COMPLIANCE
- How to Make Compliance Soar
Compliance is often considered a hindrance more than a help. Many organizations believe that they might do better if they were less encumbered by having to meet obligations. The philosopher Immanuel Kant pondered the same kind of thing using the following metaphor: “The light dove, in free flight cutting through the air the resistance of which it feels, could get the idea that it could do even better in airless space.” Without the resistance of air to contend with, the dove thought it might soar higher. There is an art to flying. Too much drag or not enough resistance will prevent flight from occurring. However, removing the air altogether is removing what is essential for the dove to fly. It is the very act of contending with air that enables the dove to soar. The same might be said about compliance. It is through the process of meeting obligations that a business develops the art of compliance. Removing the need to meet obligations is removing what is essential for companies to achieve their goals. Without obligations to contend with, organizations would not get off the ground. Resistance is not always a hindrance. Resistance can be the very thing that strengthens our abilities. It helps the dove to fly higher and an organization to achieve higher standards. We know that when it comes to meeting safety, quality, and environmental obligations, it is by meeting standards that a company develops the capability to be safe, to create quality, and to reduce its impact on the environment. This is what vision zero objectives are all about. It is not the goals so much as the struggle to get closer to them that matters most. It is the striving that creates excellence, not in spite of these goals but because of them. Obligations are the air beneath an organization’s wings. They provide the resistance needed for flight. What does this mean for organizations that want to improve their compliance?
Perhaps, instead of trying to remove obligations or doing the minimum, invest in your people and processes to learn how to become excellent at the art of compliance. You may end up not only getting off the ground but you may actually start to soar.
- Mission Report: 3 Years Later
Over 3 years ago we launched Lean Compliance in response to the lack of sustainable compliance effectiveness across almost every sector, as organizations struggled primarily under the weight of existing and changing prescriptive regulations and standards. The compliance landscape was also starting to transform as regulators modernized their programs to become more risk-based and moved towards performance-based regulatory designs. While the impact of this transformation would ultimately reduce the weight of regulation, it would require different skills and a new mindset; something that many organizations did not have, or did not have time to learn. To navigate this new landscape companies would need to become more proactive, own their obligations, and commit to continual improvement. Instead of inspection and audit regimes as the trigger for improvement, companies would need to set obligation goals, measure progress, and manage risk. Performance rather than checkbox compliance would become the new mandate. However, organizations were too busy being reactive and fighting fires; they had little time to be proactive and for the most part didn't know how. Space also needed to be created for improvement to occur. This is where LEAN would help to eliminate waste and create capacity to escape the reactive uncertainty trap and allow companies to begin their journey towards proactive certainty of their compliance objectives and goals. This birthed The Proactive Certainty Program™, which we launched to effect our mission to help companies lift the weight of regulation and improve their compliance effectiveness in a sustainable way through continuous improvement over time. As our mission continued we quickly realized that not much had been written about effective compliance and specifically how performance and outcome-based obligations might be managed. So we started to do research and explored what this all might look like, which we wrote about in blog posts every week.
With every post (over 200 at this point), presentation, webinar, and consulting engagement we began to lay the foundation for Effective Compliance. We started at the source of the obligations and worked our way to the outcomes that companies committed to achieve. This resulted in the formulation of:
  - A regulatory classification model
  - An obligation taxonomy
  - The Compliance Value Chain
  - The Proactive Certainty Model™
  - The 10 Rules for Effective Compliance
  - A proactive accountability management framework
  - A proactive model for governance, risk and compliance (GRC)
  - Strategies to apply systems & risk-based thinking, and lean & performance management, to improve the probability of meeting obligations
  - A system of measures (effectiveness, performance and conformance) to help govern (i.e. steer) towards better outcomes
  - Digital strategies to improve the probability of mission success
  - Numerous other methods and practices
Many of the concepts and principles we presented were in the form of diagrams to help describe behaviors, relationships, and elements as we worked towards a comprehensive operational model to effectively manage obligations. Several of you have commented on how much you have benefited from the insights communicated in these diagrams and blog posts over the last three years. This has been instrumental in providing valuable feedback, which we have used to improve the utility of our models. This has been very satisfying for us and a source of much encouragement, for which we are truly grateful. It has been a fantastic journey so far but there is still much to do. We would love to help more companies escape the reactive uncertainty trap and realize the benefits that come from effective compliance programs. One of the things we are working on is compiling all our work and creating an Effective Compliance Handbook. We will keep folks posted as we get closer to publication.
If you want to launch your own mission towards effective compliance, consider our 12-week virtual boot camp. Through weekly coaching sessions we help you develop a detailed improvement roadmap for one of your compliance programs: quality, safety, security, environmental, regulatory, risk, process safety, or pipeline safety. To learn more contact us at bootcamp@leancompliance.ca (individual and team rates available). Continue to be safe and proactive.
- 2017 Compliance Program Survey
Help us better understand the state of compliance programs in your industry by participating in our 2017 Compliance Program Survey. This will take 10 minutes of your time, and by participating you will receive a copy of the final report. If you are involved with PSM, HSE, Security, Quality, Regulatory, IT / Cyber Security, or any other compliance program, we want to hear from you. Click here to take part in our survey. Thank you in advance for taking part to help advance compliance outcomes. #Survey
- Compliance Helps Companies Stay Within The Lines
Someone once asked the question, "why do cars have brakes?" The answer given was, "so they can go fast!" What brakes do for cars is what compliance does for companies. They allow companies to go fast by helping them stay between the lines. In recent years, many companies have invested significant effort in ways to help them go faster. Several strategies have been used, including Agile and LEAN techniques and methods. These approaches have functioned as an accelerator for business processes and have in many cases produced remarkable results. While a faster engine may help you to go fast, you also need a braking system that is just as capable. The faster you go, the better the brakes need to be. However, brakes are only one part of what makes a car effective and safe. A car also needs (among other things):
  - A driver to choose the destination and pilot the vehicle
  - A guidance system to identify optimal routes
  - Limits (speed, traffic lights, etc.) to keep everyone safe
  - Guard rails to minimize injury
  - Lines that tell us when we are off-side
Newer vehicles have the ability to tell drivers when they have crossed the line, when it is safe to make a lane change, and when they are no longer on course. Intelligent braking systems also keep cars from losing traction so they can safely slow down. However, getting to your destination safely requires more than these; it also depends on the skills and actions of the driver. When I first learned to drive we were taught what is still called "defensive driving skills." These were defined as "driving to save lives, time, and money, in spite of the conditions around you and the actions of others." Their aim was to reduce the risk of collision by anticipating dangerous situations. We practiced these skills until they became second nature. I have continued to use these skills ever since, and doing so has kept me and my family safe for over 30 years. This is what it means to be a good driver.
Not that you never have an accident, but rather that you have the skills and mindset to reach your destination safely. Just as we need drivers to be good, we also need companies to be the same. Strategies similar to "defensive driving" can be learned and applied to meeting and maintaining compliance. Unfortunately, many companies have only the equivalent of guard rails to let them know when they are off-side. They need to crash into a rail before they realize they crossed the line and lost control. This is what happens to those that only use audits to manage compliance. Audits are necessary but ineffective at protecting our businesses and keeping everyone safe. Drivers that practice defensive driving skills plan and act in such a way as to arrive at their destination on time and safely. It is not a choice between one or the other. Companies must also meet multiple goals with regard to compliance, whether they include safety, security, quality, environmental, financial or other goals. They do not need to sacrifice one for the other, and neither should they. This is what it means to take ownership of all your compliance obligations, which is necessary for companies to be ethical. The cybernetic law of Inevitable Ethical Inadequacy (introduced in a previous blog) states, “If you don’t specify that you require a secure ethical system, what you get is an insecure unethical system." Without including ethical goals in your systems, they will regulate away from being ethical towards other goals, predominantly financial and short term. We know that most companies want to be ethical, as stated in their mission and value statements where words such as integrity, respect, safety, quality, and social responsibility are often used. Unfortunately, many of these same companies use a reactive compliance model that was developed only to verify the integrity of financial statements and protect against fraud.
However, the dynamics of the systems needed to achieve non-financial goals are different and require proactive strategies that anticipate conditions, in the same way that we use defensive driving skills to anticipate dangerous situations. Next to audits, training is the predominant method used by companies to achieve compliance. This training tends to be technical in nature, similar to learning how to drive a car, and rarely includes "defensive skills." There are areas such as safety where defensive skills are taught and reinforced. However, for the most part, compliance for many is about checking off boxes to meet prescriptive standards. Companies can improve their compliance by teaching their workers defensive skills rather than only focusing on compliance actions. In addition to defensive skills, we can also consider greater degrees of automation and embedded compliance in our work processes. Current advancements in autonomous driving provide helpful insights into how automated compliance can work, with the understanding that we may never want full automation: compliance decisions are ethical in nature since they involve risk trade-offs, and that is something that cybernetics does not address. For example, safety involves making decisions that involve risk. Risk-based decisions, due to their inherent uncertainty, are in the category of ethical decisions that a company makes and cannot easily (or at all) be reduced to a set of rules. If the risk can be completely eliminated by removing the hazard, then rule-based decisions (the kinds that computers can do) might be appropriate. However, should the hazard remain and uncertainty persist, then the decision to proceed becomes an ethical choice, which is only something humans can do. In 2014, SAE International published their standard for driving automation (J3016) that defines six levels of autonomous driving (chart not reproduced here). This chart provides a means to compare against similar automation in compliance systems and processes.
What we find is that many companies are only operating at Level 0, as they provide little to no automation to assist workers in meeting compliance obligations. In fact, many do not even provide the equivalent of defensive skills training and only teach workers to follow prescribed steps. No wonder the effort applied to audits is so high and increasing. Levels 3 and above do not have a human monitoring the environment, and in the case of Levels 4 and 5 do not have a human to fall back on should highly ethical decisions need to be made. Therefore, these levels may not be suitable for compliance support, and arguably are not desirable for autonomous vehicles either. Nevertheless, partial automation and compliance assist systems are helpful in providing workers with greater visibility of compliance obligations, both in terms of objectives that need to be met and limits that need to be observed. Looking forward, companies that want to see more of their ethical values realized in their organizations will benefit from applying proactive strategies such as defensive skills to help workers better meet compliance obligations. In addition, increasing the level of automation while maintaining human accountability will provide greater and more immediate certainty of compliance and reduce the spiraling increase in, and dependence on, audits. It is better to know that you might cross a line so you have the opportunity to make course corrections. The alternative is hitting the guard rail and reading a police report that states the obvious. The first is proactive compliance; the latter is reactive compliance, which is preventable.
- Risk-Based Process Safety During Disruptive Times
The Center for Chemical Process Safety (CCPS) recently published a monograph that provides insights for managing Process Safety during the COVID-19 pandemic and other similar crises. It incorporates input from many CCPS member company representatives. It is organized by the RBPS elements, and the impact of human factors is addressed in multiple areas. The top three elements of highest importance are: Process Safety Culture, Asset Integrity & Reliability, and Management of Change. Occupational safety and health aspects are not the focus of this document. You can download this monograph using this link. CCPS has also published a BowTie analysis for COVID-19, which you can find here. #managedsafety #covid
- Continuous Value requires Continuous Compliance
Increasingly, companies are adopting continuous improvement driven by several methodologies, including LEAN and AGILE. However, the overarching driver is the desire to achieve continuous delivery of value. These approaches fundamentally change how a business operates and impact all aspects of the value chain, including the processes that support it such as productivity and compliance programs. Production processes have moved towards continuous flow by applying LEAN principles. IT has done the same by combining development and deployment (i.e. DevOps) to support continuous delivery. However, compliance for the most part has lagged behind and still functions using the old factory model, an audit-fix cycle which is too slow to keep up with continuous change. A major reason why companies have not taken a proactive approach to compliance is that they do not know exactly where they are going with their compliance. The lack of clear and concise goals makes it difficult to select strategies and to measure effectiveness. In fact, most companies do not even measure the cost of compliance. However, even knowing the cost, without goals you cannot know if you are over- or under-investing. To properly establish goals you need to first define your compliance obligations, and this means specifying:
  - outcomes - what you want to accomplish
  - objectives - how you intend to accomplish them
  - risks - what the threats and opportunities are to meeting objectives and achieving outcomes
  - critical to compliance - evidence of compliance
  - measures of performance - ability to achieve system objectives
  - measures of compliance - key compliance results or indicators critical to compliance success
  - measures of effectiveness - progress towards program outcomes
Compliance obligations serve to properly align programs, systems and processes, and make it possible to apply proactive strategies to continuously meet them.
Defining compliance obligations increases the certainty that compliance can be met and, just as importantly, that compliance outcomes are advanced on a continuous basis. Continuous value requires continuous improvement, which requires continuous compliance. #ContinuousImprovement #continuouscompliance
- 4 R's of Continuous Performance
The purpose of a compliance management system is to maintain state, which is achieved through consistency, reduction of variation, and achieving objectives. However, the purpose of a compliance management program is to change the state or condition with respect to compliance outcomes. This is achieved by adjusting the underlying systems to improve performance and maintain a higher standard. Continually advancing performance is required to meet "persistent achievement" obligations specified by performance / outcome-based regulations and standards. In order to continually advance quality, safety, environmental and regulatory outcomes there are 4 changes you must continually make:
  - Re-orient policies to support continual advancement of outcomes
  - Re-calibrate values to match the outcomes that will be achieved
  - Re-engineer systems to create the capabilities needed to reach new performance targets
  - Re-align processes to achieve compliance objectives
#continuousimprovement
- Mismatched Systems
The administration problem is primarily that of reducing uncertainty within the organizational system (Organizational Strategy, Structure, and Process - 1978). Solving it involves more than simply rationalizing systems and processes already developed (uncertainty reduction); it also involves formulating and implementing those processes which will enable the organization to continue to advance outcomes. This necessarily impacts how risk & compliance systems are implemented. For managed compliance programs (i.e. safety, quality, environmental, regulatory) to be effective they must align with the specific goals, objectives, and strategies of the organization. These will be different based on each organizational type: Defender, Prospector, and Analyzer. Each type will also influence your approach to meeting obligations. Any mismatches in systems architecture will end up hindering the advancement of both business and compliance outcomes. Which organizational type best matches your business posture? Does your approach to risk & compliance align with this posture? #effectivecompliance #grc #managedrisk #managedsafety
- Operational Risk: Where do risks come from?
Risk-based thinking is at the center of recent changes to compliance standards, guidelines, and regulations. One of the areas where risk-based thinking is being applied is within the operations of a business. This is the domain of operational risk management, which is defined as: "The risk of direct or indirect loss due to inadequate or failed internal processes, people and systems, or from external events." – Basel II. This definition comes from the financial and insurance sector, although it is still useful for other industries as operational risk management continues to gain traction there. However, this definition is likely to change as the trend to include positive risk increases (e.g. ISO 31000). Whether risks are negative or positive, an important step in any risk-based approach is the identification of the risks themselves. This requires (among other things) an understanding of where risks come from. Knowing the sources can help not only to identify risks but also to decide how best to manage them. It is possible to think about these sources in relationship to operational systems and processes. These relationships can be classified as extrinsic, intrinsic and emerging. For the purpose of this article, the compliance systems model introduced in a previous article will be used, although, in principle, these definitions can apply to each component of any process or system.
Extrinsic Risk
These are risks that are external to the system and that affect the underlying processes and activities. These risks may be introduced due to changes (shown in red in the above model) to scope, critical to compliance requirements, resources, funding, strategies, best practices and program controls that are placed on the system. Risks may also come from other external sources that have been identified at the corporate level.
Because a significant source of system risk is change, it is important to have an effective management of change process to identify these risks and manage them. This is even more critical when the system is vulnerable to emerging risks.
Intrinsic Risk
These risks are inherent in the process and activities. They may take the form of latent or active failure modes, gaps in capabilities, uncertainties in work plans, or process variability. There are two common approaches to identify and treat these kinds of risks:
  - Risk Assessment – as part of an initial or periodic assessment, levels of risk are calculated for each activity or place where value is added. Steps can then be taken to decrease the uncertainties or to minimize or exploit the consequences to better achieve the desired system objectives. These assessments assume a relatively static process where risks are not changing often.
  - Risk-Based Process – this approach includes an embedded risk screening at the front end to determine which path to take given the level of risk associated with either the work to produce the output or the output itself. Separate work streams based on the level of risk can accelerate cycle times and also ensure that the appropriate amount of rigor (e.g. further risk assessment) is applied when needed. This technique is used frequently with stage-gate methodologies such as project, change and design processes, and is effective at identifying emerging risks because assessments are done each time the process is initiated.
Emerging Risk
These are risks that are developing or changing as a system evolves. They are often the most difficult to identify and to understand. Emerging risks can be classified as:
  - Newly created risks
  - Newly identified or noticed risks
  - Changes to such things as likelihood, severity, causes, consequences, and control effectiveness for existing risks
Periodic risk assessments are useful to update risk profiles to take emerging risks into consideration. Risks identified using the risk-based process mentioned previously can also be used to update the system risk profile so that they can be monitored. Knowing where risks come from helps ensure that appropriate triggers are created so that risks are appropriately identified, managed, and effectively treated. As companies continue to change at an increasing rate to improve their business processes, it is essential that risk-based approaches keep up. Conducting risk assessments periodically may not be enough. Embedding them inside processes, however, will enable companies to stay on top of new and emerging risks so they can stay proactive. #riskmanagement #grc #managedsafety
- Lord of the Risks – The Two Towers: Productivity and Compliance
Those who have been following me might be aware of my presentations on demystifying risk entitled Lord of The Risks – Defeating the Dragon of Uncertainty. In these presentations we follow the adventures of a team of individuals that go on an adventure to complete a mission of strategic importance. They have never worked together before, and some have never been on an adventure. Their mission will require that they leave the world of the Shire, a place where they know everyone, how things work, and where life is predictable – it is a world of certainty. However, they must now take a step out into a world that they don't fully understand, where they don't know how things work, and where both threats and opportunities are unpredictable – it is a world of uncertainty. And it is this uncertainty that creates the opportunity for risk. “It’s a dangerous business, walking out one’s front door. You step onto the road, and if you don't keep your feet, there's no knowing where you might be swept off to.” While not fully understanding the risks ahead, our team agrees to go on the adventure because the stakes are too high not to. The Ring of Value that was forged in the Valley of Capabilities has been lost and, if not recovered, may end up at Mount Doom where value is destroyed. Their mission objective is to find the Ring of Value and take it to the Mountain of Better Outcomes along the value stream. Fortunately, with the help of a wizard (aka risk manager) our team was successful in fighting the Dragon of Uncertainty and reclaimed the Ring of Value. We catch up with our team as their journey continues...
Lord of the Risks - The Two Towers: Productivity and Compliance
The Fellowship of the Ring of Value have just decided to pass through the gate of pro-activity and are making progress towards the Mountain of Better Outcomes along the value stream when they come across someone they recognize but have not seen for a while.
The Wizard who had previously helped them now greets them: "I come back to you now, at the turn of your intention. One stage of your journey is over, another begins. To make progress towards your destination you must be mindful of the ever watchful eyes of The Two Towers: Productivity and Compliance. Keep both in your gaze at all times and don't by any means look at only one and avoid the other." The leader of the fellowship, puzzled by what the wizard had just said, replied: "You have not changed, my friend, you still speak in riddles." The wizard apologized for speaking in Riskish and explained, this time in English, more about The Two Towers and how the towers will help them achieve their mission. "Because even the very wise cannot see all things."
The Two Towers: Productivity and Compliance
The two towers were constructed in recent years to guide you through the Valley of Capabilities (otherwise known as the Value Chain) along the value stream. Here is a map so that you can find your way (map not reproduced here). Each tower has its own purpose to help ensure that the Ring of Value reaches the Mountain of Better Outcomes. They also have different strategies and tools to help you contend with the dragons of uncertainty: Aleatory and Epistemic. What you must always remember is to keep both towers in sight and never look at only one at the expense of the other.
The Tower of Productivity - Use only what you need
You must only use the resources you need to ensure you have enough to reach your destination. This tower will help you eliminate waste and improve your productivity so that you reach your destination with room to spare. This is called margin, and it is the best way to contend with the Aleatory Dragon. The strategy most often used by the Tower of Productivity is something known as LEAN. Here the Ring of Value will be pulled through the value stream, which will surface hidden artifacts that are slowing you down. The people of this tower call these artifacts waste, and you will be wise to eliminate as many of these as you can manage. Learn from these folk, for their practices and tools will help you with what lies ahead that you cannot predict. However, you must remember that the two towers work together, and so you must be ever mindful to use your gains wisely. Some of your gains must be allocated to the Tower of Compliance to strengthen your defenses to defeat the Epistemic Dragon.
The Tower of Compliance - Your defenses must hold
Your standards, systems, processes, and controls must not fail to protect the Ring of Value as you move through the value stream. The Tower of Compliance will help you buy down risk by creating lines of defense against the Epistemic Dragon. The folk in the Tower of Compliance are known to use what is called RISK MANAGEMENT, and they are fond of the BowTie Analysis. They will look to your goals and objectives to identify prevention and recovery controls (your defenses) to increase the certainty of completing your mission. Make sure that you know what your objectives are, otherwise their strategies will be less effective. You must ensure your defenses are sufficient and strong enough to hold. To strengthen them and broaden your coverage you will need to make alliances with Safety, Quality, Security, Environmental, and Regulatory folk. Some of them have not worked together for many years, if at all. However, you will find that they will unite and fight together under the banner of "risk reduction", which is a goal they all have in common. One last thing: there is more at risk than you realize. Your defenses must not only protect the Ring of Value, they must also protect the fellowship, the people of the value stream, and the Valley of Capabilities; otherwise you will not make it to the Mountain of Better Outcomes.
The Wizard Rides North
Some of the fellowship did not understand and were not sure of what the Wizard had just told them. There were some who wished that this mission had not been given to them and that the wizard had not come. The Wizard, hearing their murmurs, picked up his staff, stood up and said, "So do all who work in highly-regulated, high-risk industries, but that is not for them to decide. All we have to decide is what to do with the time that is given us. There are other forces at work in this world besides cost reduction and loss prevention. Remember, the people of the value stream will need you; use only what is absolutely necessary and make sure your defenses hold, and promise me that you will keep both towers in your gaze at all times and don't by any means look at only one and avoid the other." The wizard then called his horse as he spoke once more to the fellowship: "I have heard news about a different kind of dragon, one that has not been seen in these parts for some time, the Dragon of Opportunity. I ride north to learn more about this dragon. Look to my coming, at first light, on the fifth day. At dawn, look to the East." And with that the Wizard rode off, leaving the fellowship in the Valley of Capabilities between the Two Towers: Productivity and Compliance, planning the next part of their journey and keeping in mind what the Wizard had just told them about LEAN and RISK MANAGEMENT. Note: Any reference to The Lord of The Rings by J.R.R. Tolkien or related works is used under Fair Use License for the purpose of education and learning. #managedsafety #riskmanagement #leanmanagement
- Problem with Risk Scores
Risk scores are commonly used to support risk-based decisions. They are usually derived from a semi-quantitative analysis of the underlying risk factors to produce a single value such as low, medium or high. This value is then applied to the ranking of options or used as a trigger for additional actions, and as such can be extremely helpful in supporting decision making. However, if not implemented correctly, risk scores can introduce vulnerabilities that expose companies to unnecessary and avoidable risk. In a recent discussion on LinkedIn, a person wrote about a situation where risk scores were used. With their permission, I have included an excerpt from that discussion:

"A firm with an ISO 27001 certification had both a gap with risk evaluation and risk estimation unrealized by the external auditor. First, its vendor risk management process held that firms with services that cost more need more oversight than firms with services that cost less. This is fine until one looked at why a service might cost less. In this case, the service requests for vulnerability patching a corporate firewall were costing less because they had been skipped for three years. Falsely, the system reported the firewall service was lower risk because it cost less -- in this case too little for the firm's best interests. Next, risk computations themselves were done in a manner that sounded good but was mathematically flawed. By adding a score for Confidentiality to Integrity to Availability it was possible to rank the security needs of a service, product, software or vendor. But by adding rather than multiplying it became possible for 70% or more of all risks to all have the score of medium. Summing risk indicators presumes statistical independence that was not truly present. The result is a bell curve with 70% of the answers for any combination of inputs resulting in a medium risk score."

This story serves to illustrate potential problems with the improper use of risk assessments, scores and ranking. Here are five key problems:

1. Outcomes were not validated. The resulting scores were not validated to ensure that they would produce the appropriate outcomes. In addition, incorporating the other criteria (confidentiality, integrity, availability) in the calculation was not implemented correctly and may in fact not be statistically valid, as mentioned in the excerpt. The decision to create a single-value score (most likely to simplify the decision-making process) contributed to unintended outcomes.

2. Risk scores were not calibrated. Risk scores were not calibrated and aligned with the risk attitude (appetite and tolerance) of the organization. There are two aspects to this: (1) the scores themselves need to generate the right distribution of outcomes based on the inputs, and (2) the use of the score must be consistent with the risk attitude of the organization. For example, choosing a high-risk option, even if it were free, would not be acceptable if the organization's risk tolerance is low.

3. Using single-variable scores produced sub-optimal results. Choosing a set of options using single-variable ranking (e.g. a resulting score between 0 and 10) can often lead to a less than optimal selection. The primary concern is that a single value is not always sufficient to differentiate the available options. This appears in other domains, such as choosing the optimal portfolio of projects, investments or process improvement initiatives. Issues with single-variable ranking are well documented and there are solutions to overcome them, including real options, efficient frontiers, multi-attribute ranking and others. Often just using a matrix of value against risk is enough to produce a better result.

4. Using risk scores in an automated process may be vulnerable to the "automation bias". As risk-based thinking becomes more embedded in the organization, it is likely to also become more embedded in decision support systems. Although not specifically stated in the above scenario, it is possible that the resulting risk score was used (or could be used) to automatically select the vendor. The automation bias is defined as "the propensity for humans to favor suggestions from automated decision-making systems and to ignore contradictory information made without automation, even if it is correct." Automating the selection process may result in: (1) decision makers abdicating their responsibility for the decision to a computer system, and (2) leaning too much on a score to inform them of the appropriate decision to make. As those who work in the safety field know, you cannot delegate safety (or decisions about it) to a computer system.

5. Using risk scores may not be ethical. Decision support systems use numerical values which in some ways are no different from risk scores. However, the majority of these systems address situations of certainty, where decision analysis is effective and can be mechanized in terms of moral rules and conditions. When this is done, responsibility (and possibly accountability) is abdicated to a computer system. Doing so might be appropriate except when decisions involve risk. Risk-based decisions, due to their inherent uncertainty, fall into the category of ethical decisions that a company makes and cannot easily (or at all) be reduced to a set of rules. If the risk can be completely eliminated by removing the hazard, then rule-based decisions might be appropriate. However, should the hazard remain and uncertainty persist, the decision to proceed becomes an ethical choice. Organizations should not transfer accountability for ethical decisions to an algorithm or a decision support system.

Research is ongoing and at some point it may be possible to implement ethical subroutines that can be appropriately regulated. However, at this point in time these do not exist and regulatory accountability is a human one. In the example above, the decision to pick a lower-cost (although higher-risk) option should be made by a person who can ensure that the decision aligns with the company's ethical standards and guidelines. #riskmanagement
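To make the excerpt's additive-scoring problem and the validation and calibration points in items 1 and 2 concrete, here is an added example (not from the post or the LinkedIn discussion) that enumerates every combination of a three-level Confidentiality, Integrity and Availability rating under the excerpt's "add" and "multiply" rules, plus the high-water-mark rule (take the highest single factor), which the post does not mention. The three-level scale and the band cut-offs are assumptions, since the post gives none.

```python
from collections import Counter
from itertools import product as cartesian
from math import prod

# Constructed 3-point scale for each of Confidentiality, Integrity, Availability.
LEVELS = (1, 2, 3)                          # 1 = low, 2 = medium, 3 = high
COMBOS = list(cartesian(LEVELS, repeat=3))  # all 27 possible (C, I, A) inputs

# Combining rules: the excerpt's "add" and "multiply", and the high-water-mark
# rule (highest single factor wins), which the post does not mention.
RULES = {"sum": sum, "product": prod, "max": max}

# Assumed band cut-offs (the post gives none): score <= low_max is low,
# score <= med_max is medium, anything above is high.
CUTOFFS = {
    "sum": (4, 7),       # sums run 3..9
    "product": (4, 12),  # products run 1..27
    "max": (1, 2),       # max runs 1..3
}

def band(score, low_max, med_max):
    if score <= low_max:
        return "low"
    if score <= med_max:
        return "medium"
    return "high"

def distribution(rule):
    """How many of the 27 input combinations land in each band under `rule`."""
    low_max, med_max = CUTOFFS[rule]
    return Counter(band(RULES[rule](c), low_max, med_max) for c in COMBOS)

def medium_fraction(rule):
    """Share of all inputs that collapse into the middle band (item 2, aspect 1)."""
    return distribution(rule)["medium"] / len(COMBOS)

def unflagged_highs(rule):
    """Validation check (item 1): inputs with at least one High factor that do
    not band as high, e.g. a confidentiality-critical service with low I and A."""
    low_max, med_max = CUTOFFS[rule]
    return [c for c in COMBOS
            if 3 in c and band(RULES[rule](c), low_max, med_max) != "high"]

if __name__ == "__main__":
    for rule in RULES:
        print(f"{rule:8} {dict(distribution(rule))}  medium={medium_fraction(rule):.0%}"
              f"  unflagged highs={len(unflagged_highs(rule))}")
```

Under the additive cut-offs 19 of the 27 combinations (70%) band as medium, matching the excerpt, and 15 inputs that carry a High factor, including (3, 1, 1), never reach the high band; the high-water-mark rule flags all of them, at the cost of a very different distribution that would itself need calibrating against the organization's risk tolerance.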
- The Risk and Compliance Problem
The risk and compliance problem: companies are too reactive. Prescriptive policies, standards and regulations do not adequately protect against loss or ensure value creation. High-consequence risks rarely occur due to the failure of a single activity; instead they occur because of an alignment of vulnerabilities across multiple activities (i.e. systemic risk). The capabilities needed to manage systems differ from those needed to manage individual processes, where results are limited to the sum of the parts. To keep up with the speed at which risk becomes reality, companies cannot wait for audit findings to make improvements. The solution: companies must be more proactive. Policies, standards and regulations need to transition, and are transitioning, to performance- and outcome-based designs (e.g. vision zero). Meeting performance- and outcome-based obligations will require a holistic and integrative approach that goes beyond process improvement to focus on system effectiveness. Capabilities must include managing interdependencies between and across functions to unleash performance where results are the product of the interactions. Continuous improvement will be driven by the presence of uncertainty, not only the presence of problems. When companies adopt a proactive approach to risk and compliance they will have a competitive advantage, because most others will not. And if they become good at it they will be unstoppable. #grc #effectivecompliance #riskmanagement