“We need to move beyond compliance.”
I used to think that moving beyond compliance was the answer. Many others did too. It seemed like the obvious next step. But after thinking more carefully over the last 10 years, I've realized that's not the solution. In fact, it could make things worse.
When we say “we need to move beyond compliance,” where exactly do we need to move to? This is where the rub lies, and it's what has bothered me.
Let me explain.
Traditionally, we've viewed compliance through a narrow lens: ensuring adherence to prescriptive rules imposed by law. While it's essential to meet these obligations, it’s also limiting. It implies that compliance is merely a hurdle to clear or a box to check, rather than a cornerstone of responsible business.
While many still view compliance through this narrow lens, the reality is that the landscape has changed. Compliance has expanded, and continues to expand, to encompass a broader spectrum of responsibilities. ISO 37301, for example, defines compliance as fulfilling all obligations, both mandatory and voluntary – those that are compelled by law and others we voluntarily decide to adopt.
This definition recognizes that businesses have a duty to operate ethically and sustainably, beyond what the law requires.
However, what this means is that:
We don’t need to move beyond compliance. We need to catch up to where compliance now is.
This does require going beyond “basic compliance” – adhering to legal requirements – towards “total compliance” – fulfilling all obligations, including those imposed by ethical and beneficial motivations.
This is the next step, motivated by a genuine commitment to doing what's needed to meet all obligations, not just the basics. It's about assurance that organizations will keep the promises they have made.
In fact, on a daily basis, catching up to compliance would look like a continuous process of making and keeping promises (a measure of integrity) associated with organizational, project, and operational obligations:
Macro-ends (outcome-based) - outcomes, values, code of ethics, duties & liabilities
Micro-ends (performance-based) - targets, key results, outputs
Macro-means (management-based) - management standards, plans, processes
Micro-means (prescriptive) - design standards (codes), rules, tasks, work instructions, procedures
Instead of moving beyond compliance, let’s strive to keep our promises.