top of page


Why Compliance Must Change

Over the years working for companies in highly-regulated high-risk industries we learned that many were not able to advance or sustain their risk & compliance programs.


The challenges were many and multi-faceted that included such things as competing values, culture, behaviours, policies, goals, objectives, standards, processes, technology, resources and the like.


However, these were only the downstream impacts triggered by something else. The compliance landscape had changed and the traditional approach to compliance was not able to keep up and this affected everything.

A Changing Landscape

Over the last decade regulators have started to modernize their programs to become more risk-based; moving away from prescriptive rules towards performance and outcome based designs. The goal was to improve public safety beyond what prescription could provide.


To accomplish this, regulators began to focus more on the risks rather than rules. This would result in regulatory designs moving away from macro-means towards macro-ends requirements.

outcome-based compliance

Adopting these new regulations would come at a cost and would take time. Organizations under regulation would need to adopt a different mindset, skills, and practices which many did not have or have the time to learn.


At a fundamental level organizations would need to become more proactive with their compliance. They would have to anticipate rather than merely react. This new mindset would be closer to managing risks rather than managing audits.


Instead of inspection and audits as the trigger for change, organizations would now be expected to set their own compliance goals and objectives, establish risk measures, and measure progress towards targeted outcomes.


The role of regulators would also change as they would now need to validate outcomes instead of conformance to procedures. However, more importantly, they would need to take on a different role to help establish targets and foster industry support. Regulators would be, in a manner of speaking, more concerned about the "ends" rather than prescribing the "means".

Effects of Reactivity

The downstream effect of these changes in regulatory designs would catch many organizations off guard and ill prepared. They were too busy fighting fires to have any time to be proactive and adopt new risk-based approaches. However, even if they wanted to, they did not know what being proactive looked like.


Compliance for many had focused on managing actions coming from audits rather than proactively preventing non-conformance or pursuing targeted outcomes. Even still, given that it is impossible to inspect everything, management in most organizations would prioritize efforts on only a portion of their mandatory requirements and ignoring most if not all voluntary commitments.

obligation debt

This left a significant number of obligations unaccounted for and mostly hidden.


Becoming more productive at reactive tasks also did not work. Going faster and working harder just made most more efficient at being reactive.  It never addressed the real problem.

Need for a New Approach

To adapt to modern regulatory frameworks organizations would require a transformational change in how they approached compliance. They would need to become proactive.


However, to do these improvements funding would need to come from existing budgets and not new allocations. As a result changes were at best low hanging fruit and not considered as investments towards better outcomes. Not the best conditions for a successful transformation.


Fortunately, LEAN has for years helped industries with similar constraints such as automotive and health care and is starting to gain traction in construction, oil&gas, and other sectors.


Could LEAN also work to transform compliance and help it become more proactive?

A Case for Lean

To better understand how LEAN could help with compliance we need to go back to the early days of LEAN when it was first introduced by Taiichii Ohno at Toyota in the1950s. Taiichi Ohno, the father of LEAN, taught about the removal of waste, standard work, and continuous flow. However, that is only part of his story.


Ohno also taught that a leader is the one who "breaks" the standard. When you make an improvement, you take out your very best person from the line. It's what that person did next that is truly transformational.


The freed up resources would work on further improvements resulting in even more people removed from the line. In the end, Ohno would have enough resources to start an entire second production line.


Instead of fractional improvements he was able to double his capacity.


“Making an improvement that can take one person out results in just one person's cost being saved. If you take that person and have her make improvements, you start getting savings of two, three, four, and five people and so forth. Taking out the best person and making her improve the rest is really effective."


Now, imagine if organizations followed the same process for compliance. They would still reduce waste, standardize work, and streamline the work flow. However, that too would only be part of what is possible.


Freed-up resources from the reactive side of compliance could be moved over to the proactive side. They could anticipate changes, address root causes, and introduce new capabilities to always stay in compliance.


If organizations did this they could also double their capacity to meet compliance obligations.


This is exactly what compliance now needs, but not without first addressing LEAN’s blind-spot.

LEAN's Blindspot

LEAN is well known for improving productivity. However, when it comes to compliance and such things as inspections and audits these are seen as waste and something to be eliminated.


For LEAN to have a transformational effect on compliance it needed to understand that compliance and production have more in common than most realize.


LEAN fundamentally is concerned with removing variation from processes. Compliance is also concerned with this but calls in uncertainty. Instead of defects as the effects of variation, compliance focuses on non-conformance as the effects of uncertainty.


Variation and uncertainty are really two sides of the same coin.


Instead of eliminating waste by contending with variation, LEAN Compliance eliminates risk by contending with uncertainty.


In fact, we can say, waste is the outcome of ineffective compliance and is indeed something to eliminate.

compliance waste

Adding Risk to LEAN

Reducing these wastes (i.e. risk) now becomes the mandate for LEAN practitioners working in compliance domains including environmental, safety, security, quality, ethics and regulatory programs.


ISO 31000 defines risk as the effects of uncertainty on objectives. Broadly speaking, uncertainty takes the form of epistemic (lack of knowledge) which you buy down and aleatory uncertainty (having to do with chance and variability) which you treat with margins.


This differentiation can be visualized using a modified version of Michael Porter's Value Chain Analysis (VCA).

Total Value Chain Analysis.png

LEAN applied across the organization helps improve efficiencies which improves margins which buffers or guards against aleatory uncertainty – the outcomes we don't want.


This buffer can be used to fund proactive, risk-based compliance to drive down risk by improving the certainty of meeting obligations. In other words, it helps organization stay between the lines and achieve the outcomes it does want.


To realize these benefits we need to operationalize obligations which starts with making compliance operational.

Operational Compliance

For compliance to be operational it must be more than a disparate set of practices or something tacked onto the end of a process. Instead, it must be a system of processes that work together to increase the certainty of achieving compliance objectives and outcomes.

Operational Compliance Model

To do this compliance must implement all essential behaviours and properties of a goal-driven system.


Compliance needs to encompass feed-forward processes that steer towards goals and objectives. It must also have feed-back processes to correct for deviations from planned targets. It must be capable of meeting obligations at the necessary performance levels to achieve the intended outcomes. It must also be continuously improved across all levels. If this looks like a production system you are getting the idea.

Operational Readiness

When organizations endeavour to achieve compliance many take a by-the-element approach. This comes from years of prescriptive regulations and a focus on implementing "shall statements" in order to pass certifications and audits.


When the focus is on meeting "shall statements" rather than advancing compliance outcomes we find these familiar steps:

  1. Understand the elements of the regulation or standard.

  2. Map existing practices to the elements.

  3. Identify where current practices do not meet the standard.

  4. Engage these deficiencies in a Plan-Do-Check-Act (PDCA) cycle.

  5. Target these deficiencies for compliance with the standard.


This approach is not without limitations, notably that it often fails to deliver operational systems fast enough or at all.


Organizations usually run out time, money, and motivation to move beyond the parts of a system to implementing the interactions that are essential for a system is to be considered operational.


For compliance to be effective in today's landscape another strategy is needed that:

  • Achieves operational status sooner,

  • Creates and advances benefits over time,

  • Provides a platform to build-measure-learn with the least cost


We know from systems theory that systems are never the sum of its parts but rather the product of its interactions. It is these interactions that cause emergent properties to be created. For compliance systems these are the outcomes we are targeting: zero incidents, zero violations, zero fatalities, zero emissions, and so on.


Lean Compliance's approach emphasizes system interactions to achieve operational status sooner than traditional approaches. Our methodology includes the following objectives:

  1. Identify and evaluate mandatory and voluntary: prescriptive, performance, and outcome-based obligations.

  2. Map obligations to existing governance, programs, systems, and processes.

  3. Identify and evaluate measures of conformance, performance, and effectiveness.

  4. Identify and evaluate uncertainties to meeting targeted goals and objectives.

  5. Identify and evaluate capabilities, capacity, and performance to meet and sustain obligations.

  6. Establish minimal viable compliance (MVC) based on essential behaviours and properties that can be improved on over time.

  7. Elevate compliance effectiveness by improving MVC using a build-measure-learn process.


Compliance might start off looking like a bicycle but will soon look like a motorcycle, and then a car.


Instead of an assortment of disparate compliance parts not working together that might someday deliver on your commitments, you will have a system that delivers benefits right from the start and improves over time.

Our Mission Towards Total Value

Organizations of all shapes and sizes are struggling to meet all their regulatory and stakeholder obligations. Traditional approaches to compliance have not delivered or kept up with changes to regulatory designs and the adoption of stakeholder commitments. This exposes organizations to significant non-conformance risk but more importantly reduces the probably of mission success.


A different approach is needed that is able to protect value but also help to create it.


The application of LEAN has produced transformative results for many organizations in the manufacturing sector. We are applying these same principles and practices to compliance to free up resources and implement proactive strategies to keep up with the speed of risk and keep organizations on-side and between the lines.


LEAN can improve efficiency and with a new focus on risk also improve the chances that organizations meet all their obligations in the presence of uncertainty.

Finally, compliance could deliver on it's purpose to protect and ensure total value creation.

bottom of page