Why Is This Assessment Necessary?
For compliance to be effective, it must generate desired outcomes. These outcomes may include reducing violations and breaches, minimizing identity thefts, enhancing integrity, and ultimately fostering greater stakeholder trust.
Realizing these benefits requires compliance to function as more than just the sum of its parts. Unfortunately, many organizations focus solely on individual components rather than the whole system – they see the trees but miss the forest, or concentrate on controls instead of the overall program. Too often, compliance teams work hard and hope for the best. While hope is admirable, it's an inadequate strategy for ensuring concrete outcomes.
To elevate above merely a collection of parts, compliance needs to operate as a cohesive system. In this context, operability is defined as the extent to which the compliance function is fit for purpose, capable of achieving compliance objectives, and able to realize the benefits of being compliant.
The minimum level of compliance operability is achieved when:
All essential functions, behaviors, and interactions exist and perform at levels necessary to create the intended outcomes of compliance.
This defines what is known as Minimal Viable Compliance (MVC), which must be reached, sustained, and then advanced to realize better outcomes.
For this to occur, we need a comprehensive approach. We need:
Governance to set the direction
Programs to steer the efforts
Systems to keep operations between the lines
Processes to help stay ahead of risks
All of these elements must work together as an integrated whole.
To use an analogy, an effective compliance system may not need to be as complex as a car, but it should be at least as functional as a bicycle. The key point is that it must be more than just a box of disconnected car or bicycle parts.
This holistic perspective on compliance operability allows organizations to:
Identify gaps with their current compliance
Prioritize areas for improvement
Ensure that all components of the compliance system are working in harmony
Continuously improve and adapt their compliance efforts to meet changing requirements and expectations
By conducting a Compliance Operability Assessment, organizations can move beyond a piecemeal approach to compliance and develop a robust, systemic strategy that is more likely to achieve desired outcomes and create lasting value.
Total Value Chain Analysis
Value Chain Analysis (VCA), introduced by Michael E. Porter in 1985, is a strategic tool that examines how a firm's activities contribute to its competitive advantage. Porter argued that competitive advantage stems from cost leadership and differentiation, and VCA helps understand how various activities affect a company's margin. This concept has been foundational in helping businesses optimize their operations and improve their market position.
In recent years, the increasing complexity and demands of regulatory compliance have necessitated an adaptation of Porter's model. This has led to the development of Total Value Chain Analysis, which integrates compliance activities into the traditional value chain framework. Unlike the original model, which often viewed compliance as a separate, overhead function, this new approach considers compliance as a set of horizontal capabilities that span the entire value chain. The focus shifts from purely optimizing margin to also minimizing overall risk.
Total Value Chain Analysis offers several key insights. It helps organizations understand the true cost of both compliance and non-compliance, illustrates how compliance activities affect risk across different business functions, and demonstrates the value of compliance in terms of cost avoidance, increased trust, and reduction in defects, incidents, and other negative outcomes. This holistic view allows companies to develop more comprehensive strategies for competitive advantage.
Building on Porter's strategies for cost and differentiation advantage, Compliance Chain Analysis introduces the concept of compliance advantage. This new perspective suggests ten principles for driving compliance advantage, including keeping all promises, taking ownership of compliance obligations, integrating compliance into performance processes, and developing a learning culture around compliance. By adhering to these principles, companies can create a robust compliance framework that not only meets regulatory requirements but also contributes to overall business success.
The Total Value Chain concept provides an integrated approach, combining traditional VCA with a strong focus on compliance. While this strategy may not always lead to immediate cost reductions, it offers significant long-term benefits. Companies can avoid future costs associated with non-compliance and differentiate themselves in the market through higher quality products and services, safer operations, and improved stakeholder trust.
In today's highly regulated marketplace, this comprehensive approach to value chain and compliance management provides a powerful tool for creating and sustaining competitive advantage.
Compliance Operability Assessment Process
The Compliance Operability Assessment Process uses the Total Value Chain Analysis as its foundation. This comprehensive approach helps evaluate the level of compliance operability and maturity for all compliance obligations, both mandatory and voluntary.
The process consists of the following steps:
1. Identify Business Requirements
This initial step involves understanding the core business needs, objectives, and strategic goals of the organization. It provides context for how compliance fits into the overall business model.
2. Create Operations Business Model
In this step, we identify and map out the operational functions, behaviours, and interactions within the organization. This creates a clear picture of how the business operates on a day-to-day basis.
3. Identify Compliance Requirements
Here, we determine all relevant compliance requirements that apply to the organization. This includes industry-specific regulations, general legal obligations, along with voluntary commitments made to stakeholders.
4. Create Obligations and Promises Register
This step involves creating a comprehensive register that identifies:
Legal and regulatory obligations along with voluntary commitments made to stakeholders
Promises and policies created associated with meeting obligations and stakeholder commitments
Areas of uncertainty in staying between the lines and ahead of risk
Potential compliance and operational risk associated with meeting obligations and stakeholder commitments
5. Evaluate and Map Compliance Criticality
In this step, we assess what is critical-to-compliance (description below). This helps prioritize compliance efforts and resource allocation to focus on those areas that matter most to staying between the lines and ahead of risk.
6. Create Integrated Operational Compliance Model
This step involves integrating the compliance requirements into the operational business model. It shows how compliance obligations interact with and affect day-to-day business and how obligations will be met and keeping promises associated with them. T
7. Evaluate Compliance Operability
The final step is to assess how well the integrated compliance model functions within the organization. This evaluation helps identify areas of strength and weakness in the compliance program, and guides future improvement efforts.
By following this structured process, organizations can gain a holistic view of their compliance landscape and how it integrates with their business operations. This approach allows for:
Better alignment between compliance efforts and business objectives
Identification of potential gaps or overlaps in compliance activities
More efficient resource allocation for compliance management
Improved ability to anticipate and mitigate compliance risks
Enhanced overall effectiveness of the compliance program
The Compliance Operability Assessment Process provides a systematic method for organizations to move beyond a checkbox approach to compliance. Instead, it fosters the development of a mature, integrated compliance system that adds value to the organization while effectively managing regulatory and stakeholder obligations.
Compliance Criticality Analysis
The concept of compliance criticality is often encountered in various contexts, similar to other "Critical-to-X" frameworks:
Critical-to-Quality (CTQ)
Critical-to-Safety (CTS)
Critical-to-Environment (CTE)
Critical-to-Sustainability
Critical-to-Value
And others
Critical-to-Compliance refers to:
essential structures, functions, behaviours, or interactions that directly impact an organization's ability to meet obligations or keep promises.
Examples include organizational structure, roles, culture, governance, programs, systems, processes, procedures, protocols, resources, capacity, goals, priorities, and strategy.
The importance of Critical-to-Compliance can be understood through several key benefits:
Change Management: By identifying critical-to-compliance elements, organizations can prioritize efforts to mitigate risks and prevent non-compliance when implementing planned changes.
Resource Optimization: Focusing on critical-to-compliance elements helps organizations avoid wasting time and resources on less significant areas, ensuring that compliance efforts are concentrated on what matters most.
Risk Management: Understanding which elements are critical-to-compliance allows organizations to establish necessary controls, reducing the probability of non-conformance and mitigating high-impact risks.
Comprehensive Coverage: Identifying critical-to-compliance elements helps organizations ensure that all essential capabilities are in place to meet relevant regulatory requirements and voluntary stakeholder obligations.
Enhanced Confidence: Recognizing and addressing critical-to-compliance aspects demonstrates an organization's commitment to meeting obligations and keeping promises.
To assess the importance of different elements, a criticality ranking can be applied:
Critical: Discontinuing or substantially changing this aspect will result in a high likelihood of failure to meet compliance obligations or keep promises.
Significant: Discontinuing or substantially changing this aspect will significantly affect the ability to meet compliance obligations or keep promises.
Moderate: Discontinuing or substantially changing this aspect will moderately affect the ability to meet compliance obligations or keep promises.
Not Significant: Discontinuing or substantially changing this aspect will not significantly affect the ability to meet compliance obligations or keep promises.
By utilizing this framework, organizations can effectively prioritize their compliance efforts and ensure they are focusing on the most crucial aspects of their operations.
Operational Compliance Maturity
Regulatory bodies and standards organizations are increasingly expecting companies to utilize capability maturity models to enhance performance and progress towards ambitious targets such as zero incidents, zero fatalities, zero harm, zero emissions, and zero violations. While capability maturity models have been around for some time, their application in compliance improvement has been limited. However, this trend is beginning to change.
One area where capability maturity models have been successfully employed is in software development, particularly in aerospace and defence applications. The CMMI (Capability Maturity Model Integration) Institute, building on research originally conducted by Carnegie Mellon University, continues to develop and publish maturity models.
In response to the shift towards outcome and performance-based regulatory obligations, we have adapted the CMMI model to better support the capabilities needed to advance outcomes over time. It's important to note that certain minimum operability requirements must be met before any significant progress in outcomes can be achieved.
Fundamentally, better outcomes are obtained when processes function more like a purposeful system rather than as individual components. This principle is derived from systems theory, which posits that outcomes are emergent properties resulting from the product of a system's interactions, rather than simply the sum of its parts.
The following model provides a framework for organizations to assess their current compliance maturity level and identify areas for improvement, ultimately working towards more effective and efficient compliance management.
Operational Compliance Maturity Model:
5 - Leading: Advancing Outcomes
Advancing overall compliance outcomes
Reducing risk and ensuring value
Continuous innovation and learning at all organizational levels
4 - Governing: Regulating Effectiveness
Tracking compliance outcomes
Introducing feed-forward processes to improve effectiveness
Focusing on achieving outcomes and improving capabilities
Continuous improvement is ingrained in organizational culture
3 - Managing: Regulating Performance
Standards provide guidance and normative practices and behaviours
Introducing feedback processes to improve consistency
Focusing on compliance performance and risk management
Continuous improvement is intentional and proactive
2 - Controlling: Regulating Conformance
Planning, performing, measuring, and controlling compliance processes
Defining and mostly following compliance procedures
Focusing on inspections, audits, and corrective actions
Continuous improvement is reactive
1 - Perceiving: Recognizing Obligations
Developing obligation and risk awareness
Focusing on prescriptive compliance and training
Work is completed but often delayed or over budget
Procedures are sometimes followed with unpredictable output or outcomes
0 - Avoiding: Unknown
Lack of obligation and risk awareness
Obligations may or may not be achieved
Procedures are rarely followed
Compliance risk is unknown
Conclusion
The Compliance Operability Assessment using Total Value Chain and Compliance Criticality Analysis provides organizations with a comprehensive framework to evaluate and enhance their compliance efforts. By integrating compliance into the broader business strategy and operations, this approach moves beyond traditional checkbox compliance to create a more robust, effective, and value-driven compliance system.
The process outlined - from identifying business requirements to evaluating compliance operability - allows organizations to gain a holistic view of their compliance landscape. This systematic method helps align compliance efforts with business objectives, identify gaps and overlaps in compliance activities, optimize resource allocation, and improve risk management.
Furthermore, the introduction of concepts like Minimal Viable Compliance (MVC), Compliance Criticality Analysis, and the Operational Compliance Maturity Model provides organizations with concrete tools to assess their current state and chart a path for improvement. These individual frameworks enable companies to prioritize their compliance efforts, focusing on the most critical aspects that directly impact their ability to meet obligations and keep promises.
As regulatory environments continue to evolve and stakeholder expectations increase, this integrated approach to compliance management becomes increasingly vital. By viewing compliance as an integral part of the value chain rather than a separate overhead function, organizations can not only meet their regulatory obligations but also create competitive advantage.
This shift in perspective transforms compliance from a cost centre into a strategic asset that contributes to overall business success, fosters stakeholder trust, and drives continuous improvement across the organization.
Please reach out to us if interested in having a Compliance Operability Assessment conducted for your compliance program (or programs). We would love to hear from you.
Comments