SEARCH

Focusing on non-conformance is the first level of compliance. This involves meeting the prescriptive part of a regulation or industry standard. However, standards and regulations have changed and are now more performance-based focused on continuous improvement and risk. Instead of asking the question, "did we follow the procedure?" Compliance has evolved to answering a different question which is, "how well are we at achieving outcomes such as: zero injuries, zero defects, zero violations, zero environmental impacts, zero ethical misconducts?" The former is reactive, looking at the past. The latter is proactive, anticipating the future.

Turtle diagrams are often used to document processes in support of ISO standards and guidelines. However, they tend not to include compliance and risk as part of process definitions. That's why we created the Compliance Beetle so you can document compliance and risk considerations directly within each process. Download your template here . #RiskAssessment #ComplianceInsights #Complianceimprovement #RiskbasedThinking

The purpose given for companies is often stated as making profit. However, companies can exist for a greater purpose. They can exist to create opportunities for people to work so that their potential can be realized to some degree. The greater the degree, the more humanized the workplace becomes. However, when workers are used like “machinery” the work becomes dehumanizing. There is always a tendency (for the sake of efficiency) to separate humanity from the mechanics of business. Perhaps, when businesses are completely robotic (if that is even desirable) we can achieve total separation and no one needs to worry about values and ethics in the workplace anymore. In fact, we would not have workplace and I wonder if we could still call these businesses either. In a similar way, we can think of compliance in a dehumanizing fashion. Compliance for many companies is seen as a tax on productivity and something that should be reduced. This may lead to viewing compliance roles as something that we want to reduce and replace with technology. However, when taking a closer look we notice that compliance has more to do with managing risks than it does conformance to standards and following rules. Managing risk is a human-centric process that requires people to anticipate, plan and act to prevent or mitigate a threat or enable and exploit an opportunity. In fact, not only is risk management human-centric it is very much an ethical process. For example, safety involves making decisions that involve risk. Risk-based decisions due to their inherent uncertainty are in the category of ethical decisions that a company makes and cannot easily (or at all) be reduced to a set of rules or to a machine. If the risk can be completely eliminated by removing the hazard then rule-based decisions (the kinds that computers can do) might be appropriate. However, should the hazard remain and uncertainty persist then the decision to proceed becomes an ethical choice which is only something humans can do. #Ethicalcompliance #complianceandvalues

For compliance to be effective you need the ability to: (1) demonstrate that you have met your obligations in the past, (2) meet your obligations today, and (3) meet your obligations tomorrow (and every day thereafter). This requires an architecture that is both resilient and adaptive to change over time. Current cloud based architectures are in many cases evolutionary. While this makes change easier, they also suffer in the same way as evolution does in nature (i.e. it is always changing). Each day we read about new platforms that in some cases replace, but in many cases discard what was already there. You might call this survival of the fittest. Companies looking to put their compliance data and processes into the cloud need something more enduring. This is what good architecture provides and something that has been lacking as technology marches on towards something new and shiny. Before you decide to lift and shift your compliance to the cloud, you may want to consider the following: Does the technology platform meet all your compliance standards? Does the platform allow you to tailor processes to meet your higher standards? Do you maintain ownership of your compliance data or is it being monetized by the provider? Is your compliance data adequately protected and secure? What are the risks to you and your stakeholders should your compliance data be breached? Can you transfer your data to another platform and resume operations without loss of compliance? #ComplianceTips

A critical process used in safety, quality, environment, and regulatory programs is the process that manages change. The reason for this is that change creates the opportunity for new risk to be introduced, existing risk to be modified, or latent risks throughout the organization to be exposed. The impacts of change can result in: Mission and Strategic Risk - uncertainty in your ability to achieve short and long-term mission success Performance Risk - uncertainty in your ability ability to achieve performance objectives Value chain Risk - uncertainty in your ability to create existing value Compliance Risk - uncertainty in your ability to achieve quality, safety, environmental, and regulatory outcomes Productivity Risk - uncertainty in your ability to drive down cost and improve efficiencies Systemic Risk - uncertainty in your ability to isolate risk and avoid risk propagation Organizational and Structural Risk - uncertainty in your ability to maintain appropriate resources and systems needed for mission success Reputation and Social Responsibility Risk - uncertainty in your stakeholder's ability to trust you Innovation Risk - uncertainty in your ability to create new value streams Transformation Risk - uncertainty in your ability to transfer new value streams to the performance zone Audit and Certification Risk - uncertainty in your ability to pass an audit or achieve certification That is why highly-regulated companies in high-risk sectors invest in advanced Management of Change (MOC) systems to effectively manage risk. These systems provide companies with the ability to: quickly identify high impact changes, develop and execute change plans tailored to the level the risk, and monitor risk during and after the change is made. The best companies also consider how overlapping and cumulative changes impact mission success. As is often said (but not so often heeded), it is usually not a single change but rather a series of small changes made over time that leads to a serious incident. Make certain this doesn't happen to you. If you have a basic MOC procedure you may want to consider the benefits of an advanced process to make certain risk is properly managed.

The role of compliance should be to help organizations ensure that outcomes are achieved through proper governance and the management of uncertainty. It should operate more like a Project Management Office (PMO) does in helping projects succeed instead of as a traffic cop waiting to pull you over at the next audit. It's time to put compliance at the front of the line where it can show everyone how to ethically contend with regulations. It's time for compliance to say YES we can and here's how rather than no you can't. #LeanCompliance #Compliance

This post is written by our guest blogger Barbara Kephart. Textiles from the Jacquard Loom Museum of Modern Art, New York City Photo by Barbara Kephart I adore all types of technology. My favourite is the selfie toaster that imprints your photo directly onto your morning toast. In my opinion this toaster is a must for every modern kitchen. It is these types of creative automated inventions that make me wonder why was it created, and what problem was it trying to solve? So when I was visiting the Museum of Modern Art in New York City a few months ago I was overjoyed to discover an exhibition called Thinking Machines: Art and Design in the Computer Age, 1959–1989. This exhibit combined art and design to trace back how computers transformed and reshaped our lives. The questions that came to my mind when touring the Thinking Machines exhibit was: what causes ineffectiveness in our processes, and does technology help or make it worse? In the year 1804, a man named Joseph Marie Jacquard asked this same question. Jacquard was born to a family of weavers and strived to improve the textile loom used to create fabrics. The loom at that time was based on earlier inventions by other inventors. Jacquard wanted to improve the manual and labour intensive process to weave existing designs. He created a head that controlled a chain of punch cards laced together in a sequence, and each row of punched holes matched one row of thread in the design. With the Jacquard head attached to existing looms, the time to create a textile was considerably shortened and the loom could be operated by one person instead of multiple people. The Jacquard Loom in operation A Jacquard Loom Weaver Photo: Horace Bristol/Three Lions/Getty Images Jacquard recognized the nature of weaving was repetitive, and his invention changed the way patterns were created. According to The Institute, the Jacquard loom quickly became the standard during the industrial revolution for weaving luxury fabrics. The first punch card computer invented in the early 1880’s by Herman Hollerith was said to be inspired by the Jacquard loom. Hollerith’s new company called the Tabulating Machine Company eventually became IBM. And Charles Babbage, known as the “father of the computer”, was also influenced by Jacquard’s work. Some historians believe the Jacquard loom was the earliest computer as it produced an output (the woven fabric) in response to the input (the string of punch card designs). Many process experts also believe it was the earliest known form of LEAN techniques in the workplace, since this invention and the later power driven loom set in motion a stream of continuous improvements over time. I find it fascinating how Jacquard’s work influenced modern computing and process improvement techniques. However automation of textiles led to mass production of clothing and left many workers unemployed during the industrial revolution. When we fast forward to present day there is an overabundance of clothing choices; I can buy six inexpensive shirts that may never get worn. When I donate these shirts to a charitable organization, they are offered to individuals in a developing nation who find the shirts culturally inappropriate and all six shirts land in that country’s landfill. This is an unintended consequence of automation. A LEAN process is supposed to eliminate waste, but in the case of textile automation we may be creating more waste over time. When considering whether or not to automate, we should be asking the most important question of all: what is the real problem we are trying to solve and will automation always be the answer? No, I do not own a selfie toaster. But to those of you that do, as you gaze at your toast each morning you could ask - has this really solved my problem? #Automation #LeanImprovement #Lean

There is never enough time, knowledge, or resources to contend with all the risks that a company faces. Therefore, they must choose which risks to address. This is not easy and cannot always be determined by ranking based on risk scores. To know which risks are important you first need to have clearly defined outcomes and objectives. This is because the risks that matter are connected to them. Unless you know what outcomes/objectives you are targeting, you cannot improve, you cannot know what changes will hinder or advance yours goals, and you cannot know which risks really matter. #RiskbasedThinking #Compliance #ComplianceExcellence

Every business operates in the presence of uncertainty. This uncertainty creates the opportunity for risk. Compliance programs buy down risk to ensure outcomes are achieved. That is why we have quality, safety, security, environmental and regulatory compliance programs and why they need to move beyond adherence to prescriptive requirements and focus on achievement of outcomes. #ComplianceInsights #RiskbasedThinking

Almost all compliance initiatives depend on management systems to ensure obligations are met. This applies to safety, quality, environmental and regulatory objectives. When it comes to improving the effectiveness of these systems you need to start at the program level. This is where outcomes are evaluated that in turn drives changes at the system level. #ComplianceInsights #ComplianceImprovement #ComplianceEffectiveness

Meeting compliance is critical to those that work in highly regulated industries and specifically to those that are responsible for safety. Today, compliance demands come from many sources and include both mandatory along with voluntary commitments to industry standards, guidelines, and stakeholders. The intention of all compliance programs is to implement how these commitments will be met so that the desired outcomes are achieved. This requires that outcomes are documented, measured and periodically evaluated. Unfortunately, for many companies, their compliance systems are not able to carry the weight of their current obligations, let alone handle increased demand. Here are five reasons why compliance is falling behind. 1. Unsustainable Programs Management programs often do not have clear charters that document compliance commitments, outcomes and the level of obligation.They often are still based on paper paradigms and do not exploit best practices or current technologies. It is common to find that compliance programs do not include adequate support for: Change management Risk management Continuous improvement Compliance assurance Process support Without these capabilities it is not possible to sustain compliance let alone improve. 2. Reduced Workforce The workforce is getting smaller, younger and has less experience knowing how to meet compliance and therefore rely on programs, systems and processes to fill in the gaps. Given the state of compliance programs, workers will often lean on their own ideas of what should be done. This leaves companies vulnerable to unnecessary compliance risk. 3. Increasing Compliance Demand The face of compliance is changing. Regulators are moving away from prescription to performance based specifications. In addition, compliance often now requires additional capabilities to support: risk based methods, evidence based processes, along with advancing program maturity through a model of continuous improvement. These changes affect how a company approaches compliance. At a minimum, this moves the focus from complying to regulatory elements to achieve compliance outcomes driven by risk based commitments. Some standards organizations are softening the impact by publishing umbrella guidelines or making compliance voluntary. However, there should be no mistake, there is a sea change and compliance is changing and for many it already has. 4. Poor Processes Current processes that deliver program objectives tend to be based on activity and not on outcomes. As a result, associated procedures can become overly prescriptive and simplistic in their approach in an attempt to keep things simple. This is a false economy that leads to a one size fits all approach resulting in too much effort for some cases and not enough for others. Processes based on this approach will contain excessive waste as people spend time: entering data that is not needed, waiting for unnecessary work to be done, creating reports that no one reads, and not having the information that is needed to achieve compliance outcomes. 5. Sporadic Improvement Compliance programs do not change very often and only do so when there are findings arising from audits that are conducted yearly or less often than that. In addition, there is often no process in place to improve compliance capabilities in between audit cycles. The pace by which programs improve is far too slow to keep up to current obligations let alone adopt new ones. One year is far too long to wait to find out you are out of of compliance and for improvements to occur. #ComplianceTheats #ManagementProcesses #Risk #OperationalExcellence

In a previous blog, I outlined 5 threats to compliance. In this blog, I will look at how to address them. At first glance, it may seem appropriate to conduct more audits to identify compliance gaps and then make the necessary changes. This is in fact the most common approach across many industries. While the audit-fix cycle can achieve results, it is a brute force approach to improvement. The output from audits tend to create action items and sometimes quite a few. Death by a thousand action items is how many managers feel about this approach. This problem is similar to what happens when instead of fixing potholes the road should be expanded to handle more traffic. In the current business climate of "doing more with less" not only is no one looking for this, the prospects of doing anything other than fixing potholes seems remote. So many go back to fixing potholes only to repeat the process after the next audit. However, this audit-fix cycle while insufficient to address compliance gaps, also leaves companies vulnerable and not able to make required transformations from prescriptive-based compliance evidenced by audits to performance-based compliance evidenced by achieving outcomes. The latter is required more and more from standards and regulatory bodies. 5 Compliance Multipliers To achieve this transformation it is necessary to take existing effort and do more with it. This means that you need some sort of force multiplier to provide, instead of a mechanical advantage, a compliance advantage. The following approach anticipates the impacts arising from the sea-change in compliance along with consideration of the current business climate specifically: the reduction in workforce, loss of compliance knowledge, and years focused on prescriptive compliance. Each multipler takes compliance effort and increases its affect similar to what a lever does when creating a mechanical advantage: 1. Managed Obligations Identify and clarify compliance obligations Identify what is Critical to Compliance (CTC) Identify how progress will be measured Align with strategy, mission, and goals 2. Increased Capabilities Make room for compliance improvement to occur Eliminate Non-Value Added (NVA) activities Free up resources to work on improvements Exploit existing technologies 3. Embedded Compliance Embed Critical to Compliance (CTC) Actions Embed evidentiary actions and documentation Introduce normative standards and best practices 4. Leveraged Rules Break old rules and eliminate work-arounds based on old habits Leverage new rules to maximize compliance outcomes 5. Continuous Improvement Monitor measures of compliance, performance, and effectiveness Establish incremental and continuous improvement process Companies will benefit from using these compliance multipliers to amplify their existing effort so that they can better meet and sustain compliance. #ComplianceImprovementSteps #ComplianceMultipliers #Proactivecompliance