivering is still a thing. Make realistic commitments based on your capabilities, capacity, and availability.
    - Be courageous - making promises is a courageous act, often done in the presence of uncertainty. Press into the uncertainty and learn how to contend with it rather than withdrawing from it.
    - Be proactive - assess the risks in keeping your promises and make plans to improve your probability of success.
    - Ask your team to help you be accountable - the secret sauce of promise keeping. Declare your intentions and have someone other than yourself hold you accountable.
    - Fail quickly - if you can’t keep your promise, ask for help, and do so as early as possible. We all need help from time to time, and this is how we learn.

  • ESG Reports - A Significant Source of Obligations

    In recent months, while reviewing several ESG reports, I noticed that these reports have evolved from simply reporting on Environmental, Social, and Governance (as ambiguous as that can be). They have expanded to include many other topics of interest to stakeholders, such as:
    - Diversity, Equity, and Inclusion
    - Sustainability
    - Health and Safety
    - Cyber Security
    - Privacy Protection
    - Information Security
    - Climate Adaptation
    - Enterprise Risk Management
    - ESG Priorities and Initiatives
    - and many others

    ESG reports are also becoming a significant source of internal obligations, as they are filled with board-level commitments, goals, and targets. In previous blogs I discussed that ESG has more to do with a social license to operate than a legal one. In this context, "social" can be substituted with "stakeholder" – anyone who has a stake in the activities of the business. As a result, managing ESG commitments will most likely fall outside traditional compliance programs structured around legal and mandatory obligations. In fact, ESG commitments tend to be performance- and outcome-based, which requires organizations to be proactive and integrative in their approach. This will mean more programs to introduce change, rather than only systems that resist change to achieve consistency and conformance.

    The need for compliance to adapt to performance- and outcome-based obligations has been happening for some time for those in highly-regulated, high-risk industries, specifically around safety. It appears that ESG commitments will be added to these and may now become a key, and perhaps the dominant, driver of compliance change. What we can be certain of is that reactive, check-box compliance focused on audits and action items will not be enough to address ESG commitments. Instead, compliance will need to be re-imagined and engineered to advance outcomes and meet targets in the presence of uncertainty.

    If you want your compliance team to learn how this is done, consider joining "The Proactive Certainty Program™". This program teaches you how to take a proactive and integrative approach to compliance so you can always stay between the lines and ahead of risk. Take the first step and complete the scorecard available here.

  • Do we need Professional Engineers?

    As T.S. Eliot wrote: “It is impossible to design a system so perfect that no one needs to be good.” Professional engineers are those who promote that good. Engineers, and more broadly the engineering profession, have for years applied scientific knowledge for practical purposes and the good of the public at large. This comes with significant responsibilities to “do good” and protect the public from the harms that might come from the technology used.

    Over the course of the last several decades the original fields of engineering have grown to include other applied sciences such as computer, sustainability, environmental, bio-medical, social, cybersecurity, safety, aerospace, risk, process safety, and many, many more – most likely hundreds of fields. Unfortunately, the role of a professional engineer has not progressed to participate in these other domains. For example, the use of engineering stamps on drawings as a way to help provide assurance of public safety has not found its equivalent in other areas of the profession. Far worse, engineers have more broadly been left out of the conversation regarding ethical aspects and protection from public harm.

    Back in the day, although my degree was computer engineering, its core was electrical so that it could be accredited by the professional engineering association. Technically, the profession had not found a spot for computer engineers. Even today this has not really changed. Upon graduating I pursued a professional engineer's license in support of my duty to protect the public, something that I strongly agreed with. However, what would a computer engineer do with a professional engineer's stamp? Would we stamp computer architecture diagrams or other design documents? I never have, nor was I ever asked to.

    As my professional association is currently heading towards elections, there is talk about modernizing the profession, specifically its governance and regulatory aspects. However, I wonder if we might do better to work towards the elevation of professional engineers beyond the traditional five disciplines to all engineering practices. Engineers need to have a voice to speak up on the ethical and societal aspects of the growing list of technologies that are used. We need to find an equivalent of the engineer's stamp for all of engineering.

    Now, I realize that there is nothing special about the stamp. What is important is what the stamp symbolizes. The stamp represents that the engineer takes responsibility for the engineering work and will be held accountable for it. It is a stamp of assurance – a seal of trust. The public today still needs the same assurances. We need engineers more than ever as we look to science and technology to help address climate change, sustainability, cyber risk, and many other public concerns. However, we don't just need their technical knowledge and skills. We also need their commitment to public safety and to doing good, which requires a modern-day stamp of assurance and seal of trust. So yes, there is still a role for professional engineers, and we need more of them in every field of engineering.

  • Should Risk Management Be Connected With Internal Audit?

    This week we explore a question that was posed in reference to the IIA’s Three Lines Model: "Should risk management be connected more closely with internal audit?"

    As a quick overview, the Three Lines Model is an updated version of what was previously known as the Three Lines of Defence. This updated version clarifies and strengthens how key organizational roles work together to provide strong governance and risk management.
    - The first line of the IIA model focuses on management's responsibility to deliver products and services.
    - The second line provides assistance to the first line in contending with risk.
    - The third line is the audit function, providing independent and objective assurance and advice.
    - Governance provides oversight across all lines, enabling accountability, assurance, and action.
    - The model depends on all functions working together to create and protect value.

    With respect to risk we can make the following observations:
    - The first line has managerial accountability for meeting organizational objectives and obligations. Management is responsible for contending with common risk (i.e. strategic, operational, tactical) along with the specific risks associated with safety, security, sustainability, environmental, quality, and other organizational objectives.
    - The second line provides expertise, advice and support to manage specific risks and to ensure that effective measures are in place. There can be overlap in responsibilities between the first and second line; however, the second line is usually not accountable for the outcomes of risk.
    - The third line (audit) does not have managerial accountability for organizational objectives or responsibility to contend with risk. Internal audit does have accountability for the delivery of audit services. Audit effectiveness depends on many things, but mostly on its independence and objectivity.

    Discussion:

    The Three Lines Model (diagram above) shows internal audit connected to management (first and second lines) as well as to governance. The question of how close this connection should be is a reasonable one and worth investigation. Accountability for obligations and their risks does not belong to internal audit (third line) or risk management (second line). As a consequence, contending with uncertainty remains a first-line obligation assigned to those answerable for outcomes, which the IIA clearly calls out.

    Risk, as most now define it, is the effect of uncertainty on objectives. To contend with risk you need clear and concise objectives (lacking ambiguity) and an estimate of the level of uncertainty associated with meeting them. From this, measures can be put in place to improve the probability of meeting those objectives. These activities need to be managed, monitored, and continuously improved to ensure risk levels are at or below specified risk tolerances. This function is primarily proactive in nature, which we define as anticipating, planning, and acting to increase the probability of the outcomes we want and decrease the probability of the outcomes we don't want.

    Audit, on the other hand, follows reactive and retrospective behaviour and practices, most often concerned with verification of processes (i.e. controls) and procedures. Audit seldom validates the effectiveness of programs and systems as measured by the realization of targeted outcomes. As risk management is concerned with both value protection and value extraction, its focus includes the outcomes produced by the underlying systems, something that audit struggles to measure. Audit most often focuses on whether things are done right rather than whether the right things are done. This is not to say that some auditors don't provide advice on the latter; however, doing so works against audit being objective and independent. When businesses lean too much on audit’s advice, managerial accountability is diminished along with audit’s objectivity. This is something that should be avoided.

    Aligning risk management more closely with a function that is reactive, such as internal audit, also introduces the risk of reinforcing the wrong behaviours. Risk management needs to remain proactive and requires a culture that reinforces practices that are more prospective than retrospective. Audit’s reactive culture would compete and dominate, to the detriment of risk management. If risk management should be connected more closely to something, it should be connected with proactive functions involved in visioning and goal setting, such as governance. However, what is more important is for risk management to work more closely with first-line management. They need to be part of the team that provides assurance (confidence) that objectives will be met. This can best be done when risk management is integrated with the business, something that audit cannot do as it must remain independent.

    Conclusion: Should risk management be connected more closely with internal audit? Probably not, for reasons that include:
    - Different cultures: proactive versus reactive
    - Different purpose: ensure objectives versus verify objectives
    - Different strategy: integrate with business versus independent from business
    What do you think?

  • Here Be Dragons

    Compliance leaders know that when it comes to risk there is more than one type of dragon to contend with. Effective compliance is about handling uncertainty to decrease the probability of non-conformance as well as increase the probability of conformance associated with meeting legal, regulatory, and stakeholder obligations.

© 2017-2025 Lean Compliance™ All rights reserved.