COMPLIANCE
- If Compliance Was Like Star Trek
Effectiveness: the final frontier. These are the voyages of USS Integrity, our continuing mission to meet and advance stakeholder obligations. To seek out new levels of performance and new standards. To boldly go where no organization has gone before.

Ship's Capabilities ...

  - STAR-FLEET (board of directors) - identify corporate risk and commission compliance missions.
  - STAR-FLEET DATABASE (obligations & risk register) - register of stakeholder obligations, risks, and corporate objectives.
  - OFFICERS (CEO, corporate officers) - accountable for achieving compliance mission success.
  - BRIDGE (management, steering committees) - plan, execute, and monitor compliance effectiveness and performance.
  - COMMAND (management) - execute projects, initiatives, and tasks to achieve compliance objectives.
  - CREW (staff, contractors) - provide skill, talent, and capability to meet compliance objectives.
  - THRUSTERS (risk & compliance programs) - provide capabilities to move forward and stay on course.
  - ENGINEERING (risk & compliance specialists, lean, etc.) - maintain risk & compliance measures running at peak efficiencies.
  - MAINTENANCE (reliability and preventative programs, integrity management) - maintain the health of the organization.
  - MEDICAL BAY (health and safety, first responders, primary care) - maintain health of crew.
  - STELLAR CARTOGRAPHY (obligations map) - map the regulatory compliance terrain, organizational goals, outcomes and objectives.
  - HELM (management) - plot course to higher standards while avoiding obstacles and taking advantage of opportunities.
  - NAVIGATION (balanced scorecard, KPIs) - maintain course, stay between the lines.
  - SHIELDS (resiliency, integrity, margin, safety, etc.) - protect organization and staff against threats and obstacles.
  - ESCAPE PODS (emergency response) - save crew in case of emergency.
  - TACTICAL (risk and compliance measures) - defend crew and organization against threats and pursue opportunities.
  - SHIP'S LIBRARY (document management) - database of regulations, standards, policies, procedures.
  - ALERT STATUS (change management) - adapt to changes in objectives, terrain, threat levels.
  - AWAY MISSIONS (Gemba, investigations) - first contact, reconnaissance.
  - LONG RANGE SENSORS (leading indicators) - threat detection.
  - MISSION LOG (records management) - add to and update knowledge base.

Act 1, Scene 1

USS Integrity ready to leave space dock after making needed repairs ...

Captain's quarters ...

Captain makes log entry: Star Date: now. Our last incident almost took us out. We lost some of our crew and star fleet is unsure we can complete our next mission. Work is proceeding on the USS Integrity as the crew completes needed repairs and modifications. Will they be enough? Will our defences hold this time? They must. The galaxy is depending on us to succeed.

Bridge hails the Captain: This is Spock. Repairs completed, captain.

Captain responds: Do we have any problems with compliance?

Spock responds: Compliance presents no problem.

Captain speaks: Then, Mr. Spock, let us comply. And let's hope we don't run into any auditors.

Spock: Indeed.
- The Two Towers of Safety: Be Safe, Act Safe
When it comes to safety there are two schools of thought. The oldest one is focused on behavior and its by-line is "Act Safe." This is the domain of Behavior Based Safety or BBS, which has been around for many years and has contributed significantly to improving occupational safety. However, a major problem with this approach is the tendency to blame the person should an incident or mishap occur. This results in workers not wanting to report incidents or even near-misses, and who would blame them for not wanting to under a climate of fault finding?

The second school of thought focuses on systems and processes and its by-line is "Be Safe." This is the realm of Human and Organizational Performance or HOP. This is relatively new and parallels the work in process safety management. The goal is to use systems and processes to create the conditions for people to be safe. In a manner of speaking, this approach reduces risk so that individual behaviors are less likely to cause an incident. This approach is also not without its problems as it can sometimes lead to "blaming" the system and loss of accountability for human action. Nevertheless, HOP has helped to address systemic safety issues that would otherwise not be addressed by human behavior alone.

There has been much debate in recent years as to whether HOP will replace BBS or whether they will merge into one approach, or even turn into something new altogether. It is my belief that both are needed as they deal with two different aspects of safety and here is why.

Root Cause Analysis

Dean Gano, the creator of the Apollo Root Cause Analysis method [2][3], goes back to St. Thomas Aquinas (13th Century Philosopher) to help us to understand the nature of cause and effect. Aquinas writes that the existence of potency (i.e. capability) cannot reduce itself to act. As an example, "the copper cannot become a statue by its own existence." For that to happen you need a sculptor to act on the copper to make it into a statue.
In other words, for an effect you need both a condition and an action. In fact, an effect needs a prior cause and that cause needs both a condition and an action and so on. This leads to the conclusion that a cause and an effect are the same thing. This distinction is an important one and one that is often lost when using other methods for attempting to discover the "rootiness" of a cause.

The point that I would like to highlight is that at every branch (see previous Figure) in the analysis you always have at least one condition and one action. A condition by itself is not enough and neither is an action. This is where the two schools of safety come in. Without the presence of a risky condition (the focus of HOP) an adverse effect is less likely to occur no matter what the action might be (of course there are exceptions). Similarly, risky actions will not be a problem if there are no risky conditions. You cannot have an explosion without bringing an ignition source (the action) into the presence of a flammable gas (the condition).

The consideration of both actions and conditions is helpful to understand why we might need both the benefits of an effective BBS based program to address behavior as well as a HOP based approach using systems and processes to create safer conditions. However, we cannot so neatly put everything into one of the camps or the other. The two towers need to work together. The Apollo Root Cause Analysis would have us look for a prior condition and action for every behavior and a prior condition and action for every condition. To put it another way, each camp needs to be resident in both towers.

Perhaps this might suggest that the two towers might indeed become one and using methods like the Apollo Root Cause Analysis might help to integrate the two schools of thought. Until then, no matter what approach you choose, Be Safe, Act Safe.

Further reading:

1. Aurisicchio, Marco & Bracewell, Rob & Hooey, Becky. (2016). Rationale mapping and functional modelling enhanced root cause analysis. Safety Science. 85. 241-257. doi:10.1016/j.ssci.2015.12.022.
2. The Apollo Root Cause Analysis, https://www.apollorootcause.com/
3. RealityCharting, https://www.realitycharting.com/
4. Behaviour Based Safety, https://en.wikipedia.org/wiki/Behavior-based_safety
5. Safety and Performance Excellence: The Two Dimensions of Safety, https://www.ehstoday.com/safety-leadership/safety-and-performance-excellence-two-dimensional-safety
- Crossing the ethical chasm of data - a compliance perspective
"Compliance, in many ways, is about doing the right thing at the right time in the right way. Collecting evidentiary material is an important aspect in providing assurance, and for many companies, it is a way to improve compliance. This evidence often comes in the form of data and plenty of it. Companies measure, gather, and store data of all kinds and in increasing amounts. In fact, as companies continue their digital progression, the amount of data is expected to balloon. All this data will be analyzed, and patterns will be discovered. This will help in updating our system models and processes to make them more efficient. Recent advancements in artificial intelligence and machine learning will take this to even higher levels and discover patterns that we currently cannot see, and all of this can be used for improvement. However, even with these advancements, what this data will never be able to tell us is how things “ought” to be. In other words, data cannot be used to determine what is right." – Raimund Laqua Read the full article in the Sep/Oct 2018 Ethikos - Journal of Practical Business Ethics which you can download here . Copyright [2018] Lean Compliance Consulting, Copyright [2018] ethikos, a publication of the Society for Corporate Compliance and Ethics (SCCE), Copyright [2018] Compliance & Ethics Professional, a publication of the Society for Corporate Compliance and Ethics (SCCE).
- What Do We Mean By Risk?
Effectively managing risk is essential to every business. To achieve this, companies will typically have several programs to address different sources of risk such as: asset integrity, damage prevention, injury reduction, process safety, corporate risk, and others. All of these programs inherently serve to reduce risk to business, people, assets, and the environment. However, each program may differ in how it thinks about risk and how it should be addressed. This can lead to confusion when cross-functional teams are brought together to identify risk when changes are being considered.

It is common during organizational changes to bring various groups together to assess any new risks arising from the proposed changes. Far too often, these discussions are not as productive as they could be because of the definition each group has for risk. For example, to:

  - Engineers, risk is a hazard
  - Management, risk is about uncertainty on system objectives
  - Health and Safety, risk is a threat to personnel
  - Finance, risk is a threat to return on investment
  - Project Managers, risks are threats to schedule, cost, and quality

In addition, in recent years, regulators and standards organizations have started using broader definitions for risk beyond just simply referring to hazards. These different views of risk can lead to uncertainty concerning what assessment tools to use, how risks should be treated, and the controls and measures that need to be in place.

For example, to those involved with process safety, risks are tightly connected to hazards. If you remove the hazard, you remove the risk. So the discussions tend to focus on hazard identification and barriers. However, this technique does not have parallels when considering impacts arising from organizational changes, cyber threats, and other sources of risk. For the latter, there are other techniques that need to be used to identify and address risk.
To help reduce confusion when discussing risk it is helpful to use the same definition for risk. Using a consistent risk framework, and specifically a consistent definition of risk, across compliance programs can help ensure that risks are adequately identified and treated. The ISO 31000 risk management framework offers a definition for risk that can be used across multiple risk domains. This definition focuses on the effects rather than the chance that a risk will occur:

With some work, compliance programs can be re-framed using this definition (or one similar to it) to provide a consistent vocabulary for talking about risk. Over time, this change will improve the outcomes of risk identification discussions, minimize the misapplication of risk assessments and treatments, and bring greater clarity as to the level of risk contained in corporate risk registers.

Plan-Do-Check-Act Questions:

  - In what ways have different meanings of risk affected your compliance programs?
  - How would your risk program benefit from using a common risk framework?
  - What step could be taken to increase the effectiveness of risk management within your organization?
- How do you change culture?
There is much discussion these days about the need to create an improved safety culture particularly in high-risk, highly-regulated sectors. The question is how do you do this? According to Dr. Jordan B. Peterson, professor of Psychology at the University of Toronto and clinical psychologist, "Culture is the remnant of our actions." Therefore, if you want to change your culture the place to start is by changing your actions.
- How to Transform Culture
Culture is difficult to define and hard to measure, but without the right one a company cannot succeed. A common definition for culture as it applies to businesses is: "Corporate culture refers to the beliefs and behaviors that determine how a company's employees and management interact and handle outside business transactions. Often, corporate culture is implied, not expressly defined, and develops organically over time from the cumulative traits of the people the company hires."

Peter Drucker's well-known statement, "Culture eats strategy for breakfast," captures the importance of culture extremely well. Culture reinforces what is valuable and acts as a filter (i.e. eats up) to keep out what is not valued. No wonder that when it comes to transforming a business it is important to start with culture transformation. But how do you do this? Do you start with changing paradigms and beliefs or with behavior and actions?

When you look at the success of LEAN in transforming businesses, the answer appears to be that you need to do both at the same time. LEAN is a set of beliefs based on respect for people, although it is also a set of practices reinforced by tools and methods. However, what sets it apart is its focus on continuous improvement of both processes and people. LEAN introduces the role of "coach" whose primary function is as an agent for cultural change, which may seem surprising to some. However, challenging paradigms and beliefs is the key to LEAN's success. Improvement initiatives become the vehicle not only for cycle time reduction or the elimination of waste, but also for changes to beliefs, biases, and behaviors.

Companies that have adopted this approach find that LEAN is a powerful mechanism for transforming culture. These same principles can and are being used to transform compliance culture to advance quality, safety, environmental and regulatory compliance outcomes. Almost all compliance programs and standards include the need for continuous improvement.
However, this is not the last step after all the compliance gaps have been addressed, common among improvement roadmaps. Instead, it is the first step and the means of changing culture to realign, reinforce, and sustain the values that really matter.
- Integrity (doing what you say) is a measure of uncertainty.
Saying what you will do and doing what you say is essential for organizations where staying between the lines is critical to mission success. If you want to lower your risks you need to foster a culture of integrity across all levels of your organization. For compliance, integrity is manifested when organizations take ownership of all their obligations and hold themselves accountable to them.

Saying what you will do requires that you first know what your obligations are. This means taking inventory of both regulatory requirements and voluntary commitments. Companies must then set appropriate organizational outcomes, targets, and goals commensurate with their level of commitment and operational risk. The way that companies say what they will do is by documenting their promises, usually in the form of policy.

To be effective, policies must be put into practice. This is demonstrated when organizations operationalize their promises by embedding compliance objectives into programs, systems, processes, and procedures. You can call this compliance-by-design but it is really just ensuring that you do what you say.

This is still not enough. Organizations must also hold themselves accountable. In fact, they must regulate themselves to provide assurance that they meet their obligations today and will meet them in future. Sustainability is the goal and integrity is the means. This involves continually evaluating performance and effectiveness of risk & compliance programs.

Culture is a remnant of our actions. Organizations that continually say what they will do and do what they say will build and strengthen a culture of integrity.
- Seeing Compliance as a Whole
When it comes to compliance many believe that it all comes down to integrity. When it comes to integrity, according to Dr. Henry Cloud, it all comes down to being whole. Dr. Henry Cloud in his book, "Integrity", suggests that a person of integrity is a person of balanced integration of all that character affords. In his book he explores six qualities of character that define integrity:

  - The ability to connect authentically
  - The ability to be oriented towards the truth
  - The ability to work in a way to get results and finishes well
  - The ability to embrace, engage, and deal with the negative
  - The ability to be oriented towards growth
  - The ability to be transcendent

If people are able to perform well in these areas good results are inevitable. However, as Dr. Cloud reminds us, "integration of all the parts is key." The opposite of integration is compartmentalization or reductionism. This means that a part of you is operating without the benefits of the other parts, and that usually doesn't end well. When one part of our character is preferred over the others we become "unbalanced" or "misaligned." We have all heard the phrase, "he is just too trusting to be of any good." What we mean by this is that the person trusts too much and is possibly ignoring reality or negative signals. The trust ability has become corrupted and, in many ways and ironically, "cannot be trusted."

Considering integrity as a whole – an integration of the parts – not only applies for people who desire to live lives of integrity, it also applies to the use of compliance programs intended to keep an organization aligned with their mission, vision and values. Compliance programs and systems need to operate as a whole – an integration of its parts – if good results are to become inevitable. Unfortunately, for many organizations, compliance is seen only as one part that is "internal audit."
Very little is done to develop other essential capabilities needed to continuously keep organizations between the lines towards mission success. This results all too often in an increasing non-conformance debt leaving a wake of missteps, failure, and possible ruin rather than a wake of good results.

Dr. Cloud subtitles his book on integrity, "the courage to meet the demands of reality." You could say that this is a good subtitle for all people, organizations and communities that operate with integrity. They are the ones who are facing reality, one aspect of which includes that their parts need to operate as a whole. Each part contributing to and keeping each other balanced and on course.

We can take Dr. Cloud's character qualities for integrity and adapt them to compliance where characteristics of effective compliance programs would include the following all working together:

  - The ability to connect authentically with stakeholders which leads to trust.
  - The ability to be oriented towards the truth which leads to focusing on what really matters.
  - The ability to work in a way to continuously achieve better outcomes which leads to a reduction of harm, improved reputation, and increased stakeholder value.
  - The ability to embrace the negative which leads to improving the certainty of mission success.
  - The ability to be oriented towards growth which leads to an increase in the things that are valued by all stakeholders.
  - The ability to understand that it is only one part of a larger whole which leads to an integrated system.

The gaps we find are the opportunities for growth. The good news is that these gaps can be developed and improved over time. We often refer to this growth as "capability maturity" when it applies to systems or just "maturity" when it refers to you and me. Maturing is something that we all need to continue doing because we all know we are not yet all that we can or need to be and this is true for compliance systems as well.
- How Do We Manage Cyber Safety?
In this blog article we continue to explore the topic of cyber security or more rightly cyber safety. Cyber security mostly refers to protection from hostile forces which is a critical aspect of keeping what we value safe. However, it does not go far enough: cyber security must also protect against failure, breakage, or accidents. It must maintain a state of safety – the condition of being protected from harm or non-desirable outcomes – which is what a managed cyber safety program does.

A Managed Cyber Safety Program

A managed safety program is an implementation of what is referred to as a "Safety II" approach with a focus on outcomes but may also incorporate attention to behaviors and activities as found in "Safety I". A managed cyber safety program will answer the following questions:

  - What do we need to keep safe?
  - What are the effects of uncertainty on safety objectives?
  - What threatens safety?
  - What and how strong do defenses need to be to achieve safety objectives?
  - How do we maintain the performance of your defenses?
  - How do we continuously improve effectiveness?

Answers to these questions form the context for the implementation of a managed safety system or Cyber SMS.

To meet objectives of a managed cyber safety program we need a means of protection which we call "security" when it addresses hostile forces. In general terms, these are risk controls and measures. The level of protection is roughly speaking equal to the safeguards or margins that buffer us from the effects of the threats should they occur. The greater the effects, the greater the margin or buffers need to be. We call this "irreducible uncertainty." We can't reduce the threat from occurring, so we are left with creating a wall (safeguard) or at least buying insurance to address its effects.
However, there is another kind of uncertainty, "reducible uncertainty", which we can buy down by improving our knowledge, our models, and our measures to prevent threats from occurring in the first place or minimize their effects should they manifest themselves.

A managed cyber safety program will effectively address both kinds of uncertainty. It will safeguard against irreducible risk and buy down reducible risk to provide the necessary total protection needed to keep what we value safe. It does this through a business-like approach that uses a systematic, explicit and comprehensive process for managing safety risk. This is reinforced by a risk-based culture where risk is viewed as something to optimize rather than ignore.

Now, how is a managed cyber safety program implemented and managed? It's important to point out that many companies will most likely be doing many of the activities involved to manage cyber safety. Every company has a cybersecurity program; some are more effective than others. A managed cyber safety system will help you to coordinate your efforts more efficiently and effectively to ensure the safety outcomes that you have targeted are achieved and the undesirable outcomes are avoided. And that's a good thing. And that’s what we want.

Cyber safety is not only a technical problem; it is a business problem that requires a business solution. A managed cyber safety system will therefore coordinate and manage two kinds of processes:

  - Technical processes - are risk measures used to contend with threats, vulnerabilities, and risk. These are the controls to prevent or recover from threats to safety.
  - Management processes - coordinate these controls, their performance, and their effectiveness at achieving a targeted level of safety.

Both of these types of processes are needed to establish effective layers of defense, and any weakness in either will create an opportunity for a breach.
Many companies invest in traditional cyber security which focuses on technology and equipment such as: firewalls, VPNs, networks, software and so on. All of these are needed, but how much, and how well do they need to perform, and how effective do they need to be to achieve your cyber safety objectives?

It is reported that 75% of companies do not measure the effectiveness of their compliance programs. This means that most companies do not know if their efforts are helping to prevent a breach or increasing the certainty of one happening. Companies that are effective at achieving their cyber safety outcomes will have the essential management processes to ensure safety is achieved, consistently, and that it improves over time to address new uncertainties and risks as we are now experiencing with COVID-19.

In our next blog article we will look into a selection of the guidelines, standards, and frameworks available to help organizations realize their cyber safety goals.
- Is Compliance Asking The Right Question?
Instead of in or out, the question should be how close and which direction are we heading.

Organizations are periodically asked to attest to their compliance. The question usually boils down to a simple one: "Are you in or out of compliance?" The answer expected and often given is something like this, “Of course, we are fully compliant with all applicable laws, regulations & standards, and internal policies as far as we know.” This will, of course, be verified by internal and external audits. The answer may be true for the most part but perhaps not as useful as it could be.

Organizations might be in compliance today or at the time of their last audit. But tomorrow a misstep may find them off-side. In fact they may have been heading off-side for some time but were not paying attention. Single point evaluations are poor predictors of risk. What organizations don’t know is how close they are to stepping over the edge and, as importantly, if they are heading closer or farther away from that edge.

Where staying between the lines is mission critical, risk and compliance programs, to be operational, must provide credible answers to these questions:

  - How close are we to an incident occurring?
  - Are we moving closer or farther away from that point?

These would be considered as measures of assurance. Unfortunately, most organizations don't consider risk exposure in their decision making and so don't expect it from their risk and compliance programs. No wonder everyone is surprised when an incident occurs. Successful organizations, however, will expect more from their programs and ensure that they get the answers they need to keep the organization between the lines today and every day they choose to operate.
- Applying DOE Risk Handling Strategies to Obligations
Evaluating risk is important but handling risk is better. To meet obligations requires contending with threats as well as opportunities. Deciding how best to handle these may well make the difference between staying between the lines or crashing through a guard rail. Unfortunately, many organizations jump from obligation to risk controls and skip the step of deciding which risk handling strategy to use.

In this post we explore the application of the US Department of Energy (DOE)’s risk handling strategies as defined in the DOE G 413.3-7A – Risk Management Guide to help meet obligations. While this guideline is directed towards projects the same principles can be applied to meeting an obligation – a project in its own right – particularly when obligations include targets to achieve net-zero emissions by 2050.

Risk Handling

Risk handling covers various strategies to contend with uncertainty. After obligations have been identified, risks have been evaluated, uncertainty estimated, and consequences determined, a decision needs to be made on how best to handle the risk. The first step is to choose a strategy which the DOE Risk Management Guide suggests include: acceptance, avoidance, exploit, mitigative, enhance, transfer and share. Let’s unpack each one.

Acceptance

Acceptance of risk means that it is acknowledged without measures to address the risk. The organization accepts both the positive and negative effects of the uncertainty left untreated, using ISO 31000 terminology. This strategy is often chosen when the risk is irreducible or no other means are feasible to buy down risk. In this case, it is assumed the risk will occur and the loss is included in the overall contingency fund or management reserve.

Acceptance is not the same as ignoring the risk. Risk is ignored when it is not identified and/or costs are not accounted for in management reserve. Ignoring risk amounts to hoping for the best but NOT preparing for the worst, which is the same as gambling.
For opportunities, instead of accounting for the cost in a management reserve the benefit is identified (in an outcomes register) and monitored. If the opportunity happens then further action may be taken to leverage the opportunity further.

Avoidance / Exploit

Avoidance is a risk handling strategy used when organizations are risk averse or if the risk cannot be tolerated. This strategy is accomplished by introducing measures to eliminate / prevent the potential threat from occurring. For opportunities, risk handling introduces exploitive measures to increase the probability of the event happening. In both cases, the focus is on ensuring that the uncertainty is removed and the opportunity definitely happens and the threat definitely doesn’t. In other words, eliminate the uncertainty / hazard; eliminate the risk.

Mitigation / Enhance

Mitigation is a risk handling strategy to reduce the likelihood of occurrence of an identified negative impact (i.e. consequence) for a threat. The goal of mitigation is to reduce the risk to an acceptable level (e.g. ALARP, etc.). The rule for mitigation is not to spend more on the mitigation than what the risk event would cost if it occurred.

Enhancement is used for opportunities to increase the positive impact or benefit or reinforce the conditions that trigger it. The rule for enhancement is not to spend more on the enhancement costs than the benefits realized from the opportunity.

Transfer / Share

Transferring risk in most cases involves the purchase of insurance as the transference of the risk. This transfers the cost of the effects and distributes it across a larger group. This strategy does not help you meet the obligation. It only helps address the cost of non-conformance provided that you can get coverage.

Risk that is shared refers to positive consequences (i.e. benefits). Those that share the risks share in the benefits. For example, achieving safety compliance creates benefits that are shared across an organization.
Applying Risk Handling to Obligations

The best strategy to contend with risk may well be not to accept the obligation in the first place. However, if an organization accepts an obligation it must contend with the associated risk. If the obligation must be met, either by regulation or internally imposed, then an organization should do what it can to improve the probability that it meets the obligation. When deciding on which risk handling approach to take the following should be considered:

1. Is the obligation mandatory or voluntary? Mandatory obligations are often considered as necessary to avoid fines, and other effects of non-conformance. These may require a higher degree of rigour as the effects may be more immediate and may lead to loss of a license to operate. However, voluntary obligations tend to be seen as investments and measured against a ROI. One might be more inclined to accept an opportunity risk without introducing any enhancement or exploitive measures. The risk tolerance for voluntary obligations is usually higher than mandatory ones.

2. Is meeting the obligation necessary for meeting another obligation? To avoid a cascading or propagation of risk, similar strategies should be used to avoid weaknesses in the compliance chain. Obligations should consider risk handling strategies used by dependent obligations so that they do not become the weakest link.

3. Do the benefits outweigh the costs? The cost of the handling should be commensurate with the cost of the risk. This evaluation may position some strategies as too expensive compared with the loss or benefit anticipated.

4. Is the risk handling strategy feasible? Deciding on a risk handling strategy is necessary, but so is having feasible measures available to implement. It is best not to rely on the invention of new technologies to handle critical uncertainties. The lack of available risk measures may demand choosing a different risk handling strategy.

5. How effective is the risk handling strategy? Risk measures may be available and feasible, but not effective enough to buy down risk below the risk tolerance level. This may require additional strategies to contend with the residual risk. In DOE terms this means promoting the residual risk to the primary risk category along with the inherent risk. Evaluating the effectiveness of a selected risk strategy is necessary to knowing how much residual risk is left, which in turn needs to be handled.

6. How long does the obligation last? Obligations typically have a long life-cycle which means the effectiveness of risk measures should be monitored continuously and adjusted when necessary. To help with this the decision of risk handling strategy should be captured in the obligations-risk register along with other obligation and risk information to provide context for the risk controls. If over the course of the obligation's life-cycle the chosen strategy does not perform as specified, improvements may be required. In some cases, a different risk handling strategy may be needed. If the obligation is retired then the corresponding controls may be decommissioned if not needed by another obligation.

Conclusion

As regulations continue to expand to include outcome and performance-based designs, choosing the best risk handling strategies will become increasingly important. This reflects the growing shift of risk being transferred or shared by regulators with industry and individual companies. The DOE guidelines provide a robust framework for managing project risk that can be applied to compliance to improve the probability of meeting obligations. At a minimum it will help organizations know why risk controls have been chosen so they can better evaluate their effectiveness and make adjustments when and if necessary.
- Micro Learning Series - 2022
Registration is now CLOSED

Why is this training needed?

Over the last decade, regulators have started to modernize their programs to become more risk-based, moving towards performance and outcome-based designs. The new compliance landscape requires organizations to take a proactive and systems approach instead of the prevailing reactive and siloed approach to compliance. Unfortunately, many organizations are unable to keep up and are falling behind. Adopting the new mindset along with the necessary skills takes time, which many find they don't have.

That's why we are offering this micro learning series. We have designed each module in bite-sized portions. By spending just 1 hour a week over 15 weeks, you will gain knowledge and skills to meet the demands of this new compliance landscape. Each module focuses on an essential principle for effective compliance:

1. Develop systems that always keep you in compliance
2. Continuously improve your compliance capabilities and effectiveness
3. Improve the probability of meeting all your obligations

These modules are designed for practitioners across all risk & compliance domains to improve their knowledge and skills. Each module consists of: 5 one-hour "HOW-TO" sessions (40-minute instruction with worked examples / 20-minute Q&A); worksheets and reference materials; a quiz (optional); and a certificate after successfully completing all quizzes in the module.

Sessions will be hands-on, conducted over Zoom on Tuesdays @ 1:00-2:00pm (EDT) following the schedule below. Each session will be recorded and available to participants. Price is $300 (CAD) per module or $750 (CAD) for all three. We encourage you to take advantage of this opportunity to improve your knowledge and skills. The first module starts April 5th, so register today.

SYSTEMS MODULE - "Keep it Green"

In this module you will learn tools & techniques to always stay in compliance. We start with classifying obligations, followed by identifying goals and objectives, defining measures for success, and establishing actionable metrics to keep you between the lines.

DATE | SESSION | TOPIC
Tuesday, April 5, 2022 | SYSTEMS-1 | Module Overview - concepts and principles
Tuesday, April 12, 2022 | SYSTEMS-2 | How to define and classify obligations
Tuesday, April 19, 2022 | SYSTEMS-3 | How to define compliance outcomes, objectives and targets
Tuesday, April 26, 2022 | SYSTEMS-4 | How to define measures of conformance, performance, and effectiveness
Tuesday, May 3, 2022 | SYSTEMS-5 | How to define leading / lagging indicators and actions for compliance

LEAN MODULE - "Keep it Lean"

In this module you will learn how to apply Lean tools & techniques to continuously improve your compliance at the process, systems, and program levels.

DATE | SESSION | TOPIC
Tuesday, May 17, 2022 | LEAN-1 | Module Overview - concepts and principles
Tuesday, May 24, 2022 | LEAN-2 | How to use Lean 5M to identify areas for improvement
Tuesday, May 31, 2022 | LEAN-3 | How to use Lean A3 to conduct compliance improvements
Tuesday, June 7, 2022 | LEAN-4 | How to use Lean X-Matrix to stay on course
Tuesday, June 14, 2022 | LEAN-5 | How to use Lean Startup to achieve operational compliance

RISK MODULE - "Keep it Certain"

In this module you will learn how to improve the probability of keeping all your promises by contending with uncertainty.

DATE | SESSION | TOPIC
Tuesday, June 28, 2022 | RISK-1 | Module Overview - concepts and principles
Tuesday, July 5, 2022 | RISK-2 | How to evaluate compliance risk
Tuesday, July 12, 2022 | RISK-3 | How to identify risk measures and controls using bow-tie analysis
Tuesday, July 19, 2022 | RISK-4 | How to track compliance risk using risk scores
Tuesday, July 26, 2022 | RISK-5 | How to manage risk due to regulatory change











