- Obligation’s Hierarchy of Needs
Not all obligations are the same or require the same capabilities or approaches to satisfy. Knowing the differences can help you better understand how best to allocate resources, invest in technologies, and prioritize management objectives to consistently meet them. One way to understand obligations better is to consider them as a hierarchy of needs between commitments associated with accepting legal responsibility and those connected with accepting stakeholder responsibility. These levels create increasing but separate needs to:

  - Comply with minimum requirements
  - Conform consistently to procedures and practices
  - Improve performance to reach and sustain targets
  - Advance stakeholder outcomes

Each level builds on the previous ones. However, the behaviours from one may not always apply to the next. For example, the behaviours at lower levels tend to be predominantly reactive, waiting for incidents to happen. At the higher levels these behaviours shift to be more proactive: goals are set and plans to achieve them are implemented. There are other differences, so let's consider each level in turn.

1. Need to comply with minimum requirements

Organizations most often begin their compliance journey by focusing on legal requirements associated with regulations. These represent the basic or minimum requirements needed to satisfy the conditions under which a regulatory license is given for a company to operate. They tend to be prescriptive, written in the form of "shall statements", and subject to external inspection and audits. Compliance is addressed by closing gaps found in audits or when incidents arise.

2. Need to conform consistently to procedures and practices

When companies begin to internalize their external commitments they start to improve how they meet these basic requirements. They also have an increased desire to accept greater social responsibilities. In a manner of speaking, the more a company looks outwards at how it interacts with and affects others, the more it internalizes external obligations. This introduces new obligations which require taking on more ownership, often manifested by adopting industry standards to improve the consistency of meeting basic obligations. These standards include both technical and management standards. Non-conformances in practices or outputs are identified and addressed through corrective and preventive actions.

3. Need to improve performance to achieve and sustain targeted goals

The next level of needs is often associated with Vision Zero requirements and involves accepting industry objectives towards zero incidents, zero harm, zero breaches, zero fatalities, zero emissions, and so on. These obligations are aspirational goals that require organizations to continually improve their performance to achieve higher standards over time. In the same way that pursuing zero defects helps to drive operational excellence, Vision Zero helps organizations improve other important aspects of their business. To meet Vision Zero requirements an organization must be intentional, proactive, and consistently demonstrate progress. It also requires leadership and accountability at all levels within an organization.

4. Need to advance stakeholder outcomes

The highest level of the Obligation's Hierarchy of Needs is directly connected with the vision and mandate of an organization with respect to stakeholder interests. These will no doubt include financial outcomes but increasingly involve social interests such as ESG (environmental, social and corporate governance) requirements. It is here that we see the use of GRC (governance, risk, and compliance) strategies to help ensure that an organization does what it has promised and is creating the desired outcomes for all stakeholders. Stakeholders are not only "shareholders" but also workers, investors, suppliers, customers, and the communities that are impacted by or have a stake in a company's success. Effectiveness is best measured by the level of trust engendered, which is needed to maintain a social license to operate. This is not something that an organization can apply for; it is granted, not purchased. However, without it many companies could not operate even when they have a regulatory license to do so.

The Path Up the Mountain

Deciding to take the path up the mountain towards greater social responsibility is not easy, as it brings with it more and different kinds of obligations, as outlined above. Organizations that are ethical and have a culture of compliance will find the decision easier to make. These are companies that in general are not harming the environment, exploiting their workforce, or producing products that are harmful or dangerous. Ethical companies exhibit a high degree of integrity with respect to keeping the promises they have made. Integrity provides the motivation for climbing the mountain. Instead of being motivated by staying out of jail, they are motivated by doing the right thing, the right way, all the time, every time. Companies that do decide to climb the mountain and stay the course will notice signposts that mark the transition from:

  - Gap Closing to Goal Seeking
  - External to Internal Obligations
  - Reactive to Proactive Behaviours
  - Completing Actions to Optimizing Systems
  - Creating Outputs to Advancing Outcomes
  - Conducting Audits to Improving Performance
  - Executing Mitigative Procedures to Implementing Preventive Controls
  - Command & Control Structures to Resilience & Preparedness Structures
  - Shareholder focus to Stakeholder focus (i.e. accepting social responsibility)

With every signpost they pass, these companies will gain an increased measure of trust from their investors, shareholders, workers, and the communities in which they operate. They will be the kind of business that customers want to buy from, workers want to work for, and communities want to have in their midst.
- Is The Precautionary Principle Part of Your Risk Strategy?
One of the strategies that forward-looking and proactive organizations use to protect people and the environment is the Precautionary Principle. While there is no single or generally accepted definition of the Precautionary Principle, the concept behind it can be traced back to German environmental law:

  - 1972: Germany: Vorsorgeprinzip ("fore-caring principle") enacted in the Federal Emission Control Act
  - 1982: UN Charter for Nature
  - 1987: Ministerial Declaration of the Second International Conference on the Protection of the North Sea
  - 1987: Single European Act
  - 1992: Rio Declaration, Principle 15
  - 2000: Communication of the European Commission

Broadly speaking, the principle is often used where there is the possibility of harm from making a certain decision and conclusive evidence is not yet available. This is a form of epistemic risk (lack of knowledge) which, given enough time, knowledge, and resources, is reducible. However, the problem is that there may not be enough of those to buy down the risk in time, at an affordable cost, and with sufficient efficacy. And yet, a decision must still be made. In this case, it may be better to err on the side of caution.

Over the years the Precautionary Principle has become a fundamental aspect of many international treaties along with safety and environmental regulations, including the Canadian Environmental Protection Act (CEPA), which states:

Precautionary principle: The government's actions to protect the environment and health are guided by the precautionary principle, which states that "where there are threats of serious or irreversible damage, lack of full scientific certainty shall not be used as a reason for postponing cost-effective measures to prevent environmental degradation."

Why is this principle so important, and why now?

Purpose of the Principle

In everyday language the Precautionary Principle is about being safe rather than sorry. In the case of environmental decision-making, measures are often too slow and too late to effectively contend with risk, which makes this principle of significant importance, even more so now as organizations contend with climate change, biodiversity, greenhouse gas, and other environmental risks.

The Precautionary Principle is a preventive measure against catastrophic or serious harm in the presence of significant uncertainty. If harm is "certain" then preventive measures commensurate with the level of risk are expected. However, in cases where significant harm is uncertain but possible, preventive measures may still be required. This approach is similar to risk management practices used in the energy and oil & gas sectors when contending with high-consequence, low-probability events. In that case the probability is known; it is just low. The guidance is to treat this risk as if it were certain to happen. However, when the probability is unknown but not zero, then what do you do? This is where the Precautionary Principle comes in.

Precautionary Measures

While the application of the Precautionary Principle can be open to interpretation, it is not intended to be a zero-risk approach to prohibit development. Instead, it is a matter of degree, as an Australian court described in the following:

The type and level of precautionary measures that will be appropriate will depend on the combined effect of the degree of seriousness and irreversibility of the threat and the degree of uncertainty... The more significant and the more uncertain the threat, the greater the degree of precaution required.

Applying the Precautionary Principle is not as straightforward as many would like. To help with that, the Commission of the European Communities in 2000 published a communication on the Precautionary Principle in which it outlines that measures based on the precautionary principle should be (among other things):

  - proportional to the chosen level of protection,
  - non-discriminatory in their application,
  - consistent with similar measures already taken,
  - based on an examination of the potential benefits and costs of action or lack of action (including, where appropriate and feasible, an economic cost/benefit analysis),
  - subject to review, in the light of new scientific data, and
  - capable of assigning responsibility for producing the scientific evidence necessary for a more comprehensive risk assessment.

Proportionality means tailoring measures to the chosen level of protection. Risk can rarely be reduced to zero, but incomplete risk assessments may greatly reduce the range of options open to risk managers. A total ban may not be a proportional response to a potential risk in all cases. However, in certain cases, it is the sole possible response to a given risk.

Non-discriminatory means that comparable situations should not be treated differently, and that different situations should not be treated in the same way, unless there are objective grounds for doing so.

Consistency means that measures should be of comparable scope and nature to those already taken in equivalent areas in which all scientific data are available.

Examining costs and benefits entails comparing the overall cost to the Community of action and lack of action, in both the short and long term. This is not simply an economic cost-benefit analysis: its scope is much broader, and includes non-economic considerations, such as the efficacy of possible options and their acceptability to the public. In the conduct of such an examination, account should be taken of the general principle and the case law of the Court that the protection of health takes precedence over economic considerations.

Subject to review in the light of new scientific data means that measures based on the precautionary principle should be maintained so long as scientific information is incomplete or inconclusive, and the risk is still considered too high to be imposed on society, in view of the chosen level of protection. Measures should be periodically reviewed in the light of scientific progress, and amended as necessary.

Assigning responsibility for producing scientific evidence is already a common consequence of these measures. Countries that impose a prior approval (marketing authorization) requirement on products that they deem dangerous a priori reverse the burden of proving injury, by treating them as dangerous unless and until businesses do the scientific work necessary to demonstrate that they are safe.

Application of the Principle

It is expected that the legal aspects of the Precautionary Principle will continue to be argued and debated in the courts for the foreseeable future. However, the adoption of the principle is still expected to increase across industries, sectors, and government, specifically those contending with environmental risk. Organizations will need to learn when and how to apply the Precautionary Principle to their decision-making. This will require organizations to:

  - Incorporate the Precautionary Principle in policy development
  - Integrate the Precautionary Principle with existing policies and programs
  - Operationalize the Precautionary Principle by defining clear and concise operational measures
  - Improve the effectiveness of using the Precautionary Principle through continuous learning and improvement
- API RP 1173 – Taking Ownership of Your Obligations
"Pipeline process management includes determination of needs throughout the pipeline life-cycle, provision of sufficient human and financial resources, identification of the proper sequence of a series of activities, monitoring and measuring the effectiveness of the activities performed, and applying changes or corrections to those activities as needed." – API RP 1173

Managing the Safety of Complex Processes

API RP 1173 is a recommended practice introduced by the American Petroleum Institute that defines requirements for a holistic approach to pipeline safety. Companies that adopt these requirements can improve their safety efforts and achieve greater levels of safety performance. To accomplish this, companies must first define their obligations before they can successfully implement their pipeline safety system.

The goal for API RP 1173 is not to implement all aspects of the practice but rather to use it as a framework on which to build or review a safety program to determine how better to achieve safety objectives (i.e. zero incidents). There are several aspects of this framework that make a traditional check-box approach to compliance ineffective. In fact, it is the wrong way to look at applying this practice. Here are three key characteristics of API RP 1173 that companies should keep in mind:

1. API RP 1173 is a recommended practice

API RP 1173 requirements are not mandatory, nor are they the full extent of what a pipeline safety program should do. Each company needs to determine what it wants its safety program to accomplish, to what extent API RP 1173 will be used, and whether other practices or standards should also be adopted.

"In all cases, operators are intended to have the flexibility to apply this RP as appropriate to their specific circumstances" – API RP 1173

2. API RP 1173 is performance-based

API RP 1173 is not prescriptive in terms of how requirements should be met and, in some cases, what needs to be accomplished. At a minimum, it is up to each company to determine the "how" necessary to achieve the goals and objectives of its pipeline safety program. As the practice is a framework, each implementation may look different in the details from one company to the next.

Several of the approaches I have seen use a gap analysis as part of the implementation process. This is common, particularly when dealing with prescriptive standards. However, API RP 1173 is not prescriptive, so it creates a challenge for those that are looking for a simple check-box approach to compliance. This may result in adding prescriptive requirements so that there is something to be assessed. While prescription may be necessary, there can be, and often is, a significant difference between what is prescribed and the obligations themselves. They are not one and the same. Instead, companies need to separate the "ends" from the "means" in their implementations. This distinction is critical and affects how audits should be conducted to assess compliance. It is common for performance-based standards to separate those things that verify the means from those that validate the ends (i.e. outcomes). An effective safety program will do both.

3. API RP 1173 is risk-based

Safety programs are often described as being all about risk reduction, and you could say the same about API RP 1173. However, it also means using a risk-based approach to achieving safety outcomes, given that there are limited funds, resources, and time to accomplish the goals. Tailoring the means by which safety is done while at the same time coordinating efforts to address systemic risk is one of the hallmarks of API RP 1173. Using a risk-based approach to identify the extent of this tailoring is an effective strategy that is gaining traction as a better way to establish compliance objectives.

Build your safety program on obligations instead of requirements

All of the reasons previously stated contribute to why it is first necessary for companies to identify and define their obligations. This helps ensure that appropriate levels of effort are directed to meeting each obligation. In addition, it allows the means by which they are met to improve and mature over time, which is recommended by API RP 1173. The following steps are well suited for companies who are looking to establish their API RP 1173 compliance obligations:

  - Document the context and expectations for each obligation
  - Define what constitutes evidence of compliance
  - Define how progress against outcomes will be measured
  - Identify what standard will be used to establish normative processes (e.g. ISO 9001:2015, ISO 31000, internally defined, etc.)
  - Identify what is needed (structure, resources, technology, culture, etc.) by the organization to achieve the desired outcomes
  - Identify and evaluate risks (both threats and opportunities) for each obligation
  - Embed obligations, controls, and risk treatment into compliance programs, systems and processes

The output from these steps can be used as input to create a compliance map to help steer the API RP 1173 program. Instead of the typical compliance map that looks like this:

[Figure: typical compliance map]

you will end up with an obligations-based compliance map that looks like this:

[Figure: obligations-based compliance map]

This may appear to be a subtle and insignificant difference in approaches; however, this is far from the truth. An obligations-based compliance map is focused on identifying and meeting obligations. These are commitments that management makes, and it is these commitments that are used to determine the means by which outcomes are achieved. Compliance is built into the means and verified through measures of effectiveness (MoE), compliance (MoC), and performance (MoP). This affords companies the ability to be certain of their compliance and of their capacity to always stay in compliance.

The previous approach, by contrast, is a remnant of prescription-based compliance focused on audits, where for the most part documents and records substitute for evidence of compliance. It is well understood (yet not often heeded) that you can have a documented procedure that is not being followed or is ineffective at achieving the outcomes of the program. The only thing you do know is that you met the requirement to have a procedure, and this is the crux of the matter. Compliance with prescriptive requirements, while important, is no substitute for programs that continually advance compliance outcomes by maturing capabilities.

#APIRP1173 #ManagementofChange #PipelineSafetySystem #ObligationsbasedComplianceMap
- Two Steps Forward Three Steps Back
I have spent most of my career building information and management systems in support of engineering, compliance, and mission-critical processes for highly regulated, high-risk companies. In many cases, these systems were deployed following a process which would roughly follow these steps:

  - Create a project team
  - Identify requirements
  - Select technology
  - Implement system
  - Train users
  - Disband project team

After these steps were done the system would move into "maintenance mode", as is typical for other equipment in the organization. For that is how management and information systems were considered: as equipment. The thought of improving the capabilities of a system after it had been installed did not cross anyone's mind. The only thing that did was to make sure the system remained operational and continued to perform according to how it was originally designed. When the system could no longer do that it would be replaced. In some circles this is called "run to fail", and fail they always did, for all kinds of reasons that included the effects of:

  - Changes in compliance requirements
  - Lack of training
  - Lack of support
  - Changes in technology
  - Changes in leadership priorities
  - Changes in organizational structure
  - Business process changes
  - Changes in culture

Improvements were few and far between and were seldom able to keep up. You might patch the software, upgrade the hardware, or even move to the cloud, but eventually the system would need to be replaced. Improvement of the system might then be entertained. However, what I have observed is that even then improvement did not always come, for the following reasons:

  - The people who knew how things worked no longer work for the company
  - The constraints of the old technology would become "requirements" for the new technology, which would mostly negate any improvement
  - Moving to the "cloud" and cost reduction would be a higher priority than improving system effectiveness
  - Different leadership would have different priorities
  - Run to fail created an urgent response instead of a planned one with sufficient time to consider options
  - Resistance to change (what we did in the past is good enough for the future)
  - And many other reasons ...

When it comes to quality, safety, environmental, and regulatory systems where the goal is to reach a certain level of performance over time, it is no wonder that one of the contributors to the lack of overall progress is the effect of a "run to fail" or "set and forget" mode of system operations. The phrase "two steps forward, three steps back" comes to mind and aptly describes the current state of many systems in place today. Continuous improvement and maturity of capabilities is extremely difficult when a system is thrown out and replaced every 3-5 years, always starting over.

As compliance is now heading towards performance- and outcome-based standards, the way in which systems operate must change to a new mode of operation. This new way of managing systems requires the ability to improve on a continuous basis but, as importantly, the ability to steer, which is what compliance governance is responsible for and is the function of a compliance program. The steering function must continually adjust system capabilities to achieve increasing and changing standards, whether from mandatory or voluntary obligations. Governance is what proactively drives this continuous improvement.

It is important to note that this differs from continuous improvement at the process level, which tends to focus on cost reduction by eliminating waste and improving efficiencies. While this is better than reactively addressing non-conformance, its purpose is still to improve consistency against current standards. Improvement at the system level directed by a compliance program, by contrast, focuses on advancing capabilities to advance overall outcomes:

A compliance program is fundamentally a system in its own right, consisting of proactive processes that anticipate, plan, and act to improve compliance outcomes. An effective compliance program will steer the continuous improvement of processes, technology, and people so as to increase the probability that outcomes will be advanced.

This is very different from the "run to fail" and "set and forget" modes of operation, which assume that compliance obligations are mostly prescriptive and never change. In a world measured by the continuous increase in value, compliance must also be continuous and advancing in capabilities to keep up. This changes the role of governance away from "run to fail" and "set and forget" to one that proactively steers towards better outcomes. Instead of two steps forward, three steps back, compliance governance needs to always be steps forward.
- Where to add Proactive Processes
"Proactivity is a process that can be applied to any set of actions through anticipating, planning, and striving to have an impact." Source: Research in Organizational Behavior, "The dynamics of proactivity at work", Adam Grant, Susan Ashford

To help meet your quality, safety, environmental, and regulatory compliance objectives, being proactive is essential and is best done by incorporating feed-forward processes between functions as well as implementing learn/improve cycles in your feedback path. These become proactive mechanisms when used to achieve goal-directed objectives where progress is made over time by advancing process capabilities, not by conformance to prescriptive requirements.
- A Better Way to Implement Purposeful Systems
Many companies run out of time, money, and motivation before results are achieved and outcomes are improved. This is often the case when it comes to adopting managed safety, quality, environmental and regulatory systems. Traditional component-first approaches fail to deliver an operational system on which real improvement in outcomes can occur. The good news is that there is a better way.
- Seeking the Wrong Goal
When it comes to systems, the goals we choose greatly affect the outcomes that are obtained. This is particularly true when it comes to the goals of feedback processes, those used for correcting or reinforcing behaviors. When these goals are ill defined, the system will faithfully continue to produce a result; however, it may not be the one intended or wanted. Donella H. Meadows, in her book "Thinking in Systems", provides an illustrative example:

The Goal of Sailboat Design

Once upon a time, people raced sailboats not for millions of dollars or for national glory, but just for the fun of it. They raced the boats they already had for normal purposes, boats that were designed for fishing, or transporting goods, or sailing around on weekends. It quickly was observed that races are more interesting if the competitors are roughly equal in speed and maneuverability. So rules evolved that defined various classes of boat by length, and sail area and other parameters, and that restricted races to competitors of the same class. Soon boats were designed not for normal sailing, but for winning races within the categories defined by the rules. They squeezed the last possible burst of speed out of a square inch of sail, or the lightest possible load out of a standard-sized rudder. These boats were strange-looking and strange-handling, not at all the sort of boat you would want to take out fishing or for a Sunday sail. As the races became more serious, the rules became stricter and the boat designs more bizarre. Now racing sailboats are extremely fast, highly responsive, and nearly unseaworthy. They need athletic and expert crews to manage them. No one would think of using an America's Cup yacht for any purpose other than racing within the rules. The boats are so optimized around the present rules that they have lost all resilience. Any change in the rules would render them useless.

Meadows suggests a way out of the trap of seeking the wrong goal: "Specify indicators and goals that reflect the real welfare of the system. Be careful not to confuse effort with result or you will end up with a system that is producing effort, not result."

These principles are not new, although they are easily forgotten and something we must always be reminded of. This can be seen in the number of companies that define their indicators and goals mostly by counting the things they are doing (i.e. measures of effort) without evaluating the effects of these efforts (i.e. measures of effectiveness). Many companies have created policies to optimize the production of numbers, which when it comes to compliance looks something like this:

  - The number of compliance issues open
  - The number of hours of training per employee
  - The number of internal audits completed on time
  - The percentage of outstanding post-audit issues
  - The number of complaints
  - And so on.

As a result, companies have become experts (or now require hiring them) to support the business of auditing rather than the business of meeting obligations. They have created the equivalent of an America's Cup yacht optimized for one purpose: winning the audit game within the rules they have created. The compliance function is now so optimized around passing audits that it is unable to adapt to changes in regulations from prescriptive to performance- and outcome-based designs. Compliance has created a high-performing yacht to win a race, but not the race that now matters.

#systemsthinking
- Taming the Dragon of Uncertainty
When it comes to business, life, and of course compliance, there are dragons that cross our path that cannot or should not be avoided and instead must be faced head on. Dragons may appear first from a distance, and when viewed from afar may appear more or less dangerous than they really are. Until the threat arrives we have time to improve our vision, to understand its nature, and to devise strategies to successfully contend with it.

Most threats are a manifestation of uncertainty, which is the root cause of risk (ISO 31000). This uncertainty may come in different forms, the most common of which are aleatory uncertainty, having to do with randomness, and epistemic uncertainty, having to do with lack of knowledge. However, threats often will not be limited to either one but will consist of all forms of uncertainty in varying measures over time.

When risk behaves mostly like aleatory uncertainty (random, chaotic, complex):

  - Assume the threat is serious and its effects cannot be controlled.
  - Accept that negative outcomes will happen.
  - Treat uncertainty by using margins such as reserves, contingencies, insurance, savings, etc.
  - Introduce broad-level safeguards and life-saving practices.
  - Goal is amelioration (to make better, to improve).

When risk behaves mostly like epistemic uncertainty (lack of knowledge):

  - Assume the threat is serious but its effects can be controlled if better understood.
  - Accept that negative outcomes may happen.
  - Treat uncertainty by buying down risk.
  - Develop capabilities to increase knowledge of the threat and learn how to prevent or reduce its effects.
  - Introduce targeted-level safeguards and life-saving practices.
  - Goal is mitigation (to reduce, lessen, or decrease).

Although, when it comes to uncertainty, nothing stays the same:

  - The threat may change
  - The effectiveness of measures may change
  - Our understanding of the threat may change
  - Conditions may change

Therefore the path to certainty will seldom be a straight line, which can be frustrating for some. As our knowledge of the threat increases and the effectiveness of risk measures is better understood, our path will necessarily change to focus on the uncertainty that remains. For this reason risk & compliance will always be a continuous endeavor, seldom a straight path but always working toward taming the dragon of uncertainty.
- Anatomy of Compliance Risk
Everything happens in the presence of uncertainty, and this uncertainty creates the opportunity for risk.
- Minimal Viable Performance (MVP)
Outcomes are the effects of capabilities, which means that if you want to advance your outcomes you need to advance your capabilities. The purpose of a management program is to adjust system set-points to the values needed (i.e. Minimal Viable Performance, MVP) to achieve the desired outcomes. This works the same way that a thermostat works in your home. If you want to feel warmer you need to set the thermostat to a higher value. It is then the responsibility of the heating system to first achieve and then maintain that value. This is called a persistent achievement obligation.

You may find that your compliance systems do not have the capabilities you need to achieve and then maintain your higher standards. There are three categories of measures to help you know if your systems are operating at levels that meet persistent achievement obligations. These are:

  - Measures of conformance: evidentiary artifacts that demonstrate conformance to requirements
  - Measures of performance: abilities to meet compliance objectives
  - Measures of effectiveness: progress against compliance outcomes towards zero non-conformance, injuries, violations, emissions, etc.

Internal and external audits mostly focus on verifying conformance. However, the purpose of the compliance function goes further: to ensure that safety, quality, environmental, and regulatory systems are operating at the levels needed to achieve targeted outcomes. This requires an integrated approach focused not only on conformance of each element but also on how each element performs in the context of the entire system.
- Compliance Under Uncertainty Is Slowing You Down
When life is uncertain things are unclear, you don’t know what to expect, and you react to things when they happen. So you walk slowly, as if on eggshells, testing every step to make sure it is not a hole or the edge of a cliff. Life under uncertainty is a slow process. This is what it is like for many organizations with their compliance. They are uncertain of their obligations, they don’t know what to expect, and they react when non-conformance happens. So they create more rules to walk slowly and check every step to make sure that everything and everyone stays within the lines. Compliance under uncertainty is also a slow process. So how does one make progress and move faster? Some may decide to throw caution to the wind and just press ahead hoping for the best. This happens in life and in compliance. This approach appeals to risk takers, but perhaps to those that like risk too much. Given a chance they will gamble their life and their companies away. Both of these approaches fail to address the root cause, which is the lack of knowledge, or what is called epistemic uncertainty. If one wants to make progress it is important to contend with this uncertainty. This means identifying risk and then establishing measures to buy it down so that it doesn’t slow you down. If you want to stop compliance from slowing your business, consider joining The Proactive Certainty Program™. This program helps you move faster by reducing risk so you don’t have to walk as if on eggshells any more.
- Compliance Needs to Operate as a Business
Compliance creates value by building trust when obligations are met and protects against the erosion of value when they are not. To achieve this, compliance needs to operate as a business. It must create value, advance goals & objectives, and manage resources and systems to deliver a return on investment. ISO 19600 provides a framework to manage all your obligations under one governance system. It does this by establishing processes to identify, implement, evaluate, and maintain all mandatory and voluntary obligations covering quality, safety, environment, security, regulatory, and other risk-based obligations. The goal of ISO 19600 is to promote compliance effectiveness. An important first step is establishing an obligations registry where you can manage performance / outcome goals, threats & opportunities, controls, improvement objectives, and measures of compliance, performance and effectiveness. This will help you to know the status of your compliance and, as importantly, whether you have the capabilities you need to be effective at creating trust and protecting against loss.
