SEARCH

"Pipeline process management includes determination of needs throughout the pipeline life-cycle, provision of sufficient human and financial resources, identification of the proper sequence of a series of activities, monitoring and measuring the effectiveness of the activities performed, and applying changes or corrections to those activities as needed. " – API RP 1173 Managing the Safety of Complex Processes API RP 1173 is a recommended practice introduced by the American Petroleum Institute that defines requirements for a holistic approach to pipeline safety. Companies that adopt these requirements can improve their safety efforts and achieve greater levels of safety performance. To accomplish this, companies must first define their obligations before they can successfully implement their pipeline safety system. The goal for API RP 1173 is not to implement all aspects of the practice but rather to use it as a framework on which to build or review a safety program to determine how better to achieve safety objectives (i.e. zero incidents). There are several aspects of this framework that makes a traditional check-box approach to compliance ineffective. In fact, it is the wrong way to look at applying this practice. Here are three key characteristics of API RP 1173 that companies should keep in mind: 1. API RP 1173 is a recommended practice API RP 1173 requirements are not mandatory nor are they the full extent of what a pipeline safety program should do. Each company needs to determine what they want their safety program to accomplish and to what extent API RP 1173 will be used and if other practices or standards should also be adopted. "In all cases, operators are intended to have the flexibility to apply this RP as appropriate to their specific circumstances" – API RP 1173 2. API RP 1173 is performance-based API RP 1173 is not prescriptive in terms of how requirements should be met and in some cases what needs to be accomplished. At a minimum, it is up to each company to determine the "how" necessary to achieve the goals and objectives of their pipeline safety program. As the practice is a framework, each implementation may look different in the details from one company to the next. Several of the approaches I have seen use a gap analysis as part of the implementation process. This is common particularly when dealing with prescriptive standards. However, API RP 1173 is not prescriptive so it creates a challenge for those that are looking for a simple check-box approach to compliance. This may result in adding prescriptive requirements so that there is something to be assessed. While prescription may be necessary, there can and often is a significant difference between what is prescribed and the obligations themselves. They are not one and the same. Instead, companies need to separate the "ends" from the "means" with their implementations. This distinction is critical and affects how audits should be conducted to assess compliance. It is common for performance-based standards to separate those things that verify the means from those that validate the ends (i.e. outcomes). An effective safety program will do both. 3. API RP 1173 is risk-based Safety programs are often described as being all about risk reduction and you could say the same about API RP 1173. However, it also means using a risk-based approach to achieving safety outcomes given that there are limited funds, resources, and time to accomplish the goals. Tailoring the means by which safety is done while at the same time coordinating efforts to address systemic risk is one of the hallmarks of API RP 1173. Using a risk-based approach to identify the extent of this tailoring is an effective strategy that is gaining traction as better way to establish compliance objectives. Build your safety program on obligations instead of requirements All of the reasons previously stated contribute to why it is first necessary for companies to identify and define their obligations. This will help ensure that appropriate levels of effort are directed to meeting each obligation. In addition, it allows the means by which they are met to improve and mature over time which is recommended by API RP 1173. The following steps are well suited for companies who are looking to establish their API RP 1173 compliance obligations: Document the context and expectations for each obligation Define what constitutes evidence of compliance Define how progress against outcomes will be measured Identify what standard will be used to establish normative processes (ex. ISO 9001:2015, ISO 31000, internally defined, etc.) Identify what is needed (structure, resources, technology, culture, etc.) by the organization to achieve the desired outcomes Identify and evaluate risks (both threats and opportunities) for each obligation Embed obligations, controls, and risk treatment into compliance programs, systems and processes The output from these steps can be used as input to create a compliance map to help steer the API RP 1173 program. Instead of the typical compliance map that looks like this: you will end up with an obligations-based compliance map that looks like this: This may appear to be a subtle and insignificant difference in approaches, however, this is far from the truth. An obligation-based compliance map is focused on identifying and meeting obligations. These are commitments that management makes and it is these commitments that are used to determine the means by which outcomes are achieved. Compliance is built into the means and verified through measures of: effectiveness (MoE), compliance (MoC), and performance (MoP). This affords companies the ability to be certain of their compliance and their capacity to always stay in compliance. Whereas, the previous approach is a remnant of prescriptive-based compliance focused on audits where for the most part documents and records substitute for evidence of compliance. It is well understood (yet not often heeded) that you can have a documented procedure that is not being followed or is ineffective at achieving the outcomes of the program. The only thing you do know is that you met the requirement to have a procedure and this is the crux of the matter. Compliance to prescriptive requirements while important is no substitute for programs that continually advance compliance outcome by maturing capabilities. #APIRP1173 #ManagementofChange #PipelineSafetySystem #ObligationsbasedComplianceMap

I have spent most of my career building information and management systems in support of engineering, compliance, and mission critical processes for highly regulated, high risk companies. In many cases, these systems were deployed following a process which would roughly follow these steps: Create a project team Identify requirements Select technology Implement system Train Users Disband project team After these steps were done the system would move into "maintenance mode" as is typical for other equipment in the organization. For that is how management and information systems were considered – as equipment. The thought of improving the capabilities of a system after it had been installed did not cross anyone's mind. The only thing that did was to make sure the system remained operational and continued to perform according to how it was originally designed. When the system could no longer do that it would be replaced. In some circles this is called, "run to fail" and fail they always did for all kinds of reasons that included the effects of: Changes in compliance requirements Lack of training Lack of support Changes in technology Changes in leadership priorities Changes in organizational structure Business process changes Changes in culture Improvements were few and far between and were seldom able to keep up. You might patch the software, upgrade the hardware, or even move to the cloud but eventually the system would need to be replaced. Improvement of the system might then be entertained. However, what I have observed is that even then improvement did not always come for the following reasons: The people who knew how things worked no longer work for the company The constraints of the old technology would became "requirements" for the new technology which would mostly negate any improvement Moving to the "cloud" and cost reduction would be a higher priority than improving system effectiveness Different leadership would have different priorities Run to fail created an urgent response instead of a planned one with sufficient time to consider options Resistance to change (what we did in the past is good enough for the future) And many other reasons ... When it comes to quality, safety, environmental, and regulatory systems where the goal is to reach a certain level of performance over time it is no wonder that one of the contributors to lack of overall progress is due to the effects of a "run to fail" or "set and forget" mode of system operations. The phrase, "two steps forward, three steps back" comes to mind and aptly describes the current state of many systems in place today. Continuous improvement and maturity of capabilities is extremely difficult when a system is thrown out and replaced every 3-5 years and always starting over. As compliance is now heading towards performance and outcome based standards the way in which systems operate must change to a new mode of operation. This new way of managing systems requires the ability to improve on a continuous basis but as importantly the ability to steer which is what compliance governance is responsible for and the function of a compliance program. The steering function must continually adjust system capabilities to achieve increasing and changing standards either from mandatory or voluntary obligations. Governance is what proactively drives this continuous improvement. It is important to note that this differs from continuous improvement at the process level which tends to focus on cost reduction by eliminating waste and improving efficiencies. While this is better than re-actively addressing non-conformance its purpose is still to improve consistency against current standards. Whereas, improvement at the system level directed by a compliance program focuses on advancing capabilities to advance overall outcomes: A compliance program is fundamentally a system in its own right consisting of proactive processes that anticipates, plans, and acts to improve compliance outcomes. An effective compliance program will steer the continuous improvement of processes, technology, and people so as to increase the probability that outcomes will be advanced. This is very different than the "run to fail" and "set and forget" mode of operations that assume that compliance obligations are mostly prescriptive and never change. In a world measured by the continuous increase in value, compliance must also be continuous and advancing in capabilities to keep up. This changes the role of governance away from "run to fail" and "set and forget" to one that proactively steers towards better outcomes. Instead of two steps forward three steps back, compliance governance needs to always be steps forward.

" Proactivity is a process that can be applied to any set of actions through anticipating, planning, and striving to have an impact." ​ Source: Research in Organizational Behavior, "The dynamics of proactivity at work", Adam Grant, Susan Ashford To help meet your quality, safety, environmental, and regulatory compliance objectives being proactive is essential and best done by incorporating feed-forward processes between functions as well as implementing learn / improve cycles in your feed-back path. These become proactive mechanisms when used to achieve goal-directed objectives where progress is made over time by advancing process capabilities not by conformance to prescriptive requirements.

Many companies run out of time, money, and motivation before results are achieved and outcomes are improved. This is often the case when it comes to adopting managed safety, quality, environmental and regulatory systems. Traditional component-first approaches fail to deliver an operational system on which real improvement in outcomes can occur. The good news is there is a better way.  Read more here

When it comes to systems the goals we choose greatly affect the outcomes that are obtained. This is particularly true when it comes to the goals of feedback processes those used for correcting or reinforcing behaviors. When these goals are ill defined, the system will faithfully continue to produce a result, however, it may not be the one intended or wanted. Donella H. Meadows, in her book "Thinking in Systems" provides an illustrative example: The Goal of Sailboat Design Once upon a time, people raced sailboats not for millions of dollars or for national glory, but just for the fun of it. They raced the boats they already had for normal purposes, boats that were designed for fishing, or transporting goods, or sailing around on weekends. It quickly was observed that races are more interesting if the competitors are roughly equal in speed and maneuverability. So rules evolved, that defined various classes of boat by length, and sail area and other parameters, and that restricted races to competitors of the same class. Soon boats were designed not for normal sailing, but for winning races within the categories defined by the rules. They squeezed the last possible burst of speed out of a square inch of sail, or the lightest possible load out of a standard-sized rudder. These boats were strange-looking and strange-handling, not at all the sort of boat you would want to take out fishing or for a Sunday sail. As the races became more serious, the rules became stricter and the boat designs more bizarre. Now racing sailboats were extremely fast, highly responsive, and nearly unseaworthy. They need athletic and expert crews to manage them. No one would think of using an America's Cup yacht for any purpose other than racing within the rules. The boats are so optimized around the present rules that they have lost all resilience. Any change in the rules would render them useless. Meadows suggests a way out of the trap of seeking the wrong goal: "Specify indicators and goals that reflect the real welfare of the system. Be careful not to confuse effort with result or you will end up with a system that is producing effort, not result." These principles are not new, although they are easily forgotten and something we must always be reminded of. This can be seen by the number of companies that define their indicators and goals mostly by counting the things they are doing (i.e. measures of effort) without evaluating the effects of these efforts (i.e. measures of effectiveness). Many companies have created policies to optimize the production of numbers which when it comes to compliance looks something like this: The number of compliance issues open The number of hours of training per employee The number of internal audits completed on-time The percentage of outstanding post-audit issues The number of complaints And so on. As a result, companies have become experts (or now require hiring them) to support the business of auditing rather than the business of meeting obligations. They have created the equivalent of an America's Cup yacht optimized for one purpose - winning the audit game within the rules they have created. The compliance function is now so optimized around passing audits that it is unable to adapt to changes in regulations from prescriptive to performance and outcome-based designs. Compliance has created a high-performing yacht to win a race, but not the race that now matters. #systemsthinking

When it comes to business, life, and of course compliance, there are dragons that come across our path that cannot or should not be avoided and instead must be faced head on. Dragons may appear first from a distance and when viewed from afar may appear more or less dangerous than they really are. Until the threat arrives we have time to improve our vision to understand its nature and devise strategies to successfully contend with it. Most threats are a manifestation of uncertainty which is the root cause of risk (ISO 31000). This uncertainty may come in different forms the most common of which are aleatory uncertainty, having to do with randomness, and epistemic uncertainty, having to do with lack of knowledge. However, threats often will not be limited to either one but will consist of all forms of uncertainty in varying measures over time. When risk behaves mostly like aleatory uncertainty (random, chaotic, complex): Assume the threat is serious and its effects cannot be controlled. Accept that negative outcomes will happen. Treat uncertainty by using margins such as reserves, contingencies, insurance, savings, etc. Introduce broad level safeguards and life saving practices Goal is amelioration (to make better, to improve) When risk behaves mostly like epistemic uncertainty (lack of knowledge): Assume the threat is serious but its effects can be controlled if better understood. Accept that negative outcomes may happen Treat uncertainty by buying down risk Develop capabilities to increase knowledge of the threat and learn how to prevent or reduces its effects. Introduce targeted level safeguards and life saving practices Goal is mitigation (to reduce, lesson, or decrease) Although when it comes to uncertainty, nothing stays the same: The threat may change The effectiveness of measures may change Our understanding of the threat may change Conditions may change Therefore the path to certainty will seldom be a straight line which can be frustrating for some. As our knowledge of the threat increases and effectiveness of risk measures is better understood our path will necessarily change to focus on the uncertainty that remains. For this reason risk & compliance will always be a continuous endeavor, seldom a straight path but always working toward taming the dragon of uncertainty. More articles on dragons, uncertainty and risk can be found here

Everything happens in the presence of uncertainty, and this uncertainty creates the opportunity for risk.

When life is uncertain things are unclear, you don’t know what to expect, and you react to things when they happen. So you walk slowly, as if on-egg-shells, testing every step to make sure it is not a hole or the edge of a cliff. Life under uncertainty is a slow process. This is what it is like for many organizations with their compliance. They are uncertain of their obligations, they don’t know what to expect, and they react when non-conformance happens. So they create more rules to walk slowly, check every step to make sure that everything and everyone stays within the lines. Compliance under uncertainty is also a slow process. So how does one make progress and move faster? Some may decide to throw caution to wind and just press ahead hoping for the best. This happens in life and in compliance. This approach appeals to risk takers but perhaps those that like risk too much. Given a chance they will gamble their life and their companies away. All of these approaches fail to address the root cause which is the lack of knowledge or what is called epistemic uncertainty. If one wants to make progress it is important to contend with this uncertainty. This means identifying risk and then establishing measures to buy-it-down so that it doesn’t slow-you-down. If you want to stop compliance from slowing your business consider joining The Proactive Certainty Program™ . This program helps you move faster by reducing risk so you don’t have to walk as if on-egg-shells any more.

Compliance creates value by building trust when obligations are met and protects against the erosion of value when they are not. To achieve this compliance needs to operate as a business. It must create value, advance goals & objectives, and manage resources and systems to deliver a return on investment. ISO 19600 provides a framework to manage all your obligations under one governance system. It does this by establishing processes to identify, implement, evaluate, and maintain all mandatory and voluntary obligations covering: quality, safety, environment, security, regulatory, and other risk-based obligations. The goal of ISO 19600 is to promote compliance effectiveness. An important first step is establishing an obligations registry where you can manage: performance / outcome goals, threats & opportunities, controls, improvement objectives, and measures of compliance, performance and effectiveness. This will help you to know the status of your compliance, and as importantly, whether you have the capabilities you need to be effective at creating trust and protecting against loss.

Maximizing Business Value and Improving Strategy for Organizations and Teams All executives and senior management responsible for compliance will be well aware of how difficult it is to ensure that value creation is protected and progress is being made towards stakeholder objectives. These outcomes are often not well articulated and even when they are the means by which outcomes are achieved are usually not. Focus on effort over results is the name of the game while the board sits hoping for the best. Is there a better way to ensure outcomes are achieved? "It's a common trap to assume that outcomes are known and a mistake to place all emphasis on the outputs of work." – Alex Yakyma It is relatively easy to identify and manage outputs to ensure that they are on time, on budget, and on spec. This domain is well understand with vast amounts of knowledge, expertise, and practices to improve the certainty that outputs are created with a defect rate of 3.4 defects per million opportunities (i.e. six sigma). We are very good at doing this or at least know how to do it. However, when it comes to realizing outcomes this is not as easy and is often left to chance. Companies hope that their good intentions and hard work will produce the outcomes they are looking for. However, the road of good intentions often does not deliver what we want or what we need. Alex Yakyma in his book, "Pursuing Enterprise Outcomes" unpacks the nature of outcomes, how they are created, and how to improve the probability that you produce the outcomes you have targeted. This is a world that is not as well defined, often non-linear, and always in the presence of uncertainty. Yakyma provides a comprehensive framework that adds needed structure to this domain as presented in his book where he covers: The killer of Organizational performance How to Uncover Disconnects In Pursuit of Outcomes The Science and the Art of Probing The Mystery of Business Value Complex Bottlenecks and Emergent Solutions Strategy and Leverage Points Excerpts from the book: Complex tasks progress at the speed of managing unknowns. Doing the wrong work faster is false progress. For complex tasks, the ability to navigate is more important than velocity. Behaviours in a complex system can only emerge. Any attempt to "design" behaviour to match an expectation will only result in waste. To succeed with the ultimate outcome, all lower-level outcomes need to have owners who hold responsibility for the outcomes, not outputs. A disconnect anywhere in the outcome chain easily jeopardizes the ultimate outcome of the task. Outcomes provide meaning and structure to business value. Business value helps determine how effectively the outcomes are achieved. Strategy is the way in which system behaviour can be vectored toward a favourable outcome. What I like about this book: The concepts of outcome chains and connections, the emergence loop, and the nature of outcome uncertainty provide a solid structure to explore how to better advance outcomes. The author provides many good examples that help illustrate key concepts and principles. Every chapter has exercises that teams can work on to help reinforce learning and stimulate discussion. I highly recommend this book for anyone who is responsible for the creation of outcomes related to regulatory, safety, security, quality, environmental and operational objectives.

One of factors that hold companies back from improving their compliance is ambivalence; having mixed feelings or contradictory ideas about what goals to have and what approach to follow. This uncertainty contributes to the lack of motivation to act which is a significant cause for failing to achieve operational and effective compliance. Knowing where you are going Having somewhere positive to go to that is well articulated and realistic will help motivate change. We need to know what the pot of gold is that we are going after. However, all too often, we find that companies have vague ideas of what compliance should do and what the outcomes should be. The opposite is also common. Many companies are very specific and clear about their compliance destination. In fact they have already arrived as stated in their declaration that they are following all applicable laws and regulations. Where else is there to go when you believe that you are already there? What we need to understand is that the compliance landscape has changed and so has the destination and the measures to get there. Compliance has moved beyond prescriptive specifications to outcome and performance targets that requires continuous improvement and the effective management of risk. Compliance is not measured by whether you are comply or not but instead is measured by the level of certainty you have in achieving your compliance goals and objectives. As risk is never static continuous risk management is needed to keep companies operating between the lines in the presence of uncertainty. All of this changes the goals and objectives for compliance. Knowing what is behind Knowing where you are going is not enough to be properly motivated. You also need the motivation that comes from being aware of the danger of staying where you are. You need be aware of the dragon that is chasing you from behind as well as the the pot of gold that is in front of you to sustain proper motivation for change. The dragon facing companies these days are the effects that come from not addressing all their stakeholder obligations. These have a negative impact on mission success, reputation and ultimately trust. As a result, you may still be left with a regulatory licence to operate but you may not have a business that investors want to invest in or customers want to buy from. If ESG (Environmental, Social, and Governance) investing and the downstream impact on environmental programs continues to gain traction learning how to navigate the broader compliance landscape will be a decisive factor in avoiding the dragon that is behind. Knowing how to get there So how to you move from ambivalence to action? Here are three steps you can follow to improve and sustain your motivation: Describe what your compliance destination looks like in realistic and specific ways – the piece of heaven that you are striving for. Describe what your designation looks like if you don’t improve – the slice of hell that you want to avoid. Establish a program that continuously advances your business towards its destination and avoids the dangers of staying where you are. Making progress is a huge motivation for even more progress. Everyday is a chance to improve your compliance so let's not waste it.

When it comes to risk & compliance no one wants to be surprised. That’s why organizations put in place controls of various kinds to avoid them. While surprises are not desirable and cannot always be avoided there is something that can be far worse which is not being surprised at all. When something bad occurs it is not uncommon for someone to say, “I am not surprised that this happened.” Hearing this offers little comfort to those negatively impacted by the surprise. But why? When preventable incidents occur associated with safety, environmental, quality or regulatory objectives not acting when it was possible to do so is perhaps more concerning than the impact of inaction. Finding out that something could have been done and wasn't is often an indication of a failure in duty of care, negligence, or simply not caring at all. It is no wonder that we might feel anything other than comfort after hearing that someone was not surprised. To avoid the surprise of not being surprised organizations need to ensure that their risk management does more than just create a list of what might or could go wrong. They also need to act to create the outcomes that an organization wants and avoid the ones that it doesn't.