- Is Your Motivation Holding You Back?
One of the factors that holds companies back from improving their compliance is ambivalence: having mixed feelings or contradictory ideas about what goals to pursue and what approach to follow. This uncertainty feeds a lack of motivation to act, which is a significant cause of failing to achieve operational and effective compliance.

Knowing where you are going

Having somewhere positive to go that is well articulated and realistic will help motivate change. We need to know what the pot of gold is that we are going after. All too often, however, we find that companies have only vague ideas of what compliance should do and what its outcomes should be. The opposite is also common. Many companies are very specific and clear about their compliance destination; in fact, they have already arrived, as stated in their declaration that they are following all applicable laws and regulations. Where else is there to go when you believe you are already there?

What we need to understand is that the compliance landscape has changed, and so have the destination and the measures needed to get there. Compliance has moved beyond prescriptive specifications to outcome and performance targets that require continuous improvement and the effective management of risk. Compliance is no longer measured by whether or not you comply at a point in time; it is measured by the level of certainty you have in achieving your compliance goals and objectives. Because risk is never static, continuous risk management is needed to keep companies operating between the lines in the presence of uncertainty. All of this changes the goals and objectives for compliance.

Knowing what is behind

Knowing where you are going is not enough to be properly motivated. You also need the motivation that comes from being aware of the danger of staying where you are. To sustain motivation for change you need to be aware of the dragon chasing you from behind as well as the pot of gold in front of you.

The dragon facing companies these days is the set of consequences that follow from not addressing all of their stakeholder obligations. These have a negative impact on mission success, reputation and, ultimately, trust. As a result, you may still hold a regulatory licence to operate but no longer have a business that investors want to invest in or customers want to buy from. If ESG (Environmental, Social, and Governance) investing, and its downstream impact on environmental programs, continues to gain traction, learning how to navigate the broader compliance landscape will be a decisive factor in outrunning the dragon behind you.

Knowing how to get there

So how do you move from ambivalence to action? Here are three steps you can follow to build and sustain your motivation:
- Describe what your compliance destination looks like in realistic and specific terms: the piece of heaven you are striving for.
- Describe what your situation looks like if you don't improve: the slice of hell you want to avoid.
- Establish a program that continuously advances your business towards its destination and away from the dangers of staying where you are.

Making progress is a huge motivator for even more progress. Every day is a chance to improve your compliance, so let's not waste it.
- Surprise me now, surprise me later, but never say I am not surprised.
When it comes to risk and compliance, no one wants to be surprised. That is why organizations put controls of various kinds in place to avoid surprises. Surprises are undesirable and cannot always be avoided, but there is something that can be far worse: not being surprised at all.

When something bad occurs it is not uncommon for someone to say, "I am not surprised that this happened." Hearing this offers little comfort to those negatively impacted by the event. But why?

When preventable incidents occur that affect safety, environmental, quality or regulatory objectives, the fact that nobody acted when it was possible to do so is perhaps more troubling than the impact itself. Finding out that something could have been done and wasn't is often an indication of a failure in duty of care, of negligence, or simply of not caring at all. It is no wonder that we feel anything but comfort after hearing that someone was not surprised.

To avoid the surprise of not being surprised, organizations need to ensure that their risk management does more than produce a list of what might or could go wrong. They also need to act: to create the outcomes the organization wants and to avoid the ones it doesn't.
- How to Make Compliance Soar
Compliance is often considered more a hindrance than a help. Many organizations believe they would do better if they were less encumbered by having to meet obligations. The philosopher Immanuel Kant pondered the same kind of thing using the following metaphor: "The light dove, in free flight cutting through the air the resistance of which it feels, could get the idea that it could do even better in airless space."

Without the resistance of air to contend with, the dove thought it might soar higher. There is an art to flying. Too much drag, or not enough resistance, will prevent flight. But removing the air altogether removes what is essential for the dove to fly. It is the very act of contending with air that enables the dove to soar.

The same might be said about compliance. It is in the process of meeting obligations that a business develops the art of compliance. Removing the need to meet obligations removes what is essential for companies to achieve their goals. Without obligations to contend with, organizations would never get off the ground.

Resistance is not always a hindrance. It can be the very thing that strengthens our abilities. It helps the dove fly higher and an organization achieve higher standards. We know that when it comes to meeting safety, quality and environmental obligations, it is by meeting standards that a company develops the capability to be safe, to create quality, and to reduce its impact on the environment. This is what "vision zero" objectives are all about. It is not the goals so much as the struggle to get closer to them that matters most. It is the striving that creates excellence, not in spite of these goals but because of them. Obligations are the air beneath an organization's wings; they provide the resistance needed for flight.

What does this mean for organizations that want to improve their compliance?

Perhaps, instead of trying to remove obligations or doing the minimum, invest in your people and processes to become excellent at the art of compliance. You may end up not only getting off the ground; you may actually start to soar.
- Mission Report: 3 Years Later
Over three years ago we launched Lean Compliance in response to the lack of sustainable compliance effectiveness across almost every sector, as organizations struggled under the weight of existing and changing prescriptive regulations and standards. The compliance landscape was also starting to transform as regulators modernized their programs to become more risk-based and moved towards performance- and outcome-based regulatory designs. While this transformation would ultimately reduce the weight of regulation, it would require different skills and a new mindset, something that many organizations did not have, or have time to learn.

To navigate this new landscape, companies would need to become more proactive, own their obligations, and commit to continual improvement. Instead of relying on inspection and audit regimes as the trigger for improvement, companies would need to set obligation goals, measure progress, and manage risk. Performance rather than checkbox compliance would become the new mandate.

However, organizations were too busy being reactive and fighting fires; they had little time to be proactive and for the most part did not know how. Space needed to be created for improvement to occur. This is where LEAN would help: eliminating waste and creating the capacity to escape the reactive uncertainty trap so that companies could begin their journey towards proactive certainty of their compliance objectives and goals. This gave birth to The Proactive Certainty Program™, which we launched to carry out our mission: to help companies lift the weight of regulation and improve their compliance effectiveness in a sustainable way through continuous improvement over time.

As our mission continued we quickly realized that not much had been written about effective compliance, and specifically about how performance- and outcome-based obligations might be managed. So we started to do research and explore what this might look like, and wrote about it in weekly blog posts.

With every post (over 200 at this point), presentation, webinar, and consulting engagement we began to lay the foundation for Effective Compliance. We started at the source of the obligations and worked our way to the outcomes that companies committed to achieve. This resulted in the formulation of:
- A regulatory classification model
- An obligation taxonomy
- The Compliance Value Chain
- The Proactive Certainty Model™
- The 10 Rules for Effective Compliance
- A proactive accountability management framework
- A proactive model for governance, risk and compliance (GRC)
- Strategies to apply systems and risk-based thinking, and lean and performance management, to improve the probability of meeting obligations
- A system of measures (effectiveness, performance and conformance) to help govern, i.e. steer, towards better outcomes
- Digital strategies to improve the probability of mission success
- Numerous other methods and practices

Many of the concepts and principles we presented were in the form of diagrams describing behaviours, relationships and elements as we worked towards a comprehensive operational model for effectively managing obligations. Several of you have commented on how much you have benefited from the insights communicated in these diagrams and blog posts over the last three years. Your feedback has been instrumental in improving the utility of our models; it has been very satisfying and a source of much encouragement, for which we are truly grateful.

It has been a fantastic journey so far, but there is still much to do. We would love to help more companies escape the reactive uncertainty trap and realize the benefits that come from effective compliance programs. One of the things we are working on is compiling all of our work into an Effective Compliance Handbook. We will keep you posted as we get closer to publication.

If you want to launch your own mission towards effective compliance, consider our 12-week virtual boot camp. Through weekly coaching sessions we help you develop a detailed improvement roadmap for one of your compliance programs: quality, safety, security, environmental, regulatory, risk, process safety, or pipeline safety. To learn more, contact us at bootcamp@leancompliance.ca (individual and team rates available). Continue to be safe and proactive.
- How Do We Manage Cyber Safety - Part 3
This post continues our series on Cyber Safety, in which we have explored various standards, frameworks and guidelines for addressing management vulnerabilities with respect to achieving cyber safety objectives. In this week's post we consider the steps you can take to select the approach that is best for you and start improving your cyber safety.

Steps to strengthen your defences

1. Evaluate defences and develop an improvement roadmap

The framework or standard you choose depends on the risks your organization is currently facing or anticipating. So the best place to start is with an assessment of what you want to keep safe, your safety goals, and your cybersecurity objectives. To help you answer these we recommend first conducting a Cyber Resilience Review (CRR), a non-technical assessment of your current situation. This review will provide the parameters you need to formulate an improvement roadmap that you can work through in a stepwise fashion over time.

If you currently do not have a formal cybersecurity program you might consider a facilitated CRR assessment. Although the CRR is a self-assessment that you could do yourself, you will benefit from having someone facilitate the review, create an assessment summary with recommendations, and develop a cyber safety improvement plan based on the CRR results.

2. Select a standard and conduct detailed assessments

Conducting a CRR will place you in a better position to select a management standard that suits your business, if you don't already have one. You will also know whether, and which, detailed technical assessments are necessary to address serious holes in your defences.

Cybersecurity standards and frameworks

In our last post in this series we looked at several frameworks. Three of them are worth summarizing here:
- CyberSecure Canada Program: a great place to start if your exposure to cyber risk is moderate and your organization is just getting started with a cyber safety program.
- NIST Cybersecurity Framework: this framework has a strong technical component and best suits organizations with a significant IT component, infrastructure, and governance.
- ISO/IEC 27001: this family of standards is particularly useful for organizations that have already adopted other ISO standards and can leverage existing management processes and infrastructure.

The results of a CRR will help you determine which approach is best for you.

3. Develop and implement a detailed improvement roadmap

Once a framework has been selected, additional detailed assessments can be conducted based on the kinds and level of risk identified in the CRR, along with the additional considerations suggested by the chosen framework. The goal is to:
- Identify the risks that really matter.
- Uncover the strategies and plans that already exist to contend with these risks.
- Evaluate whether these defences are strong enough to keep what you value safe.
- Develop a comprehensive improvement roadmap that meets your cyber safety objectives.

If you are interested in having a cyber safety improvement roadmap for your organization, please reach out to us. And if you missed Part 1 of this series, it is also available.
- 2017 Compliance Program Survey
Help us better understand the state of compliance programs in your industry by participating in our 2017 Compliance Program Survey. It will take about 10 minutes of your time, and by participating you will receive a copy of the final report. If you are involved with PSM, HSE, Security, Quality, Regulatory, IT / Cyber Security, or any other compliance program, we want to hear from you. Thank you in advance for taking part and helping to advance compliance outcomes. #Survey
- How Do We Manage Cyber Safety - Part 2
This post is a continuation of our series on Cyber Safety. In this article we explore several guidelines, standards and frameworks available to help organizations realize their cyber safety goals. We will begin with a program from the Canadian Centre for Cyber Security, followed by three from the US, and one from the International Organization for Standardization (ISO). Let's start with the Canadian program.

CyberSecure Canada Program

The Canadian Centre for Cyber Security is a valuable source for companies of any size that want to strengthen their defences. On its site you will find the CyberSecure Canada Program, a federal cyber certification program that aims to raise the cyber security baseline among small and medium enterprises (SMEs) in Canada. The desired outcome of this program is to increase overall confidence in the digital economy and to promote international standardization that better positions organizations to compete globally, and I would add locally as well.

Certification requires implementation of a set of baseline controls (v1.2). These provide an excellent set of initial risk measures specifically designed for small and medium sized operations. You will still need to develop a management framework to advance your cybersecurity capabilities beyond the baseline, but otherwise this is an excellent place to learn and get started with cybersecurity.

Next we consider what I call the triple threat against cyber risk:
- CISA CRR
- NIST CSF
- DOE C2M2

Cyber Resilience Review (CRR)

The Cybersecurity and Infrastructure Security Agency (CISA) offers the Cyber Resilience Review (CRR) assessment. This is a no-cost, voluntary, non-technical review that evaluates an organization's operational resilience and cybersecurity practices. The assessment covers 10 domains, or what you might call capabilities, and is available as a self-assessment tool.

It is also designed to measure existing organizational resilience and provide a gap analysis for improvement based on recognized best practices. The self-assessment tool and practice guidelines are available free online. A CRR will help organizations scope out what is needed to create a roadmap for improvements, along with a determination of whether more detailed assessments should be conducted. It is compatible with the NIST framework discussed below.

Next we look at what is probably the most common framework used to manage cybersecurity.

NIST Cybersecurity Framework

In response to a presidential executive order issued in 2013, the National Institute of Standards and Technology (NIST), in collaboration with government and the private sector, developed a cybersecurity framework that uses business drivers to guide cybersecurity activities and treats cybersecurity risk as part of the organization's overall risk management process. The NIST CSF consists of three parts (the Core, Profiles, and Implementation Tiers) and covers five functions: Identify, Protect, Detect, Respond, and Recover. It is a very popular framework, particularly in the technology and information sectors. It is risk-based rather than one-size-fits-all, and is intended to be adapted by organizations according to their level of risk and their safety obligations.

Cybersecurity Capability Maturity Model (C2M2) Program

The Department of Energy (DOE) developed the C2M2, which is becoming one of the most important tools for assessing the cybersecurity posture of organizations in the energy sector and in other highly regulated, high-risk industries. C2M2 focuses on the implementation and management of cybersecurity practices across information technology (IT) and operational technology (OT), which are often managed separately within these industries. C2M2 provides descriptive rather than prescriptive guidance.

The model content is presented at a high enough level that it can be interpreted by organizations of various types, structures, sizes and industries. C2M2 distinguishes technical from management objectives across 10 domains, which gives organizations a holistic perspective on, and assessment of, their cybersecurity program. The overall intent of C2M2 is to help organizations assess and advance their cyber safety capabilities over time. Self-assessment tools and practice guidelines are also available online.

Lastly, we look at what ISO has to offer.

ISO/IEC 27001

If you have already adopted other ISO programs then this one may align better with your existing management practices. This widely known management standard specifies the requirements for an information security management system (ISMS); supporting standards in the 27000 family provide guidance on individual capabilities and practice domains. The standard lets you leverage your existing management structure (assuming it already aligns with other ISO standards) to support the technical processes needed to address cybersecurity risk. Third-party certification is attractive to companies because it provides some evidence that they are taking their cybersecurity seriously.

Summary

We have looked at various standards, frameworks and guidelines for addressing management vulnerabilities with respect to achieving cyber safety objectives. Now, which one should you use, and if you are already using one, how do you improve your effectiveness and your cybersecurity performance? Answering these questions will be the topic of our next blog post on cyber safety, so stay tuned.
- Compliance Helps Companies Stay Within The Lines
Someone once asked, "Why do cars have brakes?" The answer given was, "So they can go fast!" What brakes do for cars is what compliance does for companies: it allows them to go fast by helping them stay between the lines.

In recent years, many companies have invested significant effort in ways to go faster. Several strategies have been used, including Agile and LEAN techniques and methods. These approaches have functioned as an accelerator for business processes and have in many cases produced remarkable results. While a faster engine may help you go fast, you also need a braking system that is just as capable. The faster you go, the better the brakes need to be.

However, brakes are only one part of what makes a car effective and safe. A car also needs (among other things):
- A driver to choose the destination and pilot the vehicle
- A guidance system to identify optimal routes
- Limits (speed, traffic lights, etc.) to keep everyone safe
- Guard rails to minimize injury
- Lines that tell us when we are off-side

Newer vehicles can tell drivers when they have crossed the line, when it is safe to make a lane change, and when they are no longer on course. Intelligent braking systems also keep cars from losing traction so they can slow down safely. However, getting to your destination safely requires more than these; it also depends on the skills and actions of the driver.

When I first learned to drive we were taught what is still called "defensive driving": skills defined as "driving to save lives, time, and money, in spite of the conditions around you and the actions of others." Its aim was to reduce the risk of collision by anticipating dangerous situations. We practised these skills until they became second nature. I have continued to use them ever since, and by doing so have kept me and my family safe for over 30 years. This is what it means to be a good driver: not that you never have an accident, but that you have the skills and mindset to reach your destination safely.

Just as we need drivers to be good, we need companies to be the same. Strategies similar to defensive driving can be learned and applied to meeting and maintaining compliance. Unfortunately, many companies have only the equivalent of guard rails to let them know when they are off-side. They need to crash into a rail before they realize they have crossed the line and lost control. This is what happens to those who use only audits to manage compliance. Audits are necessary, but on their own they are ineffective at protecting our businesses and keeping everyone safe. Drivers who practise defensive driving plan and act so as to arrive at their destination both on time and safely; it is not a choice between one or the other. Companies must likewise meet multiple compliance goals, whether they concern safety, security, quality, environment, finance or otherwise. They do not need to sacrifice one for the other, and neither should they. This is what it means to take ownership of all your compliance obligations, which is necessary for a company to be ethical.

The cybernetic law of Inevitable Ethical Inadequacy (introduced in a previous blog post) states, "If you don't specify that you require a secure ethical system, what you get is an insecure unethical system." Without ethical goals included in your systems, they will regulate away from being ethical and towards other goals, predominantly financial and short term. We know that most companies want to be ethical, as stated in their mission and value statements, where words such as integrity, respect, safety, quality and social responsibility are often used. Unfortunately, many of these same companies use a reactive compliance model that was developed only to verify the integrity of financial statements and protect against fraud. The dynamics of the systems needed to achieve non-financial goals are different, and require proactive strategies that anticipate conditions in the same way that defensive driving anticipates dangerous situations.

Next to audits, training is the predominant method companies use to achieve compliance. This training tends to be technical in nature, similar to learning how to operate a car, and rarely includes defensive skills. There are areas, such as safety, where defensive skills are taught and reinforced. For the most part, however, compliance for many is about checking off boxes to meet prescriptive standards. Companies can improve their compliance by teaching their workers defensive skills rather than focusing only on compliance actions.

In addition to defensive skills, we can also consider greater degrees of automation and embedded compliance in our work processes. Current advancements in autonomous driving provide helpful insights into how automated compliance can work, with the understanding that we may never want full automation: compliance decisions are ethical in nature because they involve risk trade-offs, and that is something cybernetics does not address. Safety, for example, involves decisions that carry risk. Because of their inherent uncertainty, risk-based decisions fall into the category of ethical decisions that a company makes, and cannot easily (or at all) be reduced to a set of rules. If the risk can be completely eliminated by removing the hazard, then rule-based decisions (the kind computers can make) might be appropriate. But if the hazard remains and uncertainty persists, the decision to proceed becomes an ethical choice, which is something only humans can make.

In 2014, SAE International published its standard for driving automation (J3016), which defines six levels of driving automation, from Level 0 (no automation) through driver assistance, partial, conditional and high automation to Level 5 (full automation). These levels provide a means of comparison with similar automation in compliance systems and processes.

What we find is that many companies are operating only at Level 0: they provide little to no automation to assist workers in meeting compliance obligations. In fact, many do not even provide the equivalent of defensive skills training and only teach workers to follow prescribed steps. No wonder the effort applied to audits is so high and increasing.

At Levels 3 and above the human no longer monitors the environment, and at Levels 4 and 5 there is no human to fall back on should ethically weighty decisions need to be made. Therefore, these levels may not be suitable for compliance support, and are arguably not desirable for autonomous vehicles either. Nevertheless, partial automation and compliance-assist systems are helpful in giving workers greater visibility of their compliance obligations, both in terms of the objectives that need to be met and the limits that need to be observed.

Looking forward, companies that want to see more of their ethical values realized in their organizations will benefit from applying proactive strategies, such as defensive skills, to help workers better meet compliance obligations. In addition, increasing the level of automation while maintaining human accountability will provide greater and more immediate certainty of compliance and reduce the spiralling increase in, and dependence on, audits. It is better to know that you might cross a line, so that you have the opportunity to make course corrections. The alternative is hitting the guard rail and reading a police report that states the obvious. The first is proactive compliance; the latter is reactive compliance, and it is preventable.
- Risk-Based Process Safety During Disruptive Times
The Center for Chemical Process Safety (CCPS) recently published a monograph that provides insights for managing process safety during the COVID-19 pandemic and similar crises. It incorporates input from many CCPS member company representatives. It is organized by the RBPS (Risk Based Process Safety) elements, and the impact of human factors is addressed in multiple areas. The three elements of highest importance are Process Safety Culture, Asset Integrity and Reliability, and Management of Change. Occupational safety and health aspects are not the focus of this document. The monograph is available for download from CCPS. CCPS has also published a BowTie analysis for COVID-19. #managedsafety #covid
- Continuous Value requires Continuous Compliance
Increasingly, companies are adopting continuous improvement, driven by methodologies that include LEAN and Agile. The overarching driver, however, is the desire to achieve continuous delivery of value. These approaches fundamentally change how a business operates and affect all aspects of the value chain, including the processes that support it, such as productivity and compliance programs.

Production processes have moved towards continuous flow by applying LEAN principles. IT has done the same by combining development and operations (i.e. DevOps) to support continuous delivery. Compliance, however, has for the most part lagged behind and still runs on the old factory model: an audit-fix cycle that is too slow to keep up with continuous change.

A major reason companies have not taken a proactive approach to compliance is that they do not know exactly where they are going with it. The lack of clear and concise goals makes it difficult to select strategies and to measure effectiveness. In fact, most companies do not even measure the cost of compliance. And even knowing the cost, without goals you cannot know whether you are over- or under-investing.

To properly establish goals you need to first define your compliance obligations, and this means specifying:
- Outcomes: what you want to accomplish
- Objectives: how you intend to accomplish them
- Risks: the threats and opportunities to meeting objectives and achieving outcomes
- Critical to compliance: the evidence of compliance
- Measures of performance: the ability to achieve system objectives
- Measures of compliance: the key compliance results or indicators critical to compliance success
- Measures of effectiveness: progress towards program outcomes

Compliance obligations serve to properly align programs, systems and processes, and make it possible to apply proactive strategies to continuously meet them. Defining compliance obligations increases the certainty that compliance will be met and, just as importantly, that compliance outcomes are advanced on a continuous basis.

Continuous value requires continuous improvement, which requires continuous compliance. #ContinuousImprovement #continuouscompliance
- 4 R's of Continuous Performance
The purpose of a compliance management system is to maintain a state, which is achieved through consistency, reduction of variation, and the achievement of objectives. The purpose of a compliance management program, however, is to change the state or condition with respect to compliance outcomes. This is achieved by adjusting the underlying systems to improve performance and then maintaining the higher standard. Continually advancing performance is required to meet the "persistent achievement" obligations specified by performance- and outcome-based regulations and standards.

In order to continually advance quality, safety, environmental and regulatory outcomes, there are four changes you must continually make:
- Re-orient policies to support continual advancement of outcomes
- Re-calibrate values to match the outcomes that will be achieved
- Re-engineer systems to create the capabilities needed to reach new performance targets
- Re-align processes to achieve compliance objectives
#continuousimprovement
- Mismatched Systems
The administration problem is primarily that of reducing uncertainty within the organizational system (Miles and Snow, Organizational Strategy, Structure, and Process, 1978). Solving it involves more than rationalizing the systems and processes already developed (uncertainty reduction); it also involves formulating and implementing the processes that will enable the organization to continue advancing outcomes. This necessarily affects how risk and compliance systems are implemented.

For managed compliance programs (i.e. safety, quality, environmental, regulatory) to be effective, they must align with the specific goals, objectives and strategies of the organization. These will differ with the organizational type: Defender, Prospector, or Analyzer. Each type will also influence your approach to meeting obligations. Any mismatch in systems architecture will end up hindering the advancement of both business and compliance outcomes.

Which organizational type best matches your business posture? Does your approach to risk and compliance align with this posture? #effectivecompliance #grc #managedrisk #managedsafety