  • Is Compliance Asking The Right Question?

    Instead of in or out, the question should be how close we are and which direction we are heading. Organizations are periodically asked to attest to their compliance. The question usually boils down to a simple one: "Are you in or out of compliance?" The answer expected and often given is something like this, “Of course, we are fully compliant with all applicable laws, regulations & standards, and internal policies as far as we know.” This will, of course, be verified by internal and external audits. The answer may be true for the most part but perhaps not as useful as it could be. Organizations might be in compliance today or at the time of their last audit. But tomorrow a misstep may find them off-side. In fact they may have been heading off-side for some time but were not paying attention. Single point evaluations are poor predictors of risk. What organizations don’t know is how close they are to stepping over the edge and, as importantly, if they are heading closer or farther away from that edge. Where staying between the lines is mission critical, risk and compliance programs to be operational must provide credible answers to these questions: How close are we to an incident occurring? and Are we moving closer or farther away from that point? These would be considered as measures of assurance. Unfortunately, most organizations don't consider risk exposure in their decision making and so don't expect it from their risk and compliance programs. No wonder everyone is surprised when an incident occurs. Successful organizations, however, will expect more from their programs and ensure that they get the answers they need to keep the organization between the lines today and every day they choose to operate.

  • Applying DOE Risk Handling Strategies to Obligations

    Evaluating risk is important but handling risk is better. To meet obligations requires contending with threats as well as opportunities. Deciding how best to handle these may well make the difference between staying between the lines or crashing through a guard rail. Unfortunately, many organizations jump from obligation to risk controls and skip the step of deciding which risk handling strategy to use.

    In this post we explore the application of the US Department of Energy (DOE)’s risk handling strategies as defined in the DOE G 413.3-7A – Risk Management Guide to help meet obligations. While this guideline is directed towards projects the same principles can be applied to meeting an obligation – a project in its own right – particularly when obligations include targets to achieve net-zero emissions by 2050.

    Risk Handling

    Risk handling covers various strategies to contend with uncertainty. After obligations have been identified, risks have been evaluated, uncertainty estimated, and consequences determined, a decision needs to be made on how best to handle the risk. The first step is to choose a strategy, which the DOE Risk Management Guide suggests includes: acceptance, avoidance, exploit, mitigative, enhance, transfer and share. Let’s unpack each one.

    Acceptance

    Acceptance of risk means that it is acknowledged without measures to address the risk. The organization accepts both the positive and negative effects of the uncertainty left untreated, using ISO 31000 terminology. This strategy is often chosen when the risk is irreducible or no other means are feasible to buy down risk. In this case, it is assumed that the risk will occur and the loss is included in the overall contingency fund or management reserve. Acceptance is not the same as ignoring the risk. Risk is ignored when it is not identified and/or costs are not accounted for in management reserve. Ignoring risk amounts to hoping for the best but NOT preparing for the worst, which is the same as gambling.

    For opportunities, instead of accounting for the cost in a management reserve the benefit is identified (in an outcomes register) and monitored. If the opportunity happens then further action may be taken to leverage the opportunity further.

    Avoidance / Exploit

    Avoidance is a risk handling strategy used when organizations are risk averse or if the risk cannot be tolerated. This strategy is accomplished by introducing measures to eliminate / prevent the potential threat from occurring. For opportunities, risk handling introduces exploitive measures to increase the probability of the event happening. In both cases, the focus is on ensuring that the uncertainty is removed and the opportunity definitely happens and the threat definitely doesn’t. In other words, eliminate the uncertainty / hazard; eliminate the risk.

    Mitigation / Enhance

    Mitigation is a risk handling strategy to reduce the likelihood of occurrence of an identified negative impact (i.e. consequence) for a threat. The goal of mitigation is to reduce the risk to an acceptable level (e.g. ALARP, etc.). The rule for mitigation is not to spend more on the mitigation than what the risk event would cost if it occurred. Enhancement is used for opportunities to increase the positive impact or benefit or reinforce the conditions that trigger it. The rule for enhancement is not to spend more on the enhancement costs than the benefits realized from the opportunity.

    Transfer / Share

    Transferring risk in most cases involves the purchase of insurance as the transference of the risk. This transfers the cost of the effects and distributes it across a larger group. This strategy does not help you meet the obligation. It only helps address the cost of non-conformance provided that you can get coverage. Risk that is shared refers to positive consequences (i.e. benefits). Those that share the risks share in the benefits. For example, achieving safety compliance creates benefits that are shared across an organization.

    Applying Risk Handling to Obligations

    The best strategy to contend with risk may well be not to accept the obligation in the first place. However, if an organization accepts an obligation it must contend with the associated risk. If the obligation must be met, either by regulation or internally imposed, then an organization should do what it can to improve the probability that it meets the obligation. When deciding on which risk handling approach to take the following should be considered:

    1. Is the obligation mandatory or voluntary? Mandatory obligations are often considered as necessary to avoid fines, and other effects of non-conformance. These may require a higher degree of rigour as the effects may be more immediate and may lead to loss of a license to operate. However, voluntary obligations tend to be seen as investments and measured against a ROI. One might be more inclined to accept an opportunity risk without introducing any enhancement or exploitive measures. The risk tolerance for voluntary obligations is usually higher than mandatory ones.

    2. Is meeting the obligation necessary for meeting another obligation? To avoid a cascading or propagation of risk, similar strategies should be used to avoid weaknesses in the compliance chain. Obligations should consider risk handling strategies used by dependent obligations so that they do not become the weakest link.

    3. Do the benefits outweigh the costs? The cost of the handling should be commensurate with the cost of the risk. This evaluation may position some strategies as too expensive compared with the loss or benefit anticipated.

    4. Is the risk handling strategy feasible? Deciding on a risk handling strategy is necessary, but so is having feasible measures available to implement. It is best not to rely on the invention of new technologies to handle critical uncertainties. The lack of available risk measures may demand choosing a different risk handling strategy.

    5. How effective is the risk handling strategy? Risk measures may be available, feasible, but not effective enough to buy down risk below the risk tolerance level. This may require additional strategies to contend with the residual risk. In DOE terms this means promoting the residual risk to the primary risk category along with the inherent risk. Evaluating the effectiveness of a selected risk strategy is necessary to knowing how much residual risk is left, which in turn needs to be handled.

    6. How long does the obligation last? Obligations typically have a long life-cycle, which means the effectiveness of risk measures should be monitored continuously and adjusted when necessary. To help with this, the decision of risk handling strategy should be captured in the obligations-risk register along with other obligation and risk information to provide context for the risk controls. If over the course of the obligation's life-cycle the chosen strategy does not perform as specified, improvements may be required. In some cases, a different risk handling strategy may be needed. If the obligation is retired then the corresponding controls may be decommissioned if not needed by another obligation.

    Conclusion

    As regulations continue to expand to include outcome and performance-based designs, choosing the best risk handling strategies will become increasingly important. This reflects the growing shift of risk being transferred or shared by regulators with industry and individual companies. The DOE guidelines provide a robust framework for managing project risk that can be applied to compliance to improve the probability of meeting obligations. At a minimum it will help organizations know why risk controls have been chosen so they can better evaluate their effectiveness and make adjustments when and if necessary.

  • Micro Learning Series - 2022

    Registration is now CLOSED

    Why is this training needed?

    Over the last decade regulators have started to modernize their programs to become more risk-based, moving towards performance and outcome based designs. The new compliance landscape requires organizations to take a proactive and systems approach instead of the prevailing reactive and siloed approach to compliance. Unfortunately, many organizations are unable to keep up and are falling behind. Adopting the new mindset along with the necessary skills takes time which many find they don't have. That's why we are offering this micro learning series. We have designed each module in bite sized portions. By spending just 1 hour a week over 15 weeks you will gain knowledge and skills to meet the demands of this new compliance landscape.

    Each module focuses on an essential principle for effective compliance:

    1. Develop systems that always keep you in compliance
    2. Continuously improve your compliance capabilities and effectiveness
    3. Improve the probability of meeting all your obligations

    These modules are designed for practitioners across all risk & compliance domains to improve their knowledge and skills. Each module consists of:

      • 5 one-hour "HOW-TO" sessions (40-minute instruction with worked examples / 20-minute Q&A)
      • Worksheets and reference materials
      • Quiz (optional)
      • Certificate after successfully completing all quizzes in the module

    Sessions will be hands-on and conducted over Zoom on Tuesdays @ 1:00-2:00pm (EDT) following the schedule below. Each session will be recorded and available to participants. Price is $300 (CAD) per module or $750 (CAD) for all three. We encourage you to take advantage of this opportunity to improve your knowledge and skills. The first module starts April 5th so register today.

    SYSTEMS MODULE - "Keep it Green"

    In this module you will learn tools & techniques to always stay in compliance. We start with classifying obligations followed by identifying goals and objectives, defining measures for success, and establishing actionable metrics to keep you between the lines.

    DATE                       SESSION    TOPIC
    Tuesday, April 5, 2022     SYSTEMS-1  Module Overview - concepts and principles
    Tuesday, April 12, 2022    SYSTEMS-2  How to define and classify obligations
    Tuesday, April 19, 2022    SYSTEMS-3  How to define compliance outcomes, objectives and targets
    Tuesday, April 26, 2022    SYSTEMS-4  How to define measures of conformance, performance, and effectiveness
    Tuesday, May 3, 2022       SYSTEMS-5  How to define leading / lagging indicators and actions for compliance

    LEAN MODULE - "Keep it Lean"

    In this module you will learn how to apply Lean tools & techniques to continuously improve your compliance at the process, systems, and program levels.

    DATE                       SESSION    TOPIC
    Tuesday, May 17, 2022      LEAN-1     Module Overview - concepts and principles
    Tuesday, May 24, 2022      LEAN-2     How to use Lean 5M to identify areas for improvement
    Tuesday, May 31, 2022      LEAN-3     How to use Lean A3 to conduct compliance Improvements
    Tuesday, June 7, 2022      LEAN-4     How to use Lean X-Matrix to stay on course
    Tuesday, June 14, 2022     LEAN-5     How to use Lean Startup to achieve operational compliance

    RISK MODULE - "Keep it Certain"

    In this module you will learn how to improve the probability of keeping all your promises by contending with uncertainty.

    DATE                       SESSION    TOPIC
    Tuesday, June 28, 2022     RISK-1     Module Overview - concepts and principles
    Tuesday, July 5, 2022      RISK-2     How to evaluate compliance risk
    Tuesday, July 12, 2022     RISK-3     How to identify risk measures and controls using bow-tie analysis
    Tuesday, July 19, 2022     RISK-4     How to track compliance risk using risk scores
    Tuesday, July 26, 2022     RISK-5     How to manage risk due to regulatory change

  • The Dilution of Compliance

    Dilution can be defined as "the process or action of making something less strong or valuable." Over the years I have experienced this effect at work when it comes to compliance systems in support of quality, safety, environmental, and regulatory objectives. The following are steps that many companies follow in hopes of strengthening their compliance but which all too often result in the dilution of compliance instead.

    Step 1: Company decides to adopt a compliance management system

    As always it begins at the beginning with good intentions to use a management system to raise the standard for a particular set of obligations. This is often triggered by the occurrence of a significant incident, but not always. It may also be legislated, or strongly encouraged as part of membership in an industry association. An organization may just be proactive and choose to raise their standards on their own (wouldn't that be something!). Whatever the motivation might be, resources are rallied behind the decision and implementation begins in earnest.

    Step 2: System elements are mapped to existing functions and activities

    The next step usually involves learning about the chosen system standard followed by a reductive analysis where each part of the system is divided up and mapped to existing functions and activities within the organization. This is a component-first approach as compared with a system-first approach. The goal of the component-first approach is to divide and conquer, utilize existing practices, identify and address procedural gaps, and realize early wins (i.e. low hanging fruit). All of these goals are good in and of themselves. However, together they seldom lead to an operational system as we soon shall see.

    Step 3: Company focuses on the elements and loses sight of the system

    After the elements have been incorporated into the organizational structure, sight of the system and the original purpose is often lost. People go back to their "day jobs" and management processes take on the task of managing the various parts of the compliance system. Reports and scorecards are updated to add such things as key performance indicators, and objectives. It is here that we can start to see the "dilution of compliance." This is the forest for the trees problem. The failure in implementation (which is to come) was not performing the "synthesis" step to work on the interactions of the elements to function as a whole. The performance of compliance systems depends on how the parts interact, not on how the parts perform separately. The parts on their own can never fulfill the purpose of the system. This lack of understanding now sets in motion the "dilution process". Failure is soon to follow.

    Step 4: The system fades away and only the elements remain

    The "dilution of compliance" process is now at work. The compliance system as a whole is now lost and perhaps was never really there since it was never implemented. Only the parts, and probably only some, were incorporated; many were just lost in action management systems. This can be observed by the lack of accountability for the system expressed in the organizational structure. There is no person who has the scope, authority, or resources to contend with ensuring that the overall system is operational and is performing at the levels needed to improve outcomes. At best silos exist for the elements; at worst, the components are fractionated, and dispersed beyond their ability to produce any real value towards system outcomes.

    Step 5: With the system out of sight even the elements start to fade away as people forget why they were even there

    The dilution of compliance is now complete. We might still believe that if we double down on audits we might get back to having an operational system. The problem is that we never had one to begin with and dynamics have been set in motion to produce failure. It's just a matter of time.

    Here is a video animation that stitches all these steps together:

    When an incident comes (and it will) you will ask yourself how it happened. You will launch an investigation, review findings, and mandate corrective actions. You will try to fix the problems unknowingly with the same behaviours and practices that caused the failure to begin with. You will try to fix the parts of a system rather than the system itself. What makes it worse is that you never had an operational system to start with. This is the trap that many organizations are caught in, which we call The Reactive Uncertainty Trap. The good news is that you don't need to repeat this pattern. You can escape this trap and achieve a much better outcome.

  • Creating Space for Compliance

    If you are a Star Wars fan, you could call this "Creating balance in the 'work' force." Finding ways to accommodate new and changing regulatory demands is a challenge for most organizations. Very often I hear that operations is too busy to take on yet another process for their work force to follow. Even when the compliance process is as streamlined as it can be, front line workers may not have the capacity to properly execute and manage, let alone make continuous improvements to a new process. When compliance is layered on top of an already busy work force how could it be otherwise? One step that companies can take to create space is to simplify their existing processes before adding new ones. An effective way to do that is to remove sources of waste from existing processes by: eliminating unnecessary steps, reducing delays in acquiring resources, reducing unnecessary approvals, and no longer collecting information that is not needed. By eliminating sources of waste you free up time for everyone to work on activities that are better aligned to the desired outcomes. Plan-Do-Check-Act Questions: What sources of waste do you see in the processes you use? What steps can you take to reduce or eliminate these sources of waste? What step can you take today to create space for compliance?

  • Are you Safe?

    When new recruits are hired, it is often the case that although they are trained on the new processes and procedures (which takes time), their intuition is still informed by what they did in their previous jobs. In fact, people will have a predilection to follow the old ways until new neurological paths are created and strengthened by repeated practice. Until that happens the risk of doing the wrong thing persists, which is why training and testing need to happen often during employee transitions, particularly for safety critical positions.

  • Operational Readiness

    Are your systems operational and capable of meeting all your performance and outcome-based obligations this year? Companies that take ownership of their obligations know in real-time the status of their compliance. They don't wait for auditors to tell them when and if they are off-side or for something bad to happen before they make improvements. They continually strive to keep their promises to meet all their obligations.

  • Is Risk Real?

    For those who have been to Toronto, Canada you will know that one of the places you are likely to visit is the CN Tower. It remains one of the tallest structures in the world and affords an unparalleled view of the city, and surrounding areas. On a clear day you can see for miles including all the way from the observation deck to the ground. The observation deck consists of a floor that is partially made from glass blocks. You can walk on them and look all the way down, unless you are like me. No matter how much I try my body will not let me walk on the glass blocks even though in my head I know it is safe. Is there a real risk here to explain my behavior or is there a problem with my perception? There is no doubt that a hole in the floor of the CN Tower would be dangerous like many of the other dangers we are taught to avoid. When I was young my parents taught me (among other things) not to put my hands in an open flame, stick my fingers in an electrical socket, or play too close to the edge of a cliff. All of these are dangerous and pose real threats to our well being. Being fearless in the presence of these dangers is not wise and so it is good that we teach our kids and ourselves to have a proper respect for them. However, many of the risks that we face in life and in business are less physical (at least not directly) and do not elicit the same fear response. These risks are anticipated threats predicted by risk models, observations of past events, or other forms of analysis. It is with these that we often find a lack of proper respect, and sometimes even awareness of their existence. As an example, the introduction of mobile devices created the possibility to answer calls, text messages and emails, all while driving. It also created the opportunity for risk. However, for most people the perceived risk is not "real" as demonstrated by continued use of cell phones while driving. 
Unless involved personally in an automobile accident many are not likely to stop using cell phones. For behavioural change to occur we need to learn that distracted driving is dangerous just like we had to learn to not play too close to the edge of a cliff. Until the perception of risk is changed many will endure the consequences of fines, loss of demerit points and possibly their driver's license, all introduced for the purpose of curtailing distracted driving. It does not have to be this way, though, as we can instead choose to change our behaviors and develop a proper respect (you might call this fear) of the dangers involved. The way we deal with the risks of "distracted driving" has similarities with how some companies contend with the risks associated with compliance. Organizations may find that in the pursuit of opportunities they end up being distracted with respect to safety, quality, environmental and regulatory objectives. Just like many who continue to use cell phones while driving they may comfort themselves by saying that they have not yet had any accidents and they can handle it. However, the risks still remain even if not perceived, ignored, or not personally experienced. Until these companies change their behaviors they will also endure the consequences of fines, the loss of reputation and trust, and possibly the loss of their operating licence. Even for them it does not need to be this way – they can choose to be more proactive with their compliance. Now back to me and the CN Tower glass floor. What was going on? In my case the glass blocks created an illusion of danger when none exists. It tricked my perception of reality. While it is good to fear things which are "really" dangerous it is not good to fear things which are not. That is why for some it is important to face our fears to discover if they are based on reality. This is another example of how risk perception affects our decisions. 
My perception of danger was too high rather than too little as in the case with those who continue to text while driving. Both extremes are problematic. However, calibrating risk perceptions is not always easy to do. So it's back to the CN Tower to face the glass floor dragon again. Wish me luck!

  • Are You Neglecting Your Compliance Boundary?

    When it comes to compliance there is a boundary that exists between what is inside an organization and what is outside. This compliance boundary is so important that the ISO standard on Compliance Management Systems (CMS), ISO 19600, calls out twelve (12) places where it should be considered:

    Section 4. Context of the Organization
      • Internal / external issues
      • Internal / external aspects
      • Internal / external obligations

    Section 5. Leadership
      • Internal / external stakeholders

    Section 6. Support
      • Internal / external policies
      • Internal / external communications
      • Internal / external reporting

    Section 7. Performance Evaluation
      • Internal / external inspections
      • Internal / external reporting
      • Internal / external issues
      • Internal / external audit

    Section 8. Improvement
      • Internal / external notification and escalation

    Taking external and internal factors into account helps to ensure that compliance is comprehensive and exhaustive across all of its roles and activities. The compliance boundary also helps to identify important factors with respect to where obligations might be found, who is accountable to meet them, and who is responsible to ensure that they are. The internal / external line also signals that different approaches and practices may be necessary depending on which side of the line a particular aspect resides. For example, how one identifies and incorporates internal / external stakeholder expectations might be different, as external obligations tend to have regulatory and legal implications whereas internal obligations tend to be more voluntary and require different forms of incentives to achieve.

    The compliance boundary is a line that should be monitored regularly and not only once, as if it were something entrenched or static as the physical parts of a business might be. The compliance boundary is more fluid and subject to change with new regulations and when companies take on more or less ownership of their obligations within their organization and across their supply chain. Often, what is considered internal or external has more to do with who is accountable for the risk than who is responsible for providing the service or function.

    An example of when ownership of obligations is a driving force is when contractors are used and where accountability for safety remains with the company that’s procuring the service. The fact that an external party is responsible for the work doesn't necessarily result in the transfer of accountability for safety obligations. In this case, the line used to separate work packages is not the same as the line used to separate compliance obligations.

    For compliance to be effective, organizations must pay close attention to the compliance boundary, which requires that they:

      • Define the line between what is internal and external with respect to meeting compliance obligations.
      • Identify the role that internal / external factors have on meeting compliance objectives.
      • Ensure that internal / external accountabilities and responsibilities are clearly defined and there are no gaps in coverage.
      • Establish a process that anticipates and contends with impacts arising from changes to internal / external factors.
      • Continually monitor the internal / external boundary.

    Lean Compliance helps companies adopt and improve compliance programs to better meet performance and outcome-based obligations. Schedule a call with us today to find out more. You can book your appointment here.

  • Towards an Environmental-First Assurance Framework - Part 2

    In a previous post I introduced the scaffolding for a compliance assurance program that is capable of meeting the challenges of an Environment-First future. This framework focused on operational policy as the means to bridge the gap between environmental intention (i.e. commitments) and action (how commitments are assured). This week I explore the nature of policies themselves and how their designs can make a world of difference between what you intend and what you actually achieve.

    Policy Designs

    Let's consider an example policy statement using different design approaches:

    1. Environment as an Assumption

    Based upon principles of quality-first our organization aims to achieve customer satisfaction, job security and company prosperity.

    This policy statement contains no explicit environmental intentions. This does not necessarily mean that environment objectives are being overlooked. However, without explicit environmental objectives, accountability and assurance will be difficult to achieve.

    2. Environment as a Constraint

    Based upon principles of quality-first our organization aims to achieve customer satisfaction, job security, company prosperity while protecting the environment.

    In this case, environmental intentions are expressed as a guard rail or constraint on existing direction and goals. This may reduce negative impacts on the environment but will most likely not result in substantive change to environmental outcomes. This policy design is commonly used as it allows organizations to make some commitment to the environment without needing to make significant changes to the way they operate.

    3. Environment as an Outcome

    Based upon principles of quality-first our organization aims to achieve customer satisfaction, job security, company prosperity, and better environmental outcomes.

    This policy expresses environmental intention as a goal. Environmental outcomes can be optimized alongside other objectives, which is more likely to result in environmental improvements rather than only environmental protection. This policy design is used by organizations that value environmental concerns at the same level as their other objectives.

    4. Environment as a Principle

    Based upon principles of environment-first our organization aims to achieve customer satisfaction, job security, and company prosperity.

    In this last example, environmental intentions are expressed as the principles by which outcomes are achieved. Quality-first as an overarching principle is replaced or rather subsumed under an environment-first mandate. In the former case, quality-first is more than just making defect free products or services – it is about creating value. In the latter, environment-first is more than just protecting the environment – it is about creating sustainable value.

    Which Design is Better?

    The choice of policy design depends closely on the level of commitment that an organization has made or wants to make towards environmental objectives. The adoption of ESG and increasing environmental regulations will no doubt drive organizations to higher levels of commitments. At the same time, others may voluntarily raise their commitments. Whatever the case, these commitments will need to manifest as policy. You can choose whether or not environmental objectives are expressed as an assumption, a constraint, an outcome, or as a principle. Your choice will guide how your business will operate and the outcomes that will be achieved. So choose wisely.

  • Another Year Under Uncertainty

    As we head into the holiday season, we find ourselves facing another wave of COVID-19 as the Omicron variant spreads across the country and the world. The words from the Lord of the Rings continue to ring true:

    “It's a dangerous business, Frodo, going out your door. You step onto the road, and if you don't keep your feet, there's no knowing where you might be swept off to.”

    Over the last couple of years, whether we have wanted to or not, we have stepped onto that road and found ourselves being schooled on the topics of risk management. We may not have understood what risk was before COVID, but we do now at an experiential level and perhaps even explicitly. We have lived and breathed uncertainty and have had to learn how to deal with its effects. So, what have we learned from our years under the tutelage of uncertainty? We have learned that:

    1. Everything happens in the presence of uncertainty

    Uncertainty may be associated with the news we hear, prediction models, COVID tests, and even with the vaccines we have now received. We will be more certain about some of these than others but there is always some uncertainty. We have had to learn to process information that is incomplete, inaccurate, over- or understated, and sometimes even too much. I am sure that many long for the days living in the Shire when we knew what to expect, how things worked, and when life was predictable.

    2. We all have different appetites for risk

    We probably have family members or friends that do not share the same appetite for risk as we do. Some may be risk tolerant and accept everything that may happen good or bad — call it fate or luck, whatever happens will happen. Others may be intolerant and choose not to have any risks whatsoever. They will shape their world the best they can to reduce their exposure to risk. You may even know others who are somewhere in between these extremes. Learning how to negotiate each perspective is not easy but necessary, particularly around the dinner table, if you want to experience a measure of peace.

    3. Risk can be treated

    Risk in many cases is reducible. We can learn more, we can improve our models, we can develop better risk measures. For example, we can lower our chances of catching COVID by wearing a mask, washing hands, social distancing, getting vaccinated, and so on. We have learned that these are preventive measures. We can also reduce the effects of the virus by using ventilators along with receiving other medical treatments. We have learned that these are mitigative measures.

    4. Not all risks matter

    COVID is the biggest threat and priority for many and perhaps most. However, for those in British Columbia, what is foremost on their minds is dealing with floods caused by atmospheric rivers. This would also be true for those in Texas who are facing the effects from recent tornadoes. For you, risk might be closer to home or your business. How will you make the next payroll? Will I have a job in the new year? Or it may be one of many other concerns. We have needed to learn how to prioritize and act on the risks that really matter.

    5. Risk tolerance is malleable

    In life and in business we hope for things. We hope to arrive at our destination, for a specific outcome, to complete a project on time, to visit a friend, and many other things. Sometimes it is the magnitude of what we are hoping for that increases our tolerance for risk. When the perceived benefits are high, we often neglect risks altogether. We might call this gambling. We have learned that we need to check our cognitive biases at the door.

    6. There will always be some risk

    When it comes to contending with risk, we will do our part to establish measures, with some more effective than others. However, there will always still be some uncertainty or doubt in our defences. This is called residual risk. We have had to learn how to deal with uncertainty that persists.

    7. Hope is not a good strategy for risk

    While hope may not be a good strategy to contend with uncertainty, faith on the other hand very well might be. Faith is defined in the Christian Bible as, “being sure of what we hope for and certain of what we do not see.” To some degree this is also what risk management is trying to accomplish. Risk management helps us be sure of what we hope to achieve and certain of what we do not yet see — the desired outcomes of our efforts. However, when risk measures are not enough and uncertainty persists, we often find that we need to put our faith in something or someone else.

    In the Lord of the Rings, Gandalf came to Frodo to invite him on a journey. It was Frodo’s faith in Gandalf that gave him the courage to step outside his door into a world he did not really know and where his path was uncertain. Many including myself will soon be celebrating Christmas when God came into our world to invite us on a similar journey. Much like Frodo, it has been my faith in this God that has helped me take the steps I needed when things were uncertain and my path was unclear. What I found was that after I took each step of faith my path became clearer, I could see a little further, and the God that I trusted in was proved to be faithful in keeping all his promises. The outcome for me has been an increase in gratefulness, joy, but mostly peace.

    The Year Ahead

    As this year comes to a close, I want to thank all of you for being part of the Lean Compliance journey with me. It has been an adventure for sure which we plan to continue for years to come. Whatever and wherever you find yourself I hope that you may enjoy an extra measure of peace over the holidays. May you also find joy and in the words from the Hobbit:

    ‘If more of us valued food and cheer and song above hoarded gold, it would be a merrier world.’ – Thorin Oakenshield

    Merry Christmas from all of us at Lean Compliance

  • The Pursuit of Opportunities in the Presence of Uncertainty

    In this article I want to discuss what is going on with the COVID-19 pandemic with respect to risk. The first risk will be what everyone is talking about, the others are only now being discussed. Before we dive in, I am not a health care expert and so will be taking the position of an observer of what is happening around me, and to some extent, others who I know. Here are three risks that I see:

      • The COVID-19 pandemic and its bigger brother the COVID-19 panic
      • The economic shutdown created by "Flattening the curve"
      • The loss of rights and freedoms or commonly known as #StayAtHome

    The last two are risk measures, or controls if you prefer, implemented for the purpose of protecting life against the effects of the first. However, these measures, as important as they may be, are not without their own risks against life, as we will find out.

    Three Risks

    1. The COVID-19 pandemic and its bigger brother the COVID-19 panic

    COVID-19, which is a variant of the coronavirus, has posed and continues to pose a significant threat to life. Some say that this is not a Black Swan which is a risk that could not have been predicted. However, others say that it could have been anticipated and precautions made to deal with its possibility. Whatever the case, COVID-19 is now upon us. The window of prevention has closed and now the focus is directed at mitigating its effects by slowing down its transmission by reducing the number of those infected. This has been called, "flattening the curve," and its purpose is to save lives. You might say that the COVID-19 risk is now a reality and we are now facing the next risk which is, "COVID-19 Infection".

    The following diagram is a bow-tie analysis (not exhaustive) which we will use to demonstrate the interactions between the uncertain event of being infected by COVID-19, the causes that would bring this about, and the consequences that arise if infected. Preventive controls (or measures) are used to reduce the likelihood of getting infected, whereas mitigative controls are used to reduce the impact caused by the infection. Shutting down the economy to essential services is one of the measures to reduce the chance of infection and perhaps an enabler to allow as many as possible to self-isolate. These measures are expected to reduce and delay the number who get infected. The forced economic shutdown while needed is itself a source of additional risk to life.

    2. The economic shutdown created by "Flattening the curve"

    Shutting down businesses, public spaces, transportation along with other elements of society is also a risk to life. Preventing this shutdown from happening is not possible. In fact, right now, compliance with these measures is exactly what is needed and critical to flattening the curve. However, the longer this goes on the greater the chance that many, perhaps even more than the numbers of COVID-19 deaths, will lose their business, their livelihood, their marriages, and possibly their lives. The stress associated with financial loss should not be ignored and should be managed. There is a saying that if you remove the means by which someone is paying off their debt you not only take away their livelihood you take away their life (Deuteronomy 25:6).

    3. The loss of rights and freedoms or commonly known as #StayAtHome

    In attempts to flatten the curve many government institutions are amending by-laws and regulations to enforce public health measures. As an example, in Burlington, Ontario it is now illegal to stand closer than 2m to someone else in public spaces. The majority of people will comply with these measures and do their part to help flatten the curve by self-isolating, shopping for food only when needed, and otherwise staying at home. However, there are some who won't and that is why governments have acted to remove freedoms. What has surprised me, and perhaps others as well, is how quickly freedoms have been removed. The question that is on my mind is how quickly these rights and freedoms will be restored. Will we find that governments will use emergency measures more often as a solution to not being proactive in the past? Will they see this as a way of dealing with bad governance? The removal of civil liberties is something that we should not accept lightly. We need to hold government officials accountable and to request from them plans and measures to restore all the freedoms that have been removed, livelihoods that have been lost, and how we will get back to life.

    Pursuit of Opportunities

    The pursuit of opportunities is an effective countermeasure to the negative effects of risk including those of COVID-19. However, there is also uncertainty associated with opportunities, as there is with threats. Therefore risk measures should also be used to improve the probability of realizing opportunities in the presence of uncertainty. The following diagram looks at how risks and their measures are connected:

    COVID-19 Infection (risk) --> Economic Shutdown (risk measure) --> Loss of business, Loss of livelihood (effects)

    We will consider two of the effects, loss of business and loss of livelihood, and consider how opportunities can be used to not only mitigate these effects but recover from them.

    Here we use the bow-tie once again, but this time to improve the chances of an uncertain positive event, which is the opportunities of a new business and a new livelihood. We can take measures to enable each opportunity and, should it be realized, consider how it can be exploited to maximize the positive effects or outcomes.

    NEW BUSINESS

    Causes that will bring about a new line of business:
      • Innovation
      • New Product Development
      • Pivot

    Improving your chances of a new business:
      • Digital transformation
      • Customer engagement
      • Accelerate launch windows of NPI

    Exploiting the opportunity to maximize positive outcomes:
      • Promotion
      • Networking
      • CRM

    Consequences of a new line of business:
      • Increased sales
      • Increased profits
      • Increased stakeholder value

    NEW LIVELIHOOD

    Causes that will bring about a new livelihood:
      • Apply for new opportunities (i.e. jobs)

    Improving your chances of a new livelihood:
      • Volunteer
      • Retrain
      • Go back to school
      • Network
      • Update CV

    Exploiting the opportunity to maximize positive outcomes:
      • Mentorship
      • Networking
      • Volunteer
      • Take on new responsibilities

    Consequences of a new livelihood:
      • Better job
      • Better circumstances
      • Better life

    Summary

    We see threats far more easily than we do opportunities, particularly when we are in the midst of a crisis. However, that doesn't mean that the opportunities don't exist. In Kahneman's book, Thinking, Fast and Slow, he helps us understand that we need to use a different part of our brain when considering things such as opportunities, whereas the fast part of our brain is great at dealing with threats, efficiencies, and getting things done.

    Risk measures can be put in place to prevent and mitigate the effects of uncertainty when they are negative and threaten what we value. However, measures can also be created to improve the probability of opportunities and increase their positive effects to protect and create new value.

    Be Safe. Be Proactive.

    #lordoftherisks #covid
