The focus on value-based outcomes has become a dominant approach in the health care sector over the last few decades. It has also made inroads in other highly regulated high-risk sectors specifically with regards to regulatory designs and policies associated with safety, security, environmental, as well as public service outcomes.
This outcome-based perspective influences many things including what compliance systems look like and how they need to perform.
The Ends Versus The Means
According to Michael Porter value-based systems derive outcomes from the performance of the capabilities in the value chain. This chain of capabilities can be considered as an operational system that consists of interconnected systems which will include risk and compliance processes. These systems work together to produce the desired outcomes for the organization.
When it comes to risk and compliance obligations they can be described across the dimensions of the ends versus the means depending on a number of factors including:
Who will be accountable for the outcomes
The capability maturity of the industry to address risk
The level of innovation needed to address risk
The desired outcomes to be achieved
When the ends are specified either in terms of the outcomes and performance requirements the organization is accountable for achieving them by means they determine usually based on the level of risk, complexity, and size of the operation.
However, when the means are specified either in terms of management standards and as prescriptive rules then the resulting outcomes and performance remain the accountability of the regulator or standards body. The organization is accountable for providing sufficient evidence of following the standard and applicable rules. Organizations may go above and beyond and some do, however many don't, and therein lies the rub.
As a consequence, it is becoming more common to see regulations and standards use outcome and performance-based specifications to enable more ownership, and innovation in order to achieve better outcomes.
This transformation has not been a smooth transition. Many regulators and standards bodies while changing some of the language are keeping existing regimes in place. This is understandable as it is not possible to change everything all at once. However, this has slowed down the adoption of the modernization of regulatory frameworks and has created much confusion in the process which is itself a risk.
In this post we take a deep dive into one aspect of an outcome-based approach which is how specifications are defined. We will consider outcome-based specifications using the health care sector as an example who have adopted outcome-based approaches over the last few decades and offer important insights that other sectors can benefit from.
Outcome-based Specifications
In the health care sector outcome-based specifications are used to describe the purpose or function that a product, service, or system must fulfill to meet the desired patient outcomes. Implementing protocols and procedures are critical, however, at the end of the day it is the patient outcomes that really matter and to improve them a holistic and risk-based approach can enable innovation and better support continuous improvement.
Specifications for solutions are written in terms of the desired outcomes along with the capabilities needed to achieve them rather than as requirements regarding how things should be done. This affords the necessary flexibility to make design trade-offs so that overall outcomes are advanced rather than only the outputs of processes.
Common principles for outcome-based specifications that are used include:
Ensure specifications describe outcomes rather than prescription for how each might be achieved. Outcomes should be in units meaningful to the stakeholders and not connected with technical aspects. Specifications should allow for both ultimate (aspirational, final, etc) as well as instrumental goals (key results and progress necessary for the solution to be considered effective). Although outcome-based goals tend to be more qualitative than performance goals quantitative measures should still be specified so that effectiveness can be evaluated.
Describe the system in terms of capabilities and the performance needed to achieve and sustain desired outcomes. These should be measurable, realistic, sustainable, and verifiable.
Specify standards where applicable to indicate performance and compliance requirements.
Specify interactions and dependencies that the system will operate within. The system must be more than the sum of its parts and it must participate in the larger context in the same way.
Identify uncertainties related to the outcomes and capabilities. The evaluation of these uncertainties will help to establish necessary risk measures across the life-cycle of the product, service, or system.
Ensure value-based evaluation criteria that validates outcomes and measures success meaningful to the stakeholders.
Specification can flow down from regulations and standards as well as derived from the purpose of collective and individual obligations. The following is a list of fragments of outcome-based specifications for risk & compliance systems:
The safety system shall provide sufficient protection as reasonable practicable to achieve an ultimate goal of zero worker fatalities. The effectiveness of the system will be measured by the advancement of intermediate objectives as outlined by the safety governance program.
The risk management system shall control the level of institutional risk below risk tolerance levels as specified by the board of directors updated quarterly.
Operations shall reduce the emissions of green-house gases at the rate specified within the 2020 environmental policy.
The organization will consistently achieve and sustain full compliance with all legal and regulatory obligations measured by conformance as evidenced by zero audit findings verified by a third party, performance monitored and adjusted monthly as part of proactive management, and effectiveness measured by progress towards compliance objectives and goals.
The compliance management system shall provide real-time compliance status across all compliance obligations made available to all stakeholders of the system.
Risk and compliance systems will provide sufficient transparency to support retrospective investigation and analysis in order to learn how to improve targeted outcomes and capability performance. This will include visibility of all data collected, traceability for decisions made by humans or machines, and measures of compliance, performance, and effectiveness.
All management systems shall protect the privacy of personal data in accordance with data privacy and security policies, regulations, and standards ( state them here) with an ultimate goal of zero breaches verified by third party audit.
The quality management system shall implement effective risk controls as reasonably practicable to address significant uncertainties to ensure achievement of targeted quality outcomes within a 80% confidence level.
The performance of risk and compliance systems shall improve over time at the rate necessary to meet and sustain achievement outcomes as approved by the board of directors.
Risk and compliance systems shall be resilient to material changes in organizational structure or management accountability as demonstrated by zero loss in performance during changes.
Risk and compliance systems shall effectively manage the competency of people, processes, and technology to ensure consistent performance with respect to quality, safety, environmental and regulatory objectives.
Outcome and Performance Verification and Validation
As regulations and standards continue to adopt performance and outcome-based designs the use of outcome-based specifications increasing the need for similar approaches such as those used in the pharma and medical device sector.
While regulations around these have become overly restrictive, which are slowly being addressed, these approaches can provide insights to how outcome-based specifications are described, managed, and used to qualify, verify, and validate products, services, and systems that are outcome-based.
The following are common terms used to qualify, verify, and validate solutions in the health care sector (modified for risk & compliance):
Qualification of Capabilities
Process to demonstrate that the system (people, process, technology, interactions, etc.) is capable, although perhaps not yet performant, of achieving targeted outcomes.
Verification of Design
Confirmation, through the provision of objective evidence, that the system's design meets outcome-based requirements. This will often require traceability of activities, performance, and capabilities to intended outcomes.
Validation of Outcomes
Confirmation, through the provision of objective evidence, that the system is effective at meeting specified outcomes and is able to sustain and improve them over time. This evaluation is against each organization's specific goals and objectives.
Looking Forward
Companies that have managed risk and compliance systems under prescriptive regimes may find that they will need different skills to meet obligations that are described using outcome-based specifications. Instead of audit being the primary function, compliance assurance, risk and performance management will take centre stage. Industry associations will also become more important to provide education, evaluation frameworks and support for member organizations during the transition towards outcome and performance-based obligations.