
  • Does Your AI Strategy Pass the Ketchup Test?

    A simple test to bust through the hype

    These days, AI providers, leaders, and evangelists claim that AI technology will transform any organization's operations. Just add AI to what you're doing, and everything gets better – like adding ketchup to your food. But here's what I discovered after reviewing AI implementation plans: most aren't actually about AI at all. They're generic digital transformation playbooks with "AI" replacing whatever technology was trendy last year.

    ⚡ The Ketchup Test

    I recently reviewed an AI plan from a major organization. It looked comprehensive at first – clear values, comprehensive strategies, concrete actions. Then I tried an experiment: I replaced every occurrence of "AI" with "KETCHUP."

    Original:
      • Accelerate the integration and utilization of AI at scale
      • Empower staff with knowledge, skills, and tools to rapidly deploy AI
      • Grow an AI-first workforce to oversee and integrate AI throughout the enterprise

    After the Ketchup Test:
      • Accelerate the integration and utilization of KETCHUP at scale
      • Empower staff with knowledge, skills, and tools to rapidly deploy KETCHUP
      • Grow a KETCHUP-first workforce to oversee and integrate KETCHUP throughout the enterprise

    Both versions read like legitimate strategic initiatives. That's the problem.

    ⚡ Why This Matters

    Real AI strategy requires addressing AI-specific challenges that don't apply to other technologies:
      • How will you handle AI hallucinations in critical decisions?
      • What's your approach to algorithmic bias detection?
      • How will you maintain explainability for regulators?
      • What happens when your models degrade over time?

    If your strategy doesn't address questions like these, you're not planning for AI – you're planning for generic technology that happens to be called AI.

    ⚡ AI Isn't Ketchup

    Too many organizations treat AI like a condiment – something you add to existing processes to make them "better." But AI isn't ketchup. It fundamentally changes how decisions are made and how humans interact with systems. It requires new governance, different risk management, and entirely new expertise. Adding AI to a poorly designed process doesn't improve it – it amplifies existing problems at machine speed. Ketchup won't turn a badly cooked steak into a good one. It just makes it worse, faster.

    ⚡ The Challenge

    Try the Ketchup Test on your AI strategy today. Replace "AI" with "KETCHUP" and read it again. If it still makes sense, you have boilerplate, not an AI plan, and you have work to do. What you need is deep understanding of what AI actually is, how it works, its limitations, and its genuine benefits. Not everything is better with ketchup – and not everything needs AI. The organizations that succeed with AI won't be the ones with comprehensive plans taken from last year's playbook. They'll be the ones that understand the technology well enough to know when and how to use it appropriately.

  • ERP vs GRC: Feed-Forward vs Feed-Back Systems

    The distinction between Enterprise Resource Planning (ERP) and Governance, Risk, and Compliance (GRC) platforms reveals a fundamental difference in operational philosophy that has significant implications for organizational effectiveness. While both systems aim to ensure organizational obligations are met, they approach this goal from opposite directions.

    Proactive versus Reactive Compliance

    ERP: The Feed-Forward Compliance System

    ERP systems exemplify feed-forward compliance architecture. They are operational systems designed around planning, forecasting, and ensuring product delivery by orchestrating all necessary resources at the right time, with the right specifications, and through the right processes. This forward-looking approach means ERP systems actively prevent problems before they occur.

    The feed-forward nature of ERP manifests in several ways. Production planning modules ensure materials are ordered and available before manufacturing begins. Financial planning components forecast cash flow needs and trigger procurement decisions. Human resource modules anticipate staffing requirements and initiate hiring processes. Each function is designed to identify requirements and deploy resources proactively, creating a continuous cycle of planning, execution, and adjustment that keeps operations flowing smoothly.

    GRC: The Feed-Back Compliance System

    In contrast, most GRC platforms operate as feed-back systems, focusing primarily on reporting and monitoring what has already occurred. These systems are fundamentally reactive rather than proactive, concentrating on audits, compliance reporting, and risk assessment after events have transpired. While this backward-looking approach provides valuable insights for accountability and learning, it often fails to prevent compliance failures or operational disruptions.

    The feed-back nature of traditional GRC systems creates inherent limitations. By the time a compliance violation is detected and reported, the damage may already be done. Risk assessments become exercises in documenting past failures rather than preventing future ones. Governance frameworks become bureaucratic reporting mechanisms rather than operational guidance systems that actively steer organizational behavior.

    The Operational Gap

    What becomes apparent when examining many GRC implementations is that they are not operational in the systems sense of the word. They lack the forward-looking, resource-orchestrating capabilities that make ERP systems effective operational tools. Instead of ensuring continuous meeting of obligations through proactive planning and resource allocation, GRC platforms often become elaborate documentation and reporting systems that react to problems after they manifest.

    This reactive posture explains why many organizations struggle with GRC effectiveness. When compliance and risk management are treated as reporting functions rather than operational imperatives, they become disconnected from the daily flow of business activities. The result is often a compliance program that exists parallel to, rather than integrated with, actual business operations.

    A Path Forward: Operational Compliance

    GRC would benefit significantly from adopting more ERP-like characteristics. An Operational Compliance system would function as a feed-forward compliance engine, using planning and forecasting to ensure all obligation requirements and commitments are met, risks are mitigated before they materialize, and governance objectives are achieved through proactive resource allocation and process design.

    Such a system would anticipate compliance deadlines and automatically trigger necessary actions, allocate resources for risk mitigation activities before threats become critical, and integrate governance requirements directly into operational workflows. Instead of asking "Are we in compliance?" an Operational Compliance system would continuously ask "How do we meet all our obligations in the presence of uncertainty?"

    What's Next?

    The fundamental difference between feed-forward ERP systems and feed-back GRC platforms reflects deeper philosophical approaches to organizational management. While ERP systems actively shape future outcomes through proactive planning and resource orchestration, traditional GRC platforms remain trapped in reactive reporting cycles. Organizations seeking more effective governance, risk management, and compliance outcomes should consider how to make their GRC capabilities more operational and forward-looking, drawing inspiration from the proven effectiveness of ERP system design principles. The most successful organizations will be those that transform GRC from a backward-looking reporting function into a forward-looking operational capability that actively ensures continuous compliance and proactive risk management.

  • Minimal Viable Performance (MVP)

    Minimal Viable Compliance / Performance

    Outcomes are the effects of capabilities, which means that if you want to advance your outcomes you need to advance your capabilities. The purpose of a management program is to adjust system set-points to the values needed (i.e. Minimal Viable Performance - MVP) to achieve the desired outcomes.

    This works the same way that a thermostat works in your home. If you want to feel warmer you need to increase the thermostat to a higher value. It is then the responsibility of the heating system to first achieve and then maintain that value. This is called a persistent achievement obligation.

    You may find your compliance systems do not have the capabilities you need to achieve and then to maintain your higher standards. There are three categories of measures to help you know if your systems are operating at levels to meet persistent achievement obligations. These are:
      • Measures of conformance - evidentiary artifacts that demonstrate conformance to requirements
      • Measures of performance - abilities to meet compliance objectives
      • Measures of effectiveness - progress against compliance outcomes towards zero: non-conformance, injuries, violations, emissions, etc.

    Internal and external audits mostly focus on verifying conformance. However, the purpose of the compliance function goes further to ensure that safety, quality, environmental, and regulatory systems are operating at the levels needed to achieve targeted outcomes. This requires an integrated approach focused not only on conformance to each element but also on how each element performs in the context of the entire system.

  • Bounded-set Versus Centred-set Compliance

    Understanding compliance mindsets using set theory

    TLDR

    Those involved with compliance will eventually observe two different mindsets at work. Each one is concerned about compliance, yet they differ in their focus, goals, objectives and almost everything else. Both of these groups have something to offer, but when not understood they can create confusion and misalignment with respect to compliance.

    The first one is concerned with protecting the organization by staying between the lines. This one follows Compliance 1 practices as discussed in our recent post. The other wants to change the lines to achieve higher standards and better outcomes for all stakeholders. This one follows Compliance 2 practices. The first is all about following the rules and keeping things the same; the second one invites change to make progress. This has all the makings of conflict unless a way can be found for each to work together.

    Organizations that desire to meet all their stakeholder obligations will need to effectively contend with each compliance group. An integrative approach offers a path forward that recognizes that the benefits of both, when combined, may increase the probability of an organization keeping all its promises. In this article, we will use the concept of social sets to better understand these two groups and to see how they might work as one for the benefit of the organization as a whole.

    Social Sets

    The concept of sets and set theory is well established and used to describe collections of objects from which much of our mathematics is derived. Set theory is also used to better understand social groups and communities, specifically using the concepts of bounded and centred sets. Roughly speaking, bounded-sets are defined by boundaries and our relation to them (in or out), whereas centred-sets are defined by a centre (e.g. values) and our direction of movement relative to it (advancing towards or retreating away).

    For the purpose of discussion, bounded and centred sets can be mapped to Compliance 1 and Compliance 2 practices as shown in the next figure:

    Figure: Bounded-Set Compliance versus Centred-Set Compliance

    We will explore each one in turn except the Fuzzy-set (C0), which describes a group not concerned about compliance.

    Bounded-set Compliance (C1)

    A bounded-set can be defined by these characteristics:
      • A focus on boundaries - are we in or out?
      • Static - evaluated at a fixed point in time
      • Homogeneous practices, variety of values
      • "Adherence" mindset

    Some say we tend to think mostly in terms of bounded-set categories. We think of characteristics that define one group compared with another. This seems to be the case for Compliance 1, which thinks of compliance in terms of passing a boundary (e.g. an audit) that defines whether we are in compliance or out.

    Boundaries in compliance consist of such things as: inspections, controls, management reviews, governance, obligations & risk registers, and so on. Evaluation is done at a point in time by identifying minimum thresholds and standards with respect to these characteristics.

    The bounded-set is hard at the edges and soft in the middle. It requires substantial training and discussion to create consistent behaviours conforming to desired standards. It also requires an "adherence" mindset. Community is created by adhering to common practices.

    Improvement is hard to define in the bounded-set. There is no change to see. Once you are "in compliance" what else is there to improve? Transformation, if it exists at all, is more about repairing the fences than moving the boundaries towards a higher standard or ideal. All this makes getting "in compliance" a barrier that is difficult for many to obtain. However, once it is achieved many consider the hard part to be done and what is left to do is only maintenance. Monitoring the boundaries and making repairs (i.e. closing gaps) are key activities for bounded-set compliance groups that are in the "in" group.

    Centred-set Compliance (C2)

    A centred-set can be defined by these characteristics:
      • A focus on a centre (values, an ideal, etc.) - are we heading towards or away?
      • Dynamic - evaluated using multiple points over time
      • Homogeneous values, variety of practices
      • "Progress" mindset

    Centred-set compliance is concerned with the direction you are heading: towards or away from the centre or ideal. For compliance, the direction either advances or hinders the creation of compliance outcomes identified by goals, targets, and objectives to create what we don't already have. Evaluation is based on measuring progress towards an ideal over a period of time. This requires multiple data points to confirm direction and progress.

    The centred-set is soft at the edges and hard at the middle (the ideal). Community is created by bringing people together based on commonly-shared interests and values. You might call this a "missional" mindset. Centred-set compliance requires educating stakeholders who are assumed to have a "bounded-set" mindset, which creates additional challenges.

    Centred-set compliance is all about change, which is necessary to make progress. However, transformation is less about improving what is and more about creating what isn't, which is a riskier endeavour.

    Centred-set compliance has lower barriers to get started. All you need is a group of people who are passionate about creating stakeholder value. However, that is harder than it might seem. Passion alone is seldom enough. Trying to achieve ambitious (perhaps, even necessary) goals without a critical mass of support will often lead to failed initiatives. In addition, without structure and discipline these initiatives are often poorly managed, which also contributes to failure.

    Is it one or the other or both or something else?

    When organizations begin to take ownership of their obligations they usually start their compliance journey with bounded-set compliance. The belief is that organizations benefit from structure and discipline to change values and behaviours. By repeating common practices a compliance culture and community is created. As organizations mature in their compliance they may find that they don't need the structures as much to be their tutor. Organizational and personal conscience informed by previous habits and practices may replace adherence to prescriptive rules. Organizations may also now benefit from having a community to help keep them in line.

    However, a key problem is that values, beliefs, and community have all been shaped by practices around the boundaries. Organizations in the bounded-set face the wrong direction for advancing compliance outcomes. They are looking for holes in the wall and are not facing the direction they should be heading to meet all their obligations. No wonder this can be a source of conflict with centred-set compliance groups. Bounded-set compliance groups often do not realize that passing and maintaining the boundary was never the end but rather the beginning. There is a higher standard to obtain. Unfortunately, those in the bounded-set are often so overwhelmed and preoccupied with maintaining the boundaries (the walls) that they don't have the resources to make any progress towards a "centre", no matter how important that may be.

    Conversely, organizations that start with a centred-set approach have their own advantages and disadvantages. One key advantage is that it attracts those who are passionate about the end goals, although perhaps not so much about how to get there. Nevertheless, centred-set compliance groups can bring needed energy and enthusiasm to drive compliance to higher levels and achieve more.

    Centred-set compliance's largest challenge is contending with bounded-set compliance groups. Centred-set compliance groups are often asked to metaphorically fit a square peg in a round hole, with the hole being in the boundary and nowhere near the centre that they want to move towards. You may as well be speaking a different language. Transforming one group to the other appears to have many challenges, many of which are similar to the challenges associated with combining two cultures. Left to themselves they will operate as independent silos and not benefit from the other. The solution for compliance may not be to add one to the other but to have something else altogether.

    Integrative-set Compliance (C3)

    Clearly, compliance needs to stay between the lines AND change the lines simultaneously if it wants to meet all of its stakeholder obligations: mandatory and voluntary. What is needed is another set that is integrative in nature, focused on the whole. Integrative means combining two or more things to form an effective unit or system – precisely what compliance needs. We can define this set by:
      • A focus on the connections - are we working as a whole?
      • Continuous assessment
      • Integrative values and behaviours
      • "Holistic" mindset

    It is by managing connections that organizations can harness the power of both bounded-set and centred-set compliance. This is not about achieving balance or adding one to the other. Instead, it is about establishing essential capabilities that work together to reinforce each other to achieve the objectives of both. Not simple, but not impossible either.

    Organizations that desire to meet all their stakeholder obligations will need to effectively contend with bounded-set and centred-set compliance groups. An integrative approach offers a path forward that recognizes that the benefits of both, when combined, may increase the probability of an organization keeping all its promises.

  • Engineered Compliance: Mapping Obligations to Outcomes in Regulated Industries

    By Raimund Laqua, PMP, P.Eng., Founder and Chief Compliance Engineer at Lean Compliance I've spent 30 years in the trenches of compliance, and one question keeps coming up: "Are all compliance obligations implemented as controls?" This isn't just a theoretical question. It has real consequences for safety, operations, and organizational success. I've walked through facilities where managers proudly showed me comprehensive compliance documentation, yet their controls weren't effectively addressing the risks they were designed to manage. Many organizations treat compliance as a simple equation: identify requirements → implement controls → document everything → pass audits. But when I look at what actually happens in practice, I see something different. Organizations can check all the right boxes and still fail to achieve what matters most: the outcomes that regulations were intended to achieve. In this article, I'm sharing what I've learned from three decades helping companies move beyond procedural to operational compliance. This shift isn't just about better compliance—it's about safer operations, improved efficiency, and sustainable success in regulated industries. The Problem with Controls Early in my career, I worked with a pipeline company that was dealing with issues across several areas: their management systems had gaps, they were experiencing worker safety incidents, pipe handling problems were occurring, and there were environmental protection concerns. They had implemented control systems with procedures covering these areas, but the controls weren't effectively preventing these issues from recurring. This illustrated a pattern I would see repeatedly—having controls in place doesn't automatically translate to the protection those controls were intended to provide. This is a pattern I've seen repeatedly across industries—oil & gas, healthcare, manufacturing, you name it. 
Companies invest in comprehensive control systems, create detailed procedures, and maintain voluminous records. Then they're shocked when incidents occur or when regulators issue findings. The reality is that traditional control-based approaches often emphasize implementation over effectiveness. They're built around passing audits rather than achieving outcomes. And they typically react to problems rather than preventing them. I've seen this reactive cycle play out hundreds of times: A finding or incident occurs The organization implements more controls and documentation Things look better on paper Another issue occurs in a different area Rinse and repeat This approach isn't just ineffective—it's exhausting. It burns out compliance professionals across all domains, frustrates operations teams, and wastes resources. Worst of all, it doesn't adequately protect what matters – it doesn't actually work. Companies that break this cycle take a fundamentally different approach. They focus on what actually works in the field, not just what controls are documented in the office. They build systems that detect problems before they manifest. Most importantly, they design their programs around the outcomes they need to achieve, not just the controls they need to implement. When companies make this shift, something remarkable happens. They create an upward momentum where better outcomes lead to increased stakeholder trust, which supports more effective compliance, which delivers even better outcomes—a virtuous cycle that creates real value. What Regulators Actually Want Working alongside regulatory professionals for decades has given me an interesting perspective. While many people have a narrow view of regulators, the reality is much more nuanced. 
Modern regulatory frameworks contain four distinct types of obligations which are often overlooked: Rules-based requirements  tell you exactly what to do When a regulation states "pressure vessels must be inspected every 36 months," there's no ambiguity. You either did the inspection on schedule or you didn't. Practice standards  define approaches you need to follow Requirements to "implement management of change procedures" don't prescribe exact steps, but they do require specific processes to be in place and functioning. Performance-based requirements  specify what you need to achieve When regulations require "99.95% availability of safety systems," they don't specify how you achieve it—what is important is that you do. Outcome-based obligations  focus on the protection you need to provide. Requirements to "prevent releases" or "ensure process safety" focus on the ultimate goal without specifying methods or performance standards. I've watched this evolution unfold over my career. Twenty years ago, most regulations were prescriptive rules. Today, regulators increasingly focus on performance and outcomes, giving organizations flexibility in how they achieve compliance while holding them accountable for results. Here's the thing: the approach that works for rules-based requirements fails miserably for outcome-based ones. This disconnect explains something I've observed repeatedly: organizations can be simultaneously "in compliance" according to their documentation but failing to deliver the outcomes regulations were intended to ensure. Matching Your Approach to Your Obligations Over time, I've developed a practical framework for matching compliance approaches to the primary types of obligations: For rules-based requirements : Traditional controls with verification work fine When regulations specify exact inspection frequencies or precise parameter settings, implementing those specific controls and verifying they happened is appropriate. 
I worked with a medical device manufacturer who needed to document specific quality checks. For these clear requirements, we implemented straightforward controls and verification processes. This worked perfectly for these types of obligations. For practice standards : You need functioning processes, not just documented ones For requirements specifying management systems or processes, having documentation isn't enough—those processes must function effectively in practice. At an energy company, we moved beyond just documenting their management of change process to ensuring it actually managed the risks resulting from planned changes. This shift from "having a process" to "having a process that works" made all the difference. For performance-based requirements : You need monitoring and adaptive approaches When regulations specify performance targets, you need systems that continuously monitor performance and adapt when targets aren't being met. A refinery implemented real-time monitoring of their safety-critical systems rather than just periodic checks. This allowed them to address potential issues before they affected system reliability, consistently meeting their 99.9% availability requirements for emergency shutdown systems. For outcome-based obligations : You need integrated programs that address all factors For requirements focused on outcomes like safety or environmental protection, you need comprehensive programs that address technical, human, and organizational factors. With a pipeline operator, we helped develop a holistic approach to process safety management that went beyond inspections to address all factors affecting pipeline safety. This program-based approach delivered much better protection than their previous control-centric system. This framework isn't just another approach to compliance—it's what's needed to meet all your obligations not just the ones you are most familiar with. 
In addition, the further you move from rules toward outcomes, the more you need to shift from documentation to operational effectiveness. Four Practical Steps to Transform Your Approach Based on my experience helping organizations make this transition, I've developed a four-step process at Lean Compliance called The Proactive Certainty Program™ . It's designed to help companies move from procedural to operational compliance: 1. ORIENT Start by understanding which direction you are heading: This begins with a comprehensive scorecard assessment that evaluates 10 essential aspects of operational compliance. This reveals gaps in your compliance approach and readiness for transformation that typical reviews often miss. During this activity: Identify your highest-risk areas and greatest improvement opportunities Evaluate your operational compliance across the 10 essential aspects Determine what's preventing you from being more proactive Assess your readiness for transforming your approach This step is about honest assessment. Many organizations believe their compliance programs are more effective than they actually are. The orientation phase provides clarity on the true starting point. 2. MAP With a clear understanding of the current situation, develop a practical roadmap: This 13-week process includes structured learning objectives that teach you what you need to know about operational compliance, combined with hands-on work to create a viable pathway from the current state to where you need to be. During this phase: Learn essential concepts and principles that drive effective operational compliance Current approaches are evaluated against what actually works in similar organizations A roadmap is designed toward what's called "Minimal Viable Compliance" A clear pathway is created from the current state to operational compliance This mapping creates the blueprint for transformation. 
It's not about theory—it's about establishing a practical path forward based on specific situations and resources while building the knowledge foundation needed for success. 3. OPERATIONALIZE Implementation is where many transformations fail. The focus must be on building what's essential: This phase is about establishing practices that keep organizations between the lines and ahead of risk in their operations rather than creating more documentation. During this step: Establish the essential practices required for operational compliance Implement the minimum necessary foundation rather than trying to boil the ocean Create operational mechanisms that make compliance part of regular work Develop monitoring systems that provide early warning of potential issues This activity ensures building a foundation that delivers real protection before expanding to address less critical areas. It's about focusing resources where they matter most to stay between the lines and ahead of risk. 4. ELEVATE With the essentials in place, performance can be elevated and outcomes advanced: This phase involves implementing continuous improvement cycles that steadily advance capabilities beyond minimum requirements. During this activity Systematically raise standards beyond minimal compliance Advance capabilities to achieve better outcomes with less effort Implement improvement cycles based on lean principles Realize the full benefits of proactive compliance This elevation phase transforms compliance from a cost center into a value creator. Organizations that reach this level consistently outperform their peers in both compliance and operational metrics. These four steps—ORIENT, MAP, OPERATIONALIZE, ELEVATE—aren't academic. They've guided dozens of organizations from reactive, procedural-focused compliance to proactive, operational-oriented programs. The transformation doesn't happen overnight, but each step delivers tangible benefits that make the journey worthwhile. 
The Path Forward So, let's return to our original question: Are all compliance obligations implemented as controls? After 30 years in the field, my answer is clear: While controls are essential for rules-based requirements, they're insufficient for performance and outcome-based obligations. Those require operational approaches focused on what actually happens in the field, not just what's documented in the office. I've seen organizations waste millions on compliance efforts that look good on paper but fail to deliver real value. I've also seen organizations transform their approach and achieve better outcomes with fewer resources. The difference comes down to recognizing that compliance isn't primarily a procedural challenge—it's an operational one. It's about ensuring that what happens in the field consistently delivers the outcomes regulations were intended to protect. The organizations that thrive in today's complex regulatory environment are those that: Take ownership of their obligations rather than just reacting to audits Establish real-time monitoring systems rather than waiting for periodic checks Continuously improve their approach based on operational feedback This transformation isn't just about better compliance—it's about safer operations, improved efficiency, and sustained organizational success. It's about protecting what matters while eliminating activities that don't add value. In my experience, this isn't a journey you can skip or shortcut. There's no magical tool that will transform your compliance program overnight. But by following a structured approach and focusing on what actually works, you can steadily move from where you are to where you need to be. The companies I've seen make this journey successfully share one characteristic: they're committed to doing the right thing, not just checking the right boxes. They see compliance not as a burden to be minimized but as a capability to be developed. 
If that describes your organization, you're already on the right path. And if you're struggling with compliance that feels heavy on procedures but light on effectiveness, there's a better way forward. I've seen it work repeatedly across industries, and I'm confident it can work for you too.

Raimund Laqua, PMP, P.Eng. is Founder and Chief Compliance Engineer at Lean Compliance Consulting, Inc., which he founded in 2017. With over 30 years of consulting experience across North America, he focuses on helping ethical, ambitious companies in highly-regulated, high-risk industries improve the effectiveness of their compliance programs. His expertise spans safety & security, quality, regulatory and environmental objectives across multiple sectors including oil & gas, energy, pharmaceutical, medical device, financial, technology, and government. He is the author of weekly blog articles, an upcoming book on operational compliance, and regularly speaks on topics of risk, compliance, lean, and responsible and safe AI.

  • AI's Most Serious Blindspot and Bias

    Working with AI over the past year opened my eyes to a systemic problem: AI systems are stuck in the past. This creates both a serious blindspot and bias.

    It's a blindspot because AI systems literally cannot "see" emerging trends, innovations, or approaches that aren't well-represented in their training data. They have a gap in their perception of what's happening at the leading edge of any field.

    It's also a bias because these systems are statistically weighted toward dominant patterns in their training data. They're biased toward what was common, established, or traditional, and against what's novel, emerging, or revolutionary—even when the newer approaches might be superior.

    The two problems reinforce each other: the blindspot creates the bias, and the bias makes it harder to overcome the blindspot - a vicious cycle that keeps it anchored in the past.

    ⚡️ What I Discovered in Practice

    Every time I ask ChatGPT about risk and compliance, I get the same old story—procedural compliance with its reactive, audit-focused approach. No surprise there. That's how most companies still operate, and that's what fills the training data.

    But here's the thing: forward-thinking organizations are already moving toward something different. They're embracing operational compliance—integrative, proactive, and risk-based—to meet modern regulatory demands that focus on performance and outcomes. This shift might be the future, but it barely exists in AI's world. The data doesn't show it enough, so the AI rarely mentions it.

    I've tried everything. Even when I spell out operational compliance in my prompts, the AI keeps drifting back to the old ways. It's frustrating to watch traditional approaches seep into responses about the future simply because they're what the system has seen most often. Sure, some principles remain constant—like laws of physics. But strategies and methodologies evolve.

    That's the painful irony here: the very tool I hoped would help generate fresh insights is handcuffed by yesterday's patterns. Maybe Hume had it right all along. Data shows what is—not what should be.

    ⚡️ Breaking Free From Outdated Approaches

    To get past this limitation, I've learned to:

    - Question the responses. "What emerging shifts might you be missing here?"
    - Add my own knowledge about current transitions that haven't made it into the data yet.
    - Build better reference materials focused on innovative approaches.
    - Look for tools that flag when responses are stuck in outdated thinking.
    - Remember that AI shows what was common, not what's becoming common.

    We need the past to learn, but we can't let it trap us there. By pushing against the limits of probability-based responses, we can use these tools while hanging onto our uniquely human ability to imagine what's never existed before.

  • Five Principles of Compliance Program Success

    Following these principles has increased, and will continue to increase, the probability of compliance success across all domains (safety, security, sustainability, quality, regulatory, cyber, environmental, etc.) by helping organizations develop and execute credible program plans. To achieve compliance success we recommend you work through these principles with your team to come up with compelling answers for each question.

    Principle 1. Define what compliance looks like.
      Planning questions: Where are we heading? What are our goals and targets? What are our obligations & promises? How will we know when we are in compliance and when we are not?
      Evidence the principle is followed: Program Scope & Context; Obligation / Promise Register

    Principle 2. Develop strategy and create plan to realize and sustain compliance.
      Planning questions: How will we meet all our obligations? How will we keep all our promises? How will we always stay between the lines? How will we manage change? How will we improve?
      Evidence the principle is followed: Concept of Operations; Integrated Master Plan

    Principle 3. Resource the plan.
      Planning questions: Do we have enough resources (people, technology, knowledge, capabilities, capacity, etc.) to satisfy the plan?
      Evidence the principle is followed: Program Resource Plan

    Principle 4. Estimate and handle uncertainty.
      Planning questions: What impediments or opportunities will we encounter? What could go wrong? What needs to go right? How will we recover when boundaries are breached? What is the nature of uncertainty (aleatory, epistemic, ontological, etc.)? What is our risk appetite? What is our risk tolerance?
      Evidence the principle is followed: Risk and Opportunity Register; Risk Management Plan; Risk-adjusted IMP

    Principle 5. Measure progress.
      Planning questions: How will success be measured? (MoE) How will performance be measured? (MoP) How will conformance be measured? (MoC) How will risk be measured? (MoR) How will assurance be measured? (MoA)
      Evidence the principle is followed: Benefits realized; Outcomes advanced; Risk ameliorated; Promises kept; Obligations met

    If you are looking to improve your compliance program we offer four strategic Rapid Improvement Engagements (RIE) – Kaizens – to help you elevate your compliance and stay ahead of risk. Each Compliance Program Kaizen improves an essential aspect of compliance for vital programs that include Safety, Security, Sustainability, Quality, Ethics, ESG, Regulatory, AI, and others. Find out more here:

  • The New Face of AI Assurance: Why Audits and Certifications Are Not Enough

    AI Assurance isn't just about checking boxes before deployment. As the European Defence Agency shows us, it's now a continuous journey involving rigorous engineering and real-time monitoring. With today's AI systems, we simply can't predict everything in advance—we need to stay vigilant while they're running in the real world. This shift is especially crucial in high-risk, mission-critical applications where failure isn't an option.

    In the paper published by the European Defence Agency (EDA), entitled “Trustworthiness for AI in Defence”, they discuss the difference between Development and Runtime Assurance.

    ⚡️ Development Assurance:

    “Traditionally in system engineering (including software and hardware), the term assurance defines the planned and systematic actions necessary to provide confidence and evidence that a system or a product satisfies given requirements. A process is needed which establishes levels of confidence that development errors that can cause or contribute to identified failure conditions (feared events defined by a safety/security/human factor assessment) have been minimized with an appropriate level of rigor. This henceforth is referred to as the development assurance process.”

    ⚡️ Runtime Assurance:

    “When the system is deployed in service, runtime assurance refers to a set of techniques and mechanisms designed to ensure that a system behaves correctly during its execution. This involves monitoring the system's behaviour in real-time and taking predefined actions to correct or mitigate any deviations from its expected performance, safety, or security requirements. Runtime assurance can be particularly important in critical and/or autonomous … systems where failures could lead to significant harm or loss.”

    The evolution of the balance between development assurance and runtime assurance is shown in the following figure:

    Trustworthiness for AI in Defence - Figure 14

    The introduction of AI technologies and autonomy capabilities has tipped the balance towards needing greater runtime assurance, as comprehensive a priori development assurance activities become increasingly challenging.

    These same definitions can be used for AI assurance in commercial applications, particularly for high-risk, mission-critical applications. AI Assurance involves:

    - planned and systematic actions necessary to provide adequate confidence and evidence that the AI system satisfies the intended function (System Assurance)
    - a process to establish levels of confidence that design/development errors (risk) have been minimized with appropriate level of rigour (Development Assurance)
    - a set of techniques and mechanisms designed to ensure the system behaves correctly during its execution (Operational Assurance)

    The paper is available here: https://eda.europa.eu/docs/default-source/brochures/taid-white-paper-final-09052025.pdf

  • Complianceland - Compliance Without Sufficient Dimensions

    Compliance 1 life in a Compliance 2 world

    Edwin A. Abbott published a book in 1883 called “Flatland”, where he explores a two-dimensional world with A. Square as the narrator.

      Imagine a vast sheet of paper on which straight Lines, Triangles, Squares, Pentagons, Hexagons, and other figures, instead of remaining fixed in their places, move freely about, on or in the surface, but without the power of rising above or sinking below it, very much like shadows - only hard and with luminous edges - and you will then have a pretty correct notion of my country and countrymen. Alas, a few years ago, I should have said "my universe": but now my mind has been opened to higher views of things. In such a country, you will perceive at once that it is impossible that there should be anything of what you call a "solid" kind; but I dare say you will suppose that we could at least distinguish by sight the Triangles, Squares, and other figures, moving about as I have described them. On the contrary, we could see nothing of the kind, not at least so as to distinguish one figure from another. Nothing was visible, nor could be visible, to us, except Straight Lines; and the necessity of this I will speedily demonstrate.

      Flatland: A Romance of Many Dimensions

    A. Square's world gets flipped upside down (well, sideways?) by encounters with higher dimensions. First, a being from a one-dimensional world (Lineland) confuses A. Square. Then, a Sphere from a three-dimensional world (Spaceland) changes his perspective forever. A. Square tries to explain this new reality to his Flatland friends, but they can't grasp the concept. This satirical twist turns Flatland into a story about the difficulty of accepting new ideas and the dangers of a rigid, unchanging society.

    Complianceland: Compliance 1 Life in a Compliance 2 World

    Those who work in Compliance and who have come to understand other dimensions may find it's very much like living in Flatland.

    Lineland

    They will find their counterparts, as they themselves once were, without the necessary perspective, context, or holistic thinking. And why should they? After years under the tutelage of prescriptive regulations they will not know what it's like for compliance to be anything other than rules driven by audits and inspections, and reinforced by reactive behaviours and reductive practices.

    They will remind you that life in Complianceland is a state of in or out. And if anyone cares to ask – we are always in. The idea of continuous improvement would seem very strange when you are already in compliance. What's there to improve? The notion of elevating compliance to higher standards would sound fantastical. What do you mean by higher? Meeting obligations and keeping promises would be considered as nonsense, something made up from Thoughtland. Can you describe this in terms we understand using rules and audits?

    These were the same questions that our friend the Square from Flatland was asked after visiting Spaceland:

      After I had concluded my defence, the President, perhaps perceiving that some of the junior Circles had been moved by my evident earnestness, asked me two questions:
      1. Whether I could indicate the direction which I meant when I used the words "Upward, not Northward"?
      2. Whether I could by any diagrams or descriptions (other than the enumeration of imaginary sides and angles) indicate the Figure I was pleased to call a Cube?

    Complianceworld

    Being a compliance leader requires convincing others to travel to other dimensions as A. Square attempted in Flatland. However, unlike A. Square who was left to hope for brighter moments having nothing more to say, my hope is for better outcomes for compliance and I still have very much that needs to be said. There are more dimensions to compliance than many can see.

    That's why I have spent the last several years creating diagrams and illustrations to help describe Complianceworld – a world where compliance has sufficient dimensions to protect and ensure Total Value.

    Complianceworld: Compliance with Sufficient Dimensions

    It takes time to understand something new and then to change. It will always seem easier to just go along with what many others are doing and stay in Complianceland. However, with all that's at stake, can we afford to continue to live in Complianceland – a place where compliance has insufficient dimensions to protect all that is valued?

  • Compliance is Probabilistic

    In my three decades as a compliance engineer, I've watched our profession's obsession with check-boxes undermine effective risk management. Today, as AI reshapes our field, there's a new reality we must confront: compliance is probabilistic.

    This revelation isn't cause for alarm—it's an opportunity. By embracing Bayesian probability, we can transform how we measure, report, and improve compliance assurance.

    In this article I challenge conventional compliance wisdom by asking: What will you do when AI predicts your compliance probability is less than perfect? The answer might revolutionize how you approach assurance altogether.

    If you're ready to move beyond audit check-boxes and embrace the power of probabilistic thinking, this perspective may challenge—and potentially transform—your compliance

    A Bayesian Approach to Compliance Assurance

    As a compliance engineer with over 30 years in the field, I've seen how limited single-point, audit-based assessments can be. Today's compliance landscape demands a more sophisticated probabilistic approach.

    Current Probability Usage in Compliance

    Probability concepts already permeate modern compliance programs:

    - Risk-Based Programs: Financial institutions routinely express compliance risk as probability metrics ("70% probability of meeting regulatory expectations"), while pharmaceutical companies apply statistical probability to clinical trial compliance.
    - Sampling-Based Testing: Organizations use statistical sampling to generate statements like "95% confidence that controls are effective" or "90% confidence that compliance exceeds 95%."
    - Advanced Analytics: Predictive models assign probability scores to potential violations, with machine learning systems flagging transactions that exceed specific non-compliance thresholds.
    - Industry Applications: From AML suspicious transaction scoring in financial services to statistical confidence levels in healthcare billing and probabilistic assessments in environmental compliance, industry-specific applications abound.

    Moving Beyond Single Points with Bayes

    Despite these uses of probability, most programs still rely on periodic audits that produce single-point estimates of compliance. Bayes' theorem provides a framework to synthesize these various probability measures into a cohesive, dynamic approach:

      P(C|E) = P(E|C) × P(C) / P(E)

    Where:

    - P(C|E) is the probability of compliance given new evidence
    - P(E|C) is the probability of observing the evidence if compliant
    - P(C) is the prior probability of compliance
    - P(E) is the probability of observing the evidence

    This formula allows us to:

    - Start with prior observations from various sources
    - Continuously update our assurance levels as new evidence emerges
    - Express assurance as distributions rather than single points

    The Practical Advantage

    By applying Bayesian methods to existing probability measures, we gain significant advantages:

    - Integrate sampling results with predictive analytics and risk-based assessments into a unified view
    - Update assurance continuously rather than waiting for audit cycles
    - Express uncertainty explicitly through probability distributions
    - Allocate resources based on the full distribution, not just central tendencies

    So What Will You Do?

    So what will you do when AI predicts that the confidence level (assurance) in meeting your obligations is less than 1? This isn't a theoretical question—it's the practical reality facing every compliance program. Perfect assurance is a mathematical impossibility in complex systems. The answer lies not in pursuing the unattainable perfect score, but in making informed decisions under acknowledged uncertainty.

    You'll prioritize interventions based on probability distributions, communicate transparently about confidence levels, and create a compliance function that values honesty about uncertainty over false precision. In the end, effective compliance isn't about claiming perfect assurance—it's about understanding exactly how imperfect your assurance is, and acting accordingly.

  • From Human to Machine: The Evolving Nature of Work in the Digital Age

    Across the world we're witnessing a profound transformation: the continual mechanization of human work, now accelerated by the integration of Artificial Intelligence (AI) and Agentic AI. Organizations, in their relentless pursuit of efficiency and cost-effectiveness, are not only turning the workforce into living machines but are increasingly replacing human workers with AI-powered systems, algorithms, and digital agents.

    From Human to Machine

    This trend, insightfully explored by Dan Davies in "The Unaccountable Machine," is creating a new challenge that extends beyond traditional organizational risk. AI systems are being deployed to handle everything from customer service inquiries to complex data analysis, replacing work previously done by “Knowledge workers.” We've become adept at streamlining operations and automating processes, while falling short in fostering the wisdom and genuine intelligence needed to advance mission success, never mind – human flourishing. The result is a workforce caught in a paradox – highly skilled in specific tasks but increasingly disconnected from the broader purpose and impact of their work.

    We now have AI systems to make decisions and perform work with far-reaching consequences without the nuanced understanding of human context. This shift raises critical questions about accountability, ethics, and the future of work itself. As we navigate this new terrain, we must grapple with the challenge of maintaining human wisdom and oversight in a world where machines are increasingly calling the shots and doing the work.

    The Middle Management Conundrum

    One might argue that this is where middle management comes in - to bridge the gap between organizational outcomes and operational objectives. However, the reality is often far from ideal. Many middle managers have long since become redundant, and those who are left are caught between the strategic vision of upper management and the day-to-day realities of operations. They often struggle to effectively translate high-level goals into actionable objectives for their teams along with the digital systems and processes that are being used in increasing measure. This disconnect creates a vacuum where critical decisions about risk, purpose, and effectiveness fall through the cracks. The result? An accountability and perhaps even a wisdom gap that can lead to misaligned priorities, overlooked risks, and ultimately, organizational ineffectiveness.

    The Promise and Peril of Digital Agents and AI

    As we grapple with these organizational challenges, many are turning to technological solutions. Agentic AI and digital agents promise increased efficiency, 24/7 availability, and the ability to process vast amounts of data, make informed decisions and conduct the knowledge-based work. However, we must ask ourselves: Are we simply replacing human cogs in the machine with digital ones? While these technologies may offer increased utility, they don't inherently provide the wisdom and real intelligence needed for business success.

    The Machine Mindset

    Perhaps the most concerning trend is our tendency to treat human workers as machines, focusing solely on efficiency and output, only to replace them with actual machines when the opportunity arises. This approach not only dehumanizes the workforce but also fails to leverage the unique qualities that humans bring to the table - creativity, empathy, and the ability to make nuanced ethical judgments. As we continue to advance technologically, we must remember that power without wisdom is a dangerous combination. True organizational effectiveness isn't just about having the most advanced systems or the most efficient processes. It's about having the wisdom to use these tools in ways that promote mission success along with human flourishing, both within the organization and in society at large.

    Reversing the Trend

    To address the challenges facing today's workforce and create truly effective organizations in the digital age, we need to:

    - Empower employees at all levels to make meaningful decisions about the work they're doing.
    - Reinvent middle management to truly bridge the gap between strategy and operations.
    - Approach AI and digital agents as tools to augment human wisdom, not replace it.
    - Foster a culture that values and develops human qualities like creativity, empathy, and ethical reasoning.
    - Continuously question and reassess our organizational structures and processes to ensure they're serving their intended purpose.

    With wisdom, foresight, and a commitment to human values, we can embrace new technologies and create organizations that are both effective and responsible. The choice is ours to make.

  • Book Of The Month - The Unaccountable Machine

    A Review of Dan Davies' Exploration of Algorithmic Decision-Making

    Dan Davies' The Unaccountable Machine is a compelling exploration of the profound shift in decision-making from human judgment to algorithmic systems. In his book, Davies delves into the rise of cybernetics, the science of control and communication in animals and machines, and its impact on organizations and society.

    From Human Judgment to Algorithmic Decision-Making

    Davies begins by tracing the historical context of this transition, highlighting the increasing complexity of the problems faced by organizations and the allure of automated solutions. He argues that the shift from human decision-making to algorithmic systems is a result of several factors:

    - Efficiency: Algorithms can process vast amounts of data quickly and accurately, making them more efficient than humans in many tasks.
    - Objectivity: Algorithms can be designed to be unbiased and free from personal biases that may influence human judgment.
    - Scalability: Algorithmic systems can be easily scaled to accommodate growing workloads and expanding operations.

    The Rise of Cybernetics

    A central theme in Davies' book is the role of cybernetics in shaping the development of algorithmic systems. Cybernetics, which emerged in the mid-20th century, is the study of control and communication in animals and machines. It provided the theoretical foundation for the development of artificial intelligence and automated decision-making systems.

    Davies explores how cybernetic principles have been applied to a wide range of fields, including finance, healthcare, and criminal justice. He argues that the adoption of cybernetic systems has led to a fundamental shift in the way organizations operate, with algorithms playing an increasingly important role in decision-making.

    The Accountability Sink

    A particularly insightful concept introduced by Davies is the "accountability sink." This refers to the phenomenon where accountability for decisions made by algorithms becomes increasingly diffuse. As algorithms become more complex and interconnected, it becomes increasingly difficult to identify who is ultimately responsible for their outcomes.

    Davies argues that the accountability sink can lead to a number of negative consequences, including:

    - Reduced transparency: When it is unclear who is responsible for a decision, it becomes more difficult to understand how that decision was made.
    - Increased risk of bias: If it is not clear who is accountable for the outcomes of an algorithm, there is a greater risk that biases will be introduced into the system.
    - Diminished trust: When people do not trust that decisions are being made fairly and transparently, it can erode trust in institutions and organizations.

    The Impact on Organizational Accountability and Compliance

    The transition from human judgment to algorithmic systems raises significant questions about organizational accountability and compliance. While algorithms have become increasingly sophisticated and capable of making complex decisions, human oversight remains crucial for several reasons:

    - Ethical Considerations: Algorithms may not always align with human ethical values or consider all relevant factors. Human oversight can help ensure that decisions made by algorithms are morally sound and in line with societal norms.
    - Unforeseen Circumstances: Algorithms may struggle to adapt to unexpected or unforeseen circumstances. Human judgment can be essential for making decisions in situations that deviate from the patterns and data that algorithms are trained on.
    - Accountability: Human oversight can help ensure that there is someone accountable for the decisions made by algorithms. This can help to prevent unintended consequences and mitigate risks.
    - Trust: Human oversight can help to build trust in algorithmic systems. When people know that there are human beings involved in overseeing the decisions made by algorithms, they may be more likely to trust the outcomes.

    In essence, while algorithms can be powerful tools, they should not be seen as a replacement for human judgment. Human oversight is essential for ensuring that algorithms are used responsibly and ethically, and that their decisions are aligned with human values and goals.

    The Unaccountable Machine is a thought-provoking exploration of the implications of the shift from human judgment to algorithmic decision-making. Davies' book provides valuable insights into the challenges and opportunities presented by this technological revolution.
