More companies are becoming aware that they are too reactive when it comes to compliance. In my previous blog, I discussed four misuses of audits that result from a reactive approach. In this blog, I will look at the other side and present four steps that companies can take to move the pendulum from reactive to proactive compliance.
Instead of steering compliance by looking through the rear view mirror at what has already happened, compliance now is looking ahead, deciding where it wants to go and steering towards better outcomes. This change starts with knowing where you want to go.
1. Take ownership of all obligations (mandatory and voluntary)
Taking ownership means more than simply complying with a given guideline, standard or regulation. Ownership means being responsible and answering for the outcomes of compliance obligations (i.e. the promises made to stakeholders). It is therefore necessary to have clear and unambiguous objectives for what you want compliance to accomplish. The following will help clarify compliance objectives so that those accountable will know what and how compliance outcomes will be accomplished:
Document the context and expectations for each obligation
Define what constitutes evidence of compliance
Define how progress against outcomes will be measured
Identify what standard will be used to establish normative processes (ex. ISO 9001:2015, ISO 31000, ISO 37301, etc.)
Identify what is needed (structure, resources, technology, culture, etc.) by the organization to achieve the desired outcomes
Identify and evaluate risks (both threats and opportunities) for each obligation
Embed obligations, controls, and risk treatment into compliance programs, systems and processes
2. Embed compliance into programs, systems and processes
Compliance requirements manifest themselves inside a business in many ways. However there are two contexts that address the majority of a company's compliance obligations: (1) management systems such as: quality, safety, environmental, risk management, and audit, and (2) compliance-critical processes such as: human resources, security, finance, design, manufacturing, maintenance, supplier management, and other processes under regulation (i.e. controlled processes).
In all these cases, compliance benefits from being directly embedded into each process rather than only by means of inspections or audits. Embedding will enable the level compliance to be known at all times rather than after an audit. With this in mind the following are important measures to collect:
Measures of Effectiveness (MoE) – critical to program success, independent of any technical implementation.
Measures of Compliance (MoC) – critical to compliance, where failure maybe cause for reassessment of the program
Measures of Performance (MoP) – measures that relate to the operations of the compliance program, systems, and processes.
3. Monitor in real-time the status and the ability to stay in compliance
Regulators (and proactive companies) are interested in knowing the level of compliance right now, in the past, and more importantly if there is sufficient capability of being in compliance tomorrow. Unfortunately, many companies are not certain of their level compliance until an audit has been conducted. This is far too late to be used as a means of governing compliance programs. Even still, they may not know if they have adequate capacity or capability to sustain compliance against changing and increasing demands.
Companies should establish real-time monitoring so they are always certain of their level and capacity to meet compliance. Many are already spending excessive effort conducting pre-audits, internal audits, and third-party audits only to discover that they have been to some degree out of compliance.
Less effort is expended by achieving and staying in compliance all the time. This the similar to losing weight. It is easier to keep the weight off rather than to gain and lose it time after time. However, what is more important is by keeping the weight off you can experience the benefits of a healthier life-style all the time. You will have the energy to do the things that really matter and are important to you.
Why wait for an audit when you can experience the benefits of being in compliance right now? The reason companies do wait is because they do not understand there are benefits beyond passing an audit. They are not aware that the reason for compliance is to achieve the outcomes which include: greater customer satisfaction, better quality, reduced safety incidents, less impact on the environment, lower risks, and many more. These outcomes are what really matter and who wouldn't want these benefits right now.
4. Improve compliance on an incremental and continuous basis
Improvements of any kind need to be made in a safe manner that maintains compliance. It is easier to make these changes incrementally and on a continuous basis. LEAN has taught us that improvements made this way can add up to substantial savings as well as increased capacity over time. It is no wonder that many standards require continuous improvement and have adopted the Plan-Do-Check-Act (PDCA) cycle introduced first by Deming.
There are several sources for improvements and include:
Proactive strategies (ex. LEAN, process maturity, risk-based thinking, etc.)
Internal continuous feed-back and feed-forward processes
External audits and review
Adopting or modifying existing obligations
Companies that do not take a proactive approach with compliance may find that they are not able to sustain even their existing level of compliance under the weight of increasing regulations. For them, the result will be: increased risk, loss of trust from their stakeholders, and for some, loss of their business.
However, companies that follow the steps outlined above will find they no longer wait for customer complaints to arrive, audit findings to be found, or for issues to mount up before they make improvements. They also will not see compliance as a tax on productivity that must always be reduced. Being proactive will become for them an ethical choice about keeping their promises and embedding them into the DNA of the organization.