
  • How to Define Compliance Goals

    Properly defining and setting goals is critical to mission success, including the success of environmental, safety, security, quality, regulatory and other compliance programs. However, defining compliance goals remains a real challenge, particularly for obligations associated with outcome- and performance-based regulations and standards. When these goals are ambiguous or ill-defined they contribute to wasted effort and ultimately to compliance risk for an organization. To be more certain about goals we first need to define what we mean by a goal and by such things as objectives, targets, and the like. The following are definitions we have used that lay out a framework for goal-directed obligations.

    Outcomes
    These are the ends that we expect to attain over time, where progress is expected through the achievement of planned goals. They are often described in qualitative terms but may also have defined measures to indicate and track progress towards the desired outcome. An example outcome would be achieving carbon neutrality by 2050.

    Goals
    Goals are defined measures of intermediate success or progress. They are often binary, comparable to goal lines that are either reached or not. Goals are usually connected to outcomes that are long-term in nature, whereas targets tend to be associated with performance and are short-term achievements. There are two kinds of goals, terminal and instrumental:
      • Terminal goals are the highest-level outcomes that we want to reach. They define the "ends" of our endeavours. For compliance these might include: zero defects, zero fatalities, zero violations, zero releases, zero fines, and others.
      • Instrumental goals are intermediate outcomes or results that are critical, or that must occur, in order to achieve the higher-level outcome. These are often used to define measures of effectiveness (MoE) for compliance programs, as they provide a clear indication of progress towards terminal goals.

    Objectives
    Objectives are the results that we expect to attain over a planned period of time. These results contribute to (or cause) progress towards the targeted outcome. An outcome may require several objectives done in parallel, sequentially, continuously, and some contingent on others. Some form of causation model (deterministic, probabilistic, linear, non-linear, etc.) is needed to estimate the confidence level of creating the desired outcomes using the planned objectives. In cases of greater uncertainty these models will be adjusted over time as more information is gathered and the correlation between objectives and outcomes becomes better known.

    Risk
    Risk is defined (ISO 31000, COSO) as the effect of uncertainty on objectives, which presupposes a causation model. In practice, outcomes tend to be more uncertain than the achievement of objectives. However, everything happens in the presence of uncertainty, so it is important to properly identify uncertainty and contend with its effects. There are two primary forms of uncertainty:
      • Epistemic uncertainty: lack of knowledge or know-how; this risk is reducible. Reducible risk is treated by buying down uncertainty to improve the probability of meeting each objective.
      • Aleatory uncertainty: caused by inherent randomness or natural/common variation; this risk is irreducible. Irreducible risk is treated by applying margin in the form of contingency, management reserve, buffers, insurance and other measures to mitigate the effects of the risk.

    Targets
    Targets are a measure of performance (MoP) or of progress when connected to an objective. A target may be a single point or a range (min and max) of performance needed to achieve an objective.

    Strategy
    Strategy defines a plan for how goals, objectives, and targets will be obtained. Strategy is the approach to create the desired outcomes, as measured by terminal and instrumental goals, by achieving planned objectives at the targeted levels of performance, in the presence of uncertainty.

  • Why Line of Business (LOB) Managers Should Own Compliance

    Why Business Managers Should Own Compliance
    There's a persistent practice in organizational management where compliance is separated from the business—a parallel universe where auditors live and checklists multiply. The segregation of duties, span of control, functional decomposition, job specialization, along with aligning around regulatory frameworks and audit objectivity, all contribute to this practice. However, at a basic level, the main reason we separate compliance from the business is that we view compliance as a verification process, not as an operational commitment to meet organizational obligations. Whichever the case, this practice results in the creation of silos, inefficiencies, and a fundamental disconnect between what the business does and how it keeps the promises associated with its legal and stakeholder obligations. But what if this organizational divide were closed?

    The Lines that Separate
    In traditional models, we draw clear organizational lines. On one side, we have Lines of Business—the revenue generators, the product developers, the operational managers who drive value streams forward. On the other side, we have Lines of Compliance—the functions responsible for ensuring that all obligations connected with safety, security, sustainability, quality, ethics, and finance are met. The problem with this separation is that it treats compliance as something done to the business rather than something that is the business. When we think of compliance as verification, we miss the fundamental point: compliance is about meeting obligations, which happens by making and keeping promises. Every regulatory requirement, every quality standard, every environmental commitment, every customer assurance—these are all promises. And promises aren't kept through monitoring; they're kept through deliberate action and accountability.

    Two Lines, One Owner
    What if LOB managers owned both business and compliance obligations? When business leaders are accountable both for delivering value and for keeping the compliance promises that come with that value creation, something important happens. Compliance stops being a monitoring function and becomes an operational commitment. The person responsible for business outcomes is also responsible for keeping safety promises. The manager driving customer acquisition also owns data privacy commitments. The executive overseeing operations ensures environmental obligations—both mandatory and voluntary—are fulfilled. This isn't about adding responsibility—it's about recognizing what business accountability actually means. It's about owning all your obligations, not just those connected with meeting growth and sales targets.

    Integrated Obligations, Integrated Accountability
    When obligations are integrated, so is accountability, which makes decisions inherently better. A business manager who owns both value stream and compliance commitments can't rationalize shortcuts or defer difficult conversations. They can't claim ignorance of obligations, because those obligations are woven into their mandate. They can't externalize accountability for meeting compliance obligations, because those obligations are part of their responsibility. This integration also eliminates the wasteful cycles that plague siloed organizations. Instead of separate teams monitoring whether promises were kept after the fact, business managers build operations that maintain integrity by design. Resources that were once spent on checking, remediation, and firefighting can be redirected toward proactive value protection and creation. Perhaps most importantly, this approach fosters genuine ownership. When leaders are accountable for value chain and compliance obligations, they develop a more sophisticated understanding of what it means to operate responsibly. They see mandatory regulatory requirements and voluntary commitments not as constraints, but as integral to how they do business.

    From Principle to Practice
    Making this shift is not easy; it requires, among other things, a vision of what an integrative approach looks like. It requires re-imagining job descriptions, rewriting accountability frameworks, and often challenging entrenched organizational habits. But organizations that embrace this integrative model will consistently create better outcomes for the business—not just reducing waste, although that will happen, but also building stakeholder outcomes, most importantly the outcome of trust. Business and compliance functions aren't separate streams that occasionally intersect. They're the same river, flowing in the same direction: toward mission success. When we stop treating compliance as an audit function and instead recognize it as the fundamental means of ensuring mission success, we unlock both better performance and greater assurance. And this can happen with the same people, the same resources, and a clear understanding that every business manager is, at their core, a creator of value. Not just financial value measured by margins, but all the value that stakeholders demand: safety, security, sustainability, quality, ethics, and ultimately trust. That's lean compliance in action.

  • Dear Business Owner

    This post is written as a letter in response to typical inquiries from organizations looking to make improvements to their compliance. While this letter is fictitious, it is representative of common situations facing businesses today.

    How Do I Improve Our Compliance?

    Dear Business Owner,

    Thank you for reaching out to me about your compliance situation. I agree with you that the risk and compliance landscape is overly complicated, and it makes sense that you now find yourself frustrated, overwhelmed, and unsure you are meeting all your obligations. The advice you received to adopt a management standard and implement a compliance system for every compliance objective (safety, security, sustainability, quality, legal, and so on) is not unusual and, for large organizations, is common practice. At the same time, your comment that your budget does not support this approach is a very real concern shared by many. You also mentioned that your organizational culture is mostly negative towards compliance and sees it as a non-value-add and a tax on production. This is also commonplace, particularly for organizations that are new to compliance or have taken a check-box or reactive approach to compliance.

    Now, with respect to your specific question as to what you should do, here is what I recommend:
      • Start with making a commitment to own all your obligations. This is necessary before any meaningful change can occur. Ownership of obligations leads to greater levels of accountability and proactivity, so it's important to start there.
      • Develop an integrative roadmap. This step maps your current capabilities to what is needed to meet all your obligations and keep all your promises on a continuous basis. This will form the basis for an overarching compliance program. During this step you should also learn essential concepts and principles as you create your roadmap towards greater proactivity and certainty in meeting all your obligations and keeping all your promises.
      • Operationalize your compliance. This step is where you build what's essential to operationalize your obligations. A minimum level of operability, Minimum Viable Compliance (MVC), is necessary before actual benefits can be realized. During this step your team should establish the essential functions, behaviours, and interactions to achieve Minimum Viable Compliance (MVC) and begin enjoying the benefits that come from staying between the lines and ahead of risk.
      • Elevate your compliance. This step focuses on continual improvement, raising the bar to new heights of effectiveness and value. This means more than incremental improvements. To advance compliance outcomes you need to advance compliance capabilities. That's why this step is a game changer. It takes everything to the next level.

    These four steps will help you develop essential capabilities along with building a culture of compliance that generates compounding benefits over time with lower risk, reduced cost, and greater assurance. I believe this will provide greater value to you than just passing an audit or achieving certification alone.

    To help work through these steps, we designed "The Total Value Advantage Program™", which follows these steps in a structured manner facilitated by one of our compliance experts. You don't have to wait to get started. You can become a member of this program by completing the Total Value Advantage Scorecard and participating in a free orientation session. During this session we will review your results, discuss opportunities to improve your compliance, and decide together if this program is right for you. https://www.leancompliance.ca/the-total-value-advantage-scorecard

    We realize this program is not for everyone, as many are unable to take the first step of owning their obligations. However, for those that do, this program helps them garner greater stakeholder trust and achieve greater business success in the marketplace. I trust I have addressed your concerns and provided a path forward to help you deliver compliance value. I look forward to helping you achieve compliance success.

    Be Proactive,
    Raimund Laqua, PMP, P.Eng.
    Founder, Chief Compliance Engineer
    Lean Compliance
    More Value, Less Waste, Greater Assurance

  • Safety Design Principles for AI Adoption in Organizations

    How do we deliver safe AI? This is the question every organization grappling with AI adoption must answer. Yet too often, discussions about AI safety focus narrowly on specific aspects of the technology (such as LLMs), as if AI existed in a vacuum. The reality is more nuanced. AI is a technology that operates within existing systems—systems that, in highly regulated, high-risk industries, already have well-established definitions of safety, existing regulations, industry standards, and proven best practices. Understanding this context is essential to approaching AI safety effectively. From an engineering perspective, I propose three principles that organizations should consider when designing or adopting AI solutions for their business.

    Principle 1: Protect Existing Safety Systems
    Do no harm to what already works. The first principle is to ensure that AI technology does not diminish the effectiveness of existing safety measures and controls. Just as we strive not to harm the environment, we must strive not to compromise our ability to deliver existing levels of safety. This requires understanding the impact that AI technology has on established safety systems. When you introduce AI into a manufacturing process, a healthcare workflow, or a financial control system, you must ask: Does this maintain or enhance the safety controls we already have in place? Does it create new failure modes in existing safeguards? Consider two examples from a process safety perspective where Management of Change (MOC) applies to AI deployment.

    Example 1: AI Technology Evaluated by MOC
    Process safety regulations require an MOC to be conducted before modifying any safety-critical operation. When an organization introduces AI to monitor equipment conditions or predict failures in a chemical facility, this constitutes a design change that triggers an MOC. The MOC risk assessment must evaluate how the AI system affects existing safety controls. For instance, if operators begin relying on AI alerts instead of conducting scheduled inspections, the organization has effectively changed its detection and mitigation strategy. The MOC process should identify this shift and determine whether compensating controls are needed to maintain safety integrity.

    Example 2: AI Used Within the MOC Process Itself
    More subtly, when an organization uses AI to automate parts of the MOC workflow—such as reviewing and approving change requests—this change to the MOC process itself requires an MOC. The original MOC system had segregation of duties: one person requests the change, another reviews the technical details, a supervisor approves it. This prevented single points of failure in safety-critical decision-making. Replacing human reviewers with an AI system is simultaneously a design change (new technology), a procedural change (new workflow), and an organizational change (altered roles and responsibilities). Without conducting an MOC on this change to the MOC process, the organization unknowingly degrades a fundamental safety control while believing it has simply improved efficiency. The engineering discipline here is straightforward but often overlooked:
      • Map your existing safety controls.
      • Understand how AI integration affects each one.
      • Verify that safety is maintained or improved, not degraded.

    Principle 2: Protect Operational Systems
    Isolate the hazard, then control the risks. AI technology has inherent uncertainties that exceed those of traditional technologies. These uncertainties create opportunities for emerging and novel risks. In the language of systems safety expert Nancy Leveson, AI creates the potential for "hazardous processes" within organizations. The response to any hazard follows a consistent pattern: first isolate the hazard, then handle the risks it introduces. This means establishing guardrails—safeguards that protect the organization, its workers, customers, and stakeholders from the consequences of using a hazardous technology, which in this case is AI. What makes AI a potential hazard is the nature of its uncertainties:
      • Probabilistic outputs rather than deterministic ones
      • Opaque decision-making in complex models
      • Emergent behaviours that weren't explicitly programmed
      • Dataset dependencies that may not generalize
      • Adversarial vulnerabilities unique to machine learning systems
    The STAMP (Systems-Theoretic Accident Model and Processes) and STPA (System-Theoretic Process Analysis) methodologies provide systematic approaches to dealing with these kinds of uncertainties. Originally developed for aerospace applications, these frameworks have proven valuable in cybersecurity and are now being applied to AI systems. Using STPA, organizations can identify unsafe control actions, understand loss scenarios, and design constraints that prevent hazardous system states. This is not about preventing all possible failures—that's impossible with any complex system—but about understanding failure modes and designing appropriate controls.

    Principle 3: Protect Organizational Systems
    Make AI technology itself less risky. The third principle focuses on reducing risk at the source: designing AI technology that is safer regardless of how it's deployed or used. The 2016 paper "Concrete Problems in AI Safety" by Amodei et al. helped crystallize many of these challenges. It identified specific technical problems such as avoiding negative side effects, reward hacking, scalable oversight, safe exploration, and robustness to distributional shift. Since its publication, we've seen the creation of dedicated AI Safety institutions and the emergence of AI Safety Engineering as a discipline. We now understand that different categories of AI systems present different risk profiles:
      • Narrow AI systems trained for specific tasks have bounded but still significant risks
      • Agentic systems that take actions autonomously introduce new categories of risk
      • Advanced AI systems (AGI or ASI) would present risks of an entirely different magnitude
    For many organizations, the responsibility for AI safety is a risk shared with the companies creating large language models and foundation models. However, organizations are also developing their own specialized models for specific use cases. These custom models require their own risk assessment and safety measures tailored to their particular context and application. This means organizations cannot simply rely on foundation model providers to solve all safety problems. If you're fine-tuning models, creating retrieval-augmented generation systems, or deploying AI agents, you have safety engineering work to do.

    An Integrated Approach
    From an engineering perspective, all three principles must be considered together, not just the last one. An AI model might be state-of-the-art in terms of its training methodology and robustness testing, but if it's deployed in a way that undermines existing safety controls, or without adequate guardrails for its uncertainties, the overall system becomes less safe, not more. This integrated view reflects how safety is actually achieved in mature engineering disciplines. Aircraft aren't safe just because engines are reliable. They're safe because of redundant systems, rigorous maintenance protocols, pilot training, air traffic control, and countless other layers of protection. Similarly, safe AI systems require attention to technology, process, and context.

    Practical Next Steps
    For organizations looking to implement these principles:

    For Principle 1 - Protect Safety Systems
      • Document existing safety controls before AI deployment
      • Conduct impact assessments on how AI affects these controls
      • Establish verification processes to ensure safety is maintained

    For Principle 2 - Protect Operational Systems
      • Adopt systematic hazard analysis methodologies like STPA
      • Create clear governance structures for AI risk management
      • Implement monitoring systems to detect emerging risks
      • Design guardrails appropriate to the level of uncertainty and consequence

    For Principle 3 - Protect Organizational Systems
      • Engage with AI safety research and best practices relevant to your sector
      • Conduct thorough testing, including adversarial and edge-case scenarios
      • Participate in industry collaborations on safety standards
      • Budget for ongoing safety evaluation as systems and understanding evolve

    Conclusion
    The question of how to deliver safe AI is indeed the question of the day. But it's not a question that can be answered by focusing on AI technology alone. Safety emerges from the interaction between technology, systems, processes, and people. By preserving existing safety systems, managing AI-specific uncertainties, and designing inherently safer AI, organizations can move beyond the hype and fear that too often characterize AI discussions. They can adopt AI in ways that are both innovative and responsible. This is the work of engineering: not making perfect systems, but making systems that fail safely, that operate within understood bounds, and that deliver value without unacceptable risk. It's work worth doing, and doing well.

    Raimund Laqua, P.Eng is Founder of Lean Compliance, and Co-Founder of Professional Engineers.AI.

  • The Lean Compliance Way

    When mission success requires compliance success

    Every organization is on a journey. Ahead lies your vision—the total value you're working to achieve. Your mission is getting there, but the path winds through complex terrain and risk is always present. The question isn't whether you'll face this journey. You already are. The question is: how well are you navigating it?

    Three Essential Principles to Practice
    To improve your probability of success, the following principles should be part of your practice:

    Stay on Mission
    Your vision isn't just about more growth and profit. Quality IS the value. Safety IS the value, along with Security, Sustainability, Ethics, and Trust. These aren't just guardrails. They ARE what you create for your stakeholders, your employees, your customers, and the world. When every decision drives toward these outcomes, you don't just succeed—you create something that matters: Total Value.

    Stay Between the Lines
    The path has boundaries—regulations, standards, policies. These aren't restrictions. They're the proven route that keeps you moving forward while others veer into costly mistakes and waste. Organizations that see compliance as a burden miss the point. The lines show you where the cliffs are and what does not add to value creation.

    Stay Ahead of Risk
    Risk doesn't wait. Cyber threats, regulatory changes, operational failures, reputational damage—they're always pursuing. You can't always eliminate them, but you can maintain enough distance to see what's coming and respond with intelligence instead of panic.

    What This Delivers
    When you master these three principles, something shifts. You stop fighting fires and start building momentum. Resources flow to what creates real value. Waste disappears. Confidence grows. Your team knows the mission, trusts the process, stays ahead of what could go wrong, and focuses on doing what needs to go right. This is the Lean Compliance Way to More Value, Less Waste, and Greater Assurance.

    Your journey is worthwhile and success matters. However, the terrain is complex and there is always uncertainty. Every step you take can improve the probability of mission success or the probability of failure. The choice is yours. Choose the Lean Compliance Way. Are you ready to turn compliance into a competitive advantage? Lean Compliance helps organizations always stay on mission, between the lines, and ahead of risk towards Total Value.

  • Value Creation Through Integration

    Michael Porter was right: you need capabilities to create value, which he outlined in his Value Chain Analysis (VCA), from which competitive advantage can be determined. So the question is, what capabilities does compliance have to create value for the organization, and how does this generate competitive advantage?

    Integrated Balanced Scorecard
    The value chain's ultimate outcome is value as perceived by customers and stakeholders. While Michael Porter's value chain framework creates and delivers value, it cannot do so effectively in isolation. Total value creation requires integrating productivity and compliance programs.

    Productivity Drives Margins
    Organizations implement productivity programs to enhance value chain efficiencies and increase margins. This operational excellence domain encompasses methodologies such as Lean, Six Sigma, TQM, and digital automation. Performance is measured by efficiency, while effectiveness is measured by improved margins. Better margins create value both financially and as protection against unavoidable external and internal risks. Margins can offset losses from market disruptions and operational risks—instances where organizations fail to meet goals and objectives. However, operational risk is best managed through risk and compliance programs.

    Compliance Drives Certainty
    To address operational risk, organizations establish programs ensuring (making certain) that objectives are achieved. Management traditionally handles common variation, while risk and compliance functions address specialized threats and opportunities. Performance is measured by the level of certainty (or confidence) in achieving objectives—what might be called assurance—and by risk amelioration. Effectiveness is measured by compliance: meeting obligations manifested through safety, quality, security, privacy, reputation, and other value properties. Managing operational uncertainty helps organizations stay within boundaries, protecting the value chain along with employees, assets, shareholders, customers, the environment, and communities.

    Integrated Balanced Scorecard
    Protecting value creation fundamentally means contending with two types of uncertainty. Aleatory uncertainty (irreducible randomness) is handled by applying margins to cover unavoidable losses. Epistemic uncertainty (reducible through knowledge) is managed through compliance controls and measures. Adequate margin and certainty are both necessary for effective value chain creation. An integrated balanced scorecard improves visibility of strategic initiatives related to value, margin, and compliance targets. It also facilitates appropriate trade-offs between opportunities to improve margins and measures to contend with threats. When establishing an integrated balanced scorecard, map strategic objectives and initiatives to appropriate categories. Using categories from Geoffrey Moore's "Zone to Win" alongside functions from Michael Porter's Value Chain Analysis helps capture objectives according to time horizon, risk appetite, and compliance priorities. Productivity and compliance activities each have objectives for positively affecting the value chain, while also including initiatives to improve one another. For example, productivity improvements can benefit compliance programs, and productivity initiatives benefit from objective, risk-based approaches. Greater uncertainty and risk characterize incubation and startup activities, which may require different strategies focused on pursuing opportunities rather than avoiding losses.

    Compliance as Competitive Advantage
    Organizations that excel at compliance create sustainable competitive advantages beyond mere risk mitigation. Strong compliance capabilities build trust with customers, regulators, and stakeholders, enhancing brand reputation and market position. They enable faster market entry by streamlining regulatory approvals and reducing time-to-market for new products and services. Robust compliance frameworks also attract premium customers and partners who prioritize working with reliable, trustworthy organizations. Moreover, proactive compliance reduces the cost of crisis management, legal disputes, and remediation efforts that plague competitors with weaker systems. By embedding compliance into strategic planning rather than treating it as an afterthought, forward-thinking organizations transform regulatory requirements into differentiators that strengthen their competitive moat and create barriers to entry for less disciplined competitors.

  • Why GRC Should be GRC

    What GRC Should BE
    Traditionally, GRC activities were centered around integrating the siloed functions of Governance, Risk, and Compliance (GRC). While this is necessary, it is based on an old model where meeting obligations (the act of compliance) is a checkbox activity reinforced by audits. Similarly, risk management was building risk registers and heat maps, and governance was providing oversight of objectives completed in the past. All this to say: this was all reactive, misaligned, and focused on activity, not outcomes. However, when you start with an integrative, holistic, and proactive approach to meeting obligations, a different model emerges where the bywords are Govern, Regulate, and Ensure (GRE). These are essential capabilities that, when working together, improve the probability of success by governing, regulating, and ensuring the ends and the means in the presence of uncertainty. There is no need to integrate disparate functions, as these are already present in their proactive, integrative, and holistic form to deliver the outcome of mission success. If you're interested in learning more about transforming reactive GRC functions into proactive GRE capabilities, explore The Total Value Advantage Program™.

  • Lean and the Environment

    EPA - Lean and Environment Toolkit

    Lean is well known for its focus on, and effectiveness at, reducing waste, specifically in production processes. The 8 sources of lean waste (defects, excess processing, overproduction, waiting, inventory, transportation, motion, and non-utilized talent) have helped practitioners "see lean waste" in their processes and identify areas of improvement. A tool that is most often used is Value Stream Mapping (VSM), which adds a temporal dimension to visualize where, when, and how much waste is being generated in every step of value creation. It's no wonder that this same approach is increasingly being used to "see environmental waste" in business processes. Although not considered part of Lean's deadly wastes, environmental wastes are embedded in and related to the wastes targeted by lean strategies. Over the last decade Lean tools and practices have expanded to consider quality, safety, and environmental aspects. Instead of quantifying waste only in terms of financial costs, the quantification of such things as carbon footprint is becoming the new calculus by which processes are measured.

    One of the most comprehensive toolkits that combines lean and the environment is available from the US Environmental Protection Agency (EPA). This toolkit provides practical strategies and techniques to "improve Lean results—waste elimination, quality enhancement, and delivery of value to customers—while achieving environmental performance goals". Organizations that adopt this toolkit can better answer the following questions:
      • Why should I identify environmental waste in my processes?
      • How will I know when I see environmental waste?
      • Where should I look for environmental waste?
      • How do I measure the environmental impacts of a process?
      • Where can I find environmentally preferable alternatives to my current process?

    One of the tenets of Lean is: if you can't see it you can't improve it. To begin to see environmental waste in your organization, the EPA recommends the following:
      • Add environmental metrics to the metrics considered in Lean efforts to better understand the environmental performance of production areas.
      • Show management commitment and support for improved Lean and environmental performance by holding collaborative meetings and providing resources and recognition.
      • Integrate environmental wastes into Lean training programs. This can be as simple as adding a few additional slides to a presentation or as advanced as holding a special Lean training for EHS personnel.
      • Make environmental wastes visible and simple to eliminate by using signs and other visual controls in the workplace.
      • Recognize and reward environmental success accomplished through Lean.

    Identifying environmental wastes, calculating and optimizing for carbon footprint, and learning how to reduce environmental waste will become standard practice for Lean practitioners in an Environment-First future. Lean practitioners will need to work more closely with EHS professionals and become more knowledgeable and skilled in how to incorporate environmental aspects into their practices. These resources from the EPA are great places to start:
      • The Environmental Professional's Guide to Lean and Six Sigma
      • Lean and Environment Toolkit
      • Lean and Energy Toolkit
      • Lean and Chemicals Toolkit
      • Lean and Water Toolkit

  • The Compliance Charter: Your Roadmap to Compliance Operability

    The Compliance Charter

    In project management, we don't start without a charter. Yet in compliance—where the stakes are often higher and the obligations more complex—many organizations dive in without establishing their foundational document. It's time we borrowed this proven practice and applied it where it matters most: keeping our promises to stakeholders.

    What Is a Compliance Charter?

    Drawing from both project management best practices and the structured approach of ISO 37301, a compliance charter serves as the formal authorization and roadmap for your compliance program—the initiative that will create new organizational capabilities to improve your underlying compliance systems. Just as projects create new capabilities (a new product, system, or service), your compliance program creates new capabilities to advance compliance operability—the organization's ability to consistently deliver on all obligations across safety, quality, environmental, regulatory, and other domains. The charter provides the planning foundation that transforms compliance from scattered activities into integrated operational capability. Think of it as your organization's commitment contract to building the systems, processes, and culture needed to keep promises consistently.

    The Anatomy of an Effective Compliance Charter

    Based on proven project charter structures and compliance management principles, your compliance charter should include:

      • Purpose & Business Case: Why this compliance program exists and what new capabilities it will create to improve how your organization manages obligations across all domains.
      • Scope & Boundaries: Which compliance systems and processes will be enhanced or created, and which organizational areas will benefit from these new capabilities.
      • Success Criteria: How you'll measure the effectiveness of your new compliance capabilities—not just audit pass rates, but improved ability to identify, track, and fulfill obligations consistently.
      • Capability Goals: The specific operational competencies your program will build—integrative obligation tracking, real-time compliance monitoring, predictive risk management, or systematic compliance operability across all domains.
      • Leadership Commitment: Top management's demonstrated commitment to building these new compliance capabilities and sustaining them over time.
      • Resource Allocation: The people, budget, technology, and time required. If you're limited to spreadsheets and emails, you'll struggle to maintain any reasonably sized compliance management system.
      • Risk Context: Understanding your organization's internal and external context to identify compliance risks and management approaches.
      • Timeline & Milestones: Key deliverables and checkpoints that demonstrate progress toward operational readiness.

    Why Your Organization Needs This

    Organizations face multiple obligations simultaneously across legal, regulatory, and voluntary commitments. Without a charter, compliance efforts become reactive firefighting rather than proactive capability building. The charter forces crucial conversations: What promises are we making? To whom? How will we keep them consistently? Who's accountable? What happens when we don't? Our mission is helping organizations increase stakeholder trust by improving their ability to meet ALL their obligations. That starts with clarity about what you're trying to achieve and how you'll get there.

    Moving From Charter to Capability

    Your compliance charter isn't a document you write once and file away. It's a living commitment that guides your program's evolution as it builds the organizational capabilities needed to manage increasingly complex obligations. The charter should drive decisions about which systems to integrate first, what processes to standardize, and how to sequence capability development toward full compliance operability. As your compliance program matures, the charter helps ensure each phase builds operational strength while maintaining focus on the ultimate goal: seamless, reliable compliance delivery at organizational scale.

    As ISO 37301 emphasizes, effective compliance management requires principles of good governance, integrity, transparency, accountability, and sustainability. Your charter embeds these principles into your organizational DNA from day one. The question isn't whether you need a compliance charter—it's whether you can afford to operate without one. In highly-regulated, high-risk industries, the cost of unclear commitments and scattered efforts far exceeds the investment in getting this foundation right. Start with clarity. Build with purpose. Operate with confidence.

    Ready to develop your compliance charter? Our Total Value Advantage Program™ helps organizations establish the essential capabilities needed to achieve compliance operability—the integrative ability to consistently meet all obligations while driving continuous improvement. Because operational compliance isn't just good practice—it's competitive advantage.

  • Managing Compliance Demands: When to Pull, When to Push

    The Dual Nature of Compliance

    Over the years working with companies in highly-regulated industries, I've observed that organizations often struggle with compliance because they fail to distinguish between two fundamentally different types of work. They treat everything as equally urgent, pushing all work through the system regardless of actual need. This creates inefficiency and waste while failing to prevent the risks that matter most. The solution lies in recognizing that compliance involves two distinct flows requiring opposite strategies—pull for promises, push for risk.

    The Push of Obligations

    Let's start with what we cannot control. Obligations are pushed onto organizations from the outside world. Regulators don't wait for organizational readiness before issuing new requirements. Legislators pass laws on political timelines. Industry standards evolve. Customers demand certifications according to their procurement schedules. This external push is inevitable—organizations are demand-receivers in the compliance landscape. However, not all obligations come from outside. Organizations regularly push obligations onto themselves through voluntary commitments—sustainability pledges, ethical sourcing standards, diversity targets, voluntary certifications. While theoretically discretionary, competitive pressure and stakeholder expectations often make them feel just as mandatory as regulatory requirements. The critical difference: pull systems can reveal when voluntary obligations create unsustainable bottlenecks, providing data-driven insight to modify or discontinue them—a strategic flexibility that doesn't exist with mandated requirements.

    Pull for Promises: Making Bottlenecks Visible

    Obligations and Promises

    Once obligations exist—whether mandated or voluntary—organizations can use pull principles to fulfill them efficiently. Instead of immediately mobilizing resources when a new requirement appears, compliance work is pulled through the system based on level of commitment and applicability to the organization. A regulatory change announced with a two-year implementation window doesn't need immediate action—it needs a clearly defined trigger point that pulls appropriate resources when action becomes necessary. Pull systems excel at revealing where promise-keeping breaks down. When documentation requests accumulate before audits, when certifications expire before renewals complete, when regulatory deadlines are consistently missed—these visible accumulations pinpoint where capacity is insufficient. Pull systems reveal more than just delays. They also expose excess work from over-commitment, such as redundant reporting requirements that consume resources without adding value. They reveal duplicate delivery on promises due to lack of coordination—different departments doing similar work, preparing parallel compliance reports, or responding independently to the same stakeholder requirement. A compliance kanban board that shows work backing up, the visual management system that highlights both delays and redundancies—these are diagnostic tools that make constraints and waste obvious and actionable. This visibility enables continuous improvement. You're not guessing where to add resources or improve processes; the pull system shows you precisely where promises are falling behind, from obligation to fulfillment.

    Push for Risk: Prevention Requires Forecasting

    Risk management operates on entirely different logic. You cannot wait for a data breach to occur before implementing security controls. You cannot pull a response to a compliance violation after it has created regulatory liability. Prevention requires pushing controls, safeguards, and capabilities into place before they're needed—often for events that may never occur. This is fundamentally forecasting-based work. What regulatory changes are on the horizon? What emerging technologies might create new compliance challenges? What systemic vulnerabilities could cascade into organizational crises? Risk management demands horizon scanning, scenario modelling, and proactive deployment of countermeasures. The push approach accepts what appears to be inefficiency or waste as the necessary price of resilience. You build redundant capacity, invest in monitoring systems that may never detect an incident, and create response capabilities that might go unused. These are insurance premiums paid in organizational resources rather than money.

    Integrative Systems: Using Each Approach for What It Does Best

    The sophistication lies in connecting these two approaches. Pull-based promise-keeping generates valuable data about where compliance obligations concentrate and where failures occur most frequently. This historical pattern data should inform push-based risk investments. If pull systems consistently reveal bottlenecks in privacy compliance, that's a signal to push additional preventive controls into data governance. If promise-keeping regularly fails during regulatory transitions, that indicates a need to push more change management capability into the organization. The pull system provides the diagnosis; the push system delivers the prevention.

    From Reactive Chaos to Proactive Capability

    Organizations that lack this distinction scramble reactively when obligations arrive, pushing emergency work through systems where every new requirement feels like a crisis. There's no differentiation between what needs immediate execution and what requires long-term preparation. Organizations that understand this dual nature use push to build capability ahead of demand, then use pull to execute efficiently when obligations require action. The balance isn't about choosing between push and pull—it's about using each approach for what it does best. Pull for the promises you must keep today. Push for the risks you must prevent tomorrow. When external obligations are pushed at you—and they will be—you'll have pushed sufficient capability into place that you can pull work through efficiently. That's not just effective compliance. It's organizational resilience built on systems thinking.

    Raimund Laqua is founder and Chief Compliance Engineer at Lean Compliance Consulting, Inc. His focus is helping ethical, ambitious companies in highly-regulated, high-risk industries improve the effectiveness of their compliance programs.

  • Why Risk Assessments Should Begin with Uncertainty

    By Raimund Laqua, Founder of Lean Compliance

    Why Risk Assessments Should Start with Uncertainty

    Walk into most organizations today, and you'll find risk management teams armed with comprehensive checklists, detailed taxonomies, and colour-coded matrices that promise to capture every conceivable threat. These frameworks are seductive in their apparent completeness—neat categories for operational risks, financial risks, strategic risks, compliance risks. Everything has its place, and every place has its thing. But here's what I've learned after years of working with organizations on their risk frameworks: these traditional risk assessments are treating symptoms, not the disease.

    The Symptom vs. The Disease

    Think of risk assessments as medical diagnoses. When a patient presents with a fever, a competent doctor doesn't simply prescribe aspirin and call it a day. The fever is a symptom—an indicator of something deeper that requires attention. The fever might signal anything from a minor infection to something far more serious. To provide effective treatment, you must identify and address the underlying cause. Traditional risk assessments operate like symptom-focused medicine. They catalogue the visible manifestations of risk—the potential for data breaches, supply chain disruptions, regulatory violations, market volatility. These are indeed risks worth considering, but they are symptoms of a more fundamental condition: uncertainty. Uncertainty is the root pathogen in the risk ecosystem. It's the fertile ground from which all risks grow. And just as effective medicine requires understanding the pathogen before prescribing treatment, effective risk management demands that we first understand and contend with uncertainty in all its forms.

    The Anatomy of Uncertainty

    Uncertainty isn't monolithic. It comes in distinct varieties, each requiring different approaches and interventions. Understanding these differences is crucial to developing effective risk strategies. Aleatory uncertainty represents the inherent randomness in systems—the fundamental unpredictability that exists even when we have complete information about a process. Think of rolling dice or the precise timing of radioactive decay. No amount of analysis will eliminate this uncertainty because randomness is built into the fabric of the system itself. Epistemic uncertainty, by contrast, stems from our lack of knowledge or understanding. This is the uncertainty that exists because we don't know enough about the system, haven't collected sufficient data, or lack the models to make accurate predictions. Unlike aleatory uncertainty, epistemic uncertainty can potentially be reduced through research, data collection, and improved understanding. But the uncertainty landscape extends beyond even these well-established categories. There's model uncertainty—the risk that our fundamental assumptions about how systems work are flawed. There's ambiguity uncertainty—situations where even the nature of the problem itself is unclear. And there's emergent uncertainty—the unpredictability that arises from complex interactions between multiple systems and stakeholders.

    The Strategic Response to Uncertainty

    Once we recognize uncertainty as the source rather than just another item on our risk checklist, our strategic options become clearer and more nuanced. Different types of uncertainty demand different responses, and understanding this matching is where sophisticated risk management begins. Some uncertainties demand isolation. When facing massive, systemic uncertainties that could fundamentally threaten an organization's existence, the wisest course may be complete avoidance. These are the uncertainties so vast and potentially catastrophic that no amount of mitigation can adequately prepare you for their impact. Think of a small technology company choosing not to enter markets dominated by nation-state actors, or a regional bank avoiding exposure to global derivatives markets. Sometimes the best risk management is recognizing when not to play the game at all. Some uncertainties require cushioning. These are the uncertainties that create inevitable risks—situations where negative outcomes will occasionally occur, but where the timing and magnitude remain unpredictable. Here, the strategy isn't prevention but resilience. You build buffers, create redundancies, establish reserves, and develop rapid response capabilities. A manufacturing company that maintains diverse supplier relationships isn't eliminating supply chain uncertainty—they're cushioning themselves against its inevitable manifestations. Some uncertainties can be actively reduced. This is where traditional risk mitigation shines, but only when applied with precision. When uncertainty stems from lack of knowledge or inadequate processes, you can invest in research, data collection, training, and system improvements. When uncertainty arises from insufficient controls, you can implement monitoring and governance mechanisms. The key insight is recognizing which uncertainties are genuinely reducible and focusing your mitigation efforts there. Most uncertainties require mixed strategies. The real world rarely offers pure cases. Most significant uncertainties contain elements that can be reduced, aspects that require cushioning, and components that might necessitate partial isolation. Sophisticated risk management involves decomposing complex uncertainties into their constituent parts and applying the appropriate strategy to each component.

    Transforming Risk Assessment Practice

    In my work developing lean approaches to compliance and risk management, I've seen how this uncertainty-first approach fundamentally changes how we conduct risk assessments. Instead of beginning with predetermined risk categories, we start by systematically identifying and characterizing the uncertainties that pervade our environment. Instead of immediately jumping to mitigation strategies, we first classify uncertainties by type and reducibility. The questions change too. Rather than asking "What risks do we face?" we begin with "What don't we know, and what can't we predict?" Rather than "How likely is this risk?" we ask "What type of uncertainty creates this risk, and what does that tell us about our strategic options?" This shift in perspective often reveals blind spots in traditional assessments. It highlights uncertainties that don't fit neatly into conventional risk categories. It exposes assumptions we didn't realize we were making. And it opens up strategic options that symptom-focused approaches might overlook.

    The Path Forward

    Through years of consulting with organizations struggling with traditional risk frameworks, I've found that improving risk assessment isn't about abandoning existing frameworks entirely—many traditional tools remain valuable for specific purposes. Instead, it's about establishing uncertainty analysis as the foundation upon which all other risk activities build. This means developing organizational capabilities to identify uncertainties systematically, classify them accurately, and match them with appropriate strategies. It means training teams to think like epidemiologists of risk—tracking uncertainties to their sources rather than just cataloguing their symptoms. Most importantly, it means accepting that effective risk management is less about predicting the future and more about building adaptive capacity to handle whatever uncertainties that future might hold. The organizations that thrive in an uncertain world won't be those with the most comprehensive risk checklists. They'll be those that best understand the uncertainties they face and have developed nuanced, strategic approaches to contending with them. After all, in a world where uncertainty is the only certainty, shouldn't our risk management reflect that fundamental truth?

  • AI Risk Containment in Industrial Systems

    AI Risk Containment Architecture

    Industrial leaders in safety-critical, highly regulated sectors like energy, chemical processing, oil & gas, and nuclear face an important challenge: how to harness the transformative power of AI—such as predictive maintenance, process optimization, and deep analytics—without compromising the safety systems, regulatory compliance, and operational integrity that protect people and infrastructure. Direct integration of AI into operational or enterprise systems introduces unacceptable risks, as even minor algorithmic errors can lead to regulatory violations, safety incidents, or catastrophic disruptions. To address this, industries can draw from proven frameworks like ICH Q8 in pharmaceuticals and ISO PAS 8800 in automotive safety, which emphasize containment and isolation of experimental technologies. This paper proposes a similar architecture for AI: one that separates Artificial Intelligence Technology (AIT) into bounded domains with controlled interfaces to Operational Technology (OT) and Information Technology (IT), enabling innovation while preserving compliance and operational excellence. Download our free white paper here:

© 2017-2025 Lean Compliance™ All rights reserved.