Controls without systems are not controls, they are only processes.
In many compliance domains meeting obligations is seen as a controls problem. As a result, documenting, building, managing, and monitoring controls is at the forefront of compliance activities.
This is reinforced if not driven by industry management system standards which conceptualize compliance in the same way and provide a long list of controls that you “should” implement.
However, focusing solely on controls often results in losing sight of the big picture. Many have lost sight of the forest for the trees.
Controls are processes that adjust operating system parameters to maintain output between targeted values. Technically, controls perform the function of regulation needed to achieve compliance to a given standard of performance. This applies to all systems including socio-technical ones.
However, all too often controls are implemented without knowledge of what they are intended to control, how they work, or what they are supposed to accomplish. Many may not be connected to the systems they are intended to control. They may even operate at cross-purposes implemented to work separately and not together. This is definitely a significant source of compliance waste.
Instead of compliance systems, many organizations have control management systems often not doing more than mapping controls to regulatory elements. They might even have all the boxes checked and able to pass an audit.
What many organizations don’t have (but need) are controlled systems to deliver on commitments associated with their obligations. They need systems capable of creating the outcomes of compliance.
Compliance is about regulation and you cannot regulate without a system – you cannot regulate with controls alone.
If you are not realizing desired outcomes from your compliance efforts, check to make sure your controls are connected, operational, and are effective at regulating your safety, security, sustainability, quality, environmental, regulatory and ethics systems.
Don’t lose sight of compliance for the controls.