Compliance management systems are used by organizations for the purpose of helping them first achieve and then maintain compliance which is the outcome of meeting all your obligations (ISO 19600).
The question is what properties or behaviours of a compliance system are needed for this outcome to be created? What is essential for a compliance system to be effective?
How are outcomes created?
To answer this we need to understand how outcomes are created in the first place.
A system outcome is an emergent property that for compliance may be greater safety, quality, security, reputation, or any number of desired objectives.
It is the collective interactions of all essential parts of a compliance system that are responsible for the overall system behaviour and any emergent properties.
Dr. Russell Ackoff defined a system as:
" a whole which is defined by its function in a larger system of which it's a part. For a system to perform its function it has essential parts:
Essential parts are necessary for the system to perform its function but not sufficient
Implies that an essential property of a system is that it can not be divided into independent parts.
Its properties derive out of the interaction of its parts and not the actions of its parts taken separately."
For example, using a transportation system such as a car, transporting someone from point A to B is an emergent property. A car fulfills this purpose when all its essential parts are working together to "transport" someone. It is not the property of any of its parts taken separately.
When you take a car apart it is no longer a car. It cannot perform its function. You can take all the parts and put them on the ground. You can analyze them, improve them, but you still don’t have a car.
There are also no parts on their own that can perform the function of a car. A car engine by itself cannot transport anything including itself.
Another way of saying this is a compliance system is not the sum of its parts. In fact, it is a product of the interaction of its parts. Without the interactions you only have a bin of parts, a collection of components, a set of elements, but you do not have a system.
Building parts
For many organizations, compliance remains an exercise in manufacturing parts which they add to their collective parts bin.
Unfortunately, none of the parts on their own will produce the desired compliance outcome. Audits, obligation registers, controls, risk measures, training; none of these by themselves is enough.
Even if all the parts existed, if they do not work together as a whole you will still not have a compliance system.
As with a transportation system we could have something simple like a skateboard or bicycle or more capable such as a motorcycle, car or a plane. What is important is that they all fulfill the transportation function recognizing that some are more effective than others.
Instead of focusing on building parts organizations need to think about enhancing systems. They perhaps need to start with a skateboard equivalent of a compliance system, then move onto a bicycle, and so on. Each version of the system can produce compliance and will manifest all essential properties.
Compliance system properties
We have found that the following properties contribute to a compliance system's effectiveness:
Operational – must have all the essential parts working together as a whole to produce an emergent property of compliance evidenced by the advancement of outcomes.
Proactive – capable of establishing new goals and measures that continually advance outcomes. (ex. governance)
Viable - capable of being achieved using current technologies. While new technologies may be helpful the system must be operational with the technologies currently available.
Sustainable – capable of consistently achieving targeted levels.
Resilient – consistently performs in the presence of changing conditions. Feed-back controls are used to reduce variation and to create consistency in both performance and outcomes.
Efficient – capable of achieving targeted performance with minimum waste.
Adaptive – capable of learning from the past to improve future outcomes. Performance and outcomes are measured to understand correlation and causation.
Transparent – capable of retrospective investigation and analysis. We are able to know what the rules are.
Compliance systems that have these properties in increasing measure of capability maturity are more likely to fulfill their compliance function.
What is essential?
We can now answer the question as to what properties are essential for a compliance system.
The properties that are essential are those that are needed for the system to be operational.
These are not sufficient for it to be effective but are necessary to perform in such a way to create the emergent property of compliance.
The system may not perform much beyond a skateboard at first but you can still get from point A to B. You can improve capabilities over time to get faster, with less resources, and so on.
Determining what is needed to be operational requires clearly defining the purpose of your compliance system (what are the desired outcomes) and then identifying the capabilities along with their interactions (i.e. the behaviours) to fulfill that purpose.