SEARCH

This is the perfect time of year to evaluate your compliance programs and make adjustments so that you achieve your objectives. However, to make that assessment you need to know where you are heading and then you can consider what paths will help and which ones to avoid. To help with your assessment here is a list of characteristics of what an Ideal Compliance Program might or even should look like. An Ideal Compliance Program will: Focus on outcomes Define comprehensive, clear and concise obligations Specify unambiguous goals and objectives Utilize standards to ensure normative behaviors Embed compliance to always keep you out of danger Be friction-less (doesn't add drag to your work processes) Effectively meet all required and voluntary obligations Consistently perform to your higher standards Easily adapt to meet new compliance obligations Implement systems that always keep you in compliance Be ethical, transparent, and have a high-degree of integrity Always improve Compliance is not just what you do at the end of everything else. It is instead, a competency that you improve over time to ensure that you achieve your business outcomes. #IdealCompliance

Rule # 2 - Take Ownership of All Your Obligations Being proactive with your compliance begins with taking ownership of all your obligations and this includes defining program outcomes and objectives. You may argue or debate what compliance program outcomes and objectives could or should be. What you cannot be is uncertain as to what they are. If your program goal is zero incidents then you know what your commitment needs to be. If your goal is to achieve a higher standard of quality then you also know what you need to do to achieve that. The outcomes you choose will direct where you are aiming, the strategies to get you there, and the capabilities you need to make progress towards them. Research shows that companies who adopted ISO 9001 Quality Management System (QMS) standard for the purpose of certification achieved just that – certification. These companies rarely saw an improvement in their quality. However, companies that wanted to improve their quality and chose to implement ISO 9001 as a means to get there, not only achieved certification, but they also improved their quality. They got both. The difference with these two companies was where they aimed. Where are your quality, safety, environmental, or regulatory compliance programs aiming at this year?

This is a work of fiction. Names, characters, businesses, places, events, locales, and incidents are either the products of the author's imagination or used in a fictitious manner. Any resemblance to actual persons, living or dead, or actual events is purely coincidental. We thought we were doing OK. We really did. I guess we were wrong. We consider ourselves an ethical company and take quality very seriously. We have someone assigned to all the typical compliance areas: quality, safety, environmental, and regulatory. We thought we had it all covered. We always conduct our periodic audits and pass all our certifications. However, auditors always found something, but that's normal. Auditors always need to find something, right? Nothing big mind you. Just little things for our people to work on; something to improve. The point is that by every measure we were doing just fine. We didn't expect that something would go this wrong. We had no idea, it was only a small change. We just needed to pass an emissions test. We had a timeline and time was running out. We had to do something. Some of the staff worked around the clock and came up with a software work-around that would fix the issue. Great! It was tested, it worked, and we were good to go. I guess we didn't expect that a small change would blow up in our faces. We never imagined this would expose a fault that was always there and something that we should have addressed long ago. What was that fault? Well, its not what you might think. It was a fault in our communication. When senior managers asked if the emissions issue was addressed, the answer given was yes. This was true (kind of). They were glad to hear that we could ship on time. That's all they cared about, at least that's what all their communication had indicated. Everyone who worked on the solution was considered a hero and were even given extra time off. I think in retrospect they would give all that time back if they could. It wasn't too long that this would blow up in our faces – big time. Hero to goat overnight. We are not sure if we will even survive this. You see, what happened was we took a short cut. Some might call it cheating although we didn't think of it that way at the time. The staff were just trying to solve a problem. They figured out they could adjust how our product works to lower the emissions while it was being tested. The product could ship on time and everything would be good – right? No, wrong! Once what we did was discovered, our reputation was in the toilet. Only a few people actually knew how the issue was solved. Frankly, nobody really cared how it was done. As long as we could ship, that's all that mattered. We were wrong about that. Apparently, it does matter – it matters a lot. Who was at fault? At one level it was the coders. However, that's the wrong way to think about it. It was the whole company's fault. We ask our staff too often to perform miracles so that production targets are met. We should have never asked them to do "whatever it takes" to solve problems like this, or any problem for that matter. I hope we get a chance to learn from what happened. However, our reputation is badly damaged that I am not sure if we will get the chance. It's going to take a long time to earn back the trust we lost with our customers. We could have done better. We should have done better and now we are paying for it.

Focusing on non-conformance is the first level of compliance. This involves meeting the prescriptive part of a regulation or industry standard. However, standards and regulations have changed and are now more performance-based focused on continuous improvement and risk. Instead of asking the question, "did we follow the procedure?" Compliance has evolved to answering a different question which is, "how well are we at achieving outcomes such as: zero injuries, zero defects, zero violations, zero environmental impacts, zero ethical misconducts?" The former is reactive, looking at the past. The latter is proactive, anticipating the future.

Turtle diagrams are often used to document processes in support of ISO standards and guidelines. However, they tend not to include compliance and risk as part of process definitions. That's why we created the Compliance Beetle so you can document compliance and risk considerations directly within each process. Download your template here . #RiskAssessment #ComplianceInsights #Complianceimprovement #RiskbasedThinking

The purpose given for companies is often stated as making profit. However, companies can exist for a greater purpose. They can exist to create opportunities for people to work so that their potential can be realized to some degree. The greater the degree, the more humanized the workplace becomes. However, when workers are used like “machinery” the work becomes dehumanizing. There is always a tendency (for the sake of efficiency) to separate humanity from the mechanics of business. Perhaps, when businesses are completely robotic (if that is even desirable) we can achieve total separation and no one needs to worry about values and ethics in the workplace anymore. In fact, we would not have workplace and I wonder if we could still call these businesses either. In a similar way, we can think of compliance in a dehumanizing fashion. Compliance for many companies is seen as a tax on productivity and something that should be reduced. This may lead to viewing compliance roles as something that we want to reduce and replace with technology. However, when taking a closer look we notice that compliance has more to do with managing risks than it does conformance to standards and following rules. Managing risk is a human-centric process that requires people to anticipate, plan and act to prevent or mitigate a threat or enable and exploit an opportunity. In fact, not only is risk management human-centric it is very much an ethical process. For example, safety involves making decisions that involve risk. Risk-based decisions due to their inherent uncertainty are in the category of ethical decisions that a company makes and cannot easily (or at all) be reduced to a set of rules or to a machine. If the risk can be completely eliminated by removing the hazard then rule-based decisions (the kinds that computers can do) might be appropriate. However, should the hazard remain and uncertainty persist then the decision to proceed becomes an ethical choice which is only something humans can do. #Ethicalcompliance #complianceandvalues

For compliance to be effective you need the ability to: (1) demonstrate that you have met your obligations in the past, (2) meet your obligations today, and (3) meet your obligations tomorrow (and every day thereafter). This requires an architecture that is both resilient and adaptive to change over time. Current cloud based architectures are in many cases evolutionary. While this makes change easier, they also suffer in the same way as evolution does in nature (i.e. it is always changing). Each day we read about new platforms that in some cases replace, but in many cases discard what was already there. You might call this survival of the fittest. Companies looking to put their compliance data and processes into the cloud need something more enduring. This is what good architecture provides and something that has been lacking as technology marches on towards something new and shiny. Before you decide to lift and shift your compliance to the cloud, you may want to consider the following: Does the technology platform meet all your compliance standards? Does the platform allow you to tailor processes to meet your higher standards? Do you maintain ownership of your compliance data or is it being monetized by the provider? Is your compliance data adequately protected and secure? What are the risks to you and your stakeholders should your compliance data be breached? Can you transfer your data to another platform and resume operations without loss of compliance? #ComplianceTips

A critical process used in safety, quality, environment, and regulatory programs is the process that manages change. The reason for this is that change creates the opportunity for new risk to be introduced, existing risk to be modified, or latent risks throughout the organization to be exposed. The impacts of change can result in: Mission and Strategic Risk - uncertainty in your ability to achieve short and long-term mission success Performance Risk - uncertainty in your ability ability to achieve performance objectives Value chain Risk - uncertainty in your ability to create existing value Compliance Risk - uncertainty in your ability to achieve quality, safety, environmental, and regulatory outcomes Productivity Risk - uncertainty in your ability to drive down cost and improve efficiencies Systemic Risk - uncertainty in your ability to isolate risk and avoid risk propagation Organizational and Structural Risk - uncertainty in your ability to maintain appropriate resources and systems needed for mission success Reputation and Social Responsibility Risk - uncertainty in your stakeholder's ability to trust you Innovation Risk - uncertainty in your ability to create new value streams Transformation Risk - uncertainty in your ability to transfer new value streams to the performance zone Audit and Certification Risk - uncertainty in your ability to pass an audit or achieve certification That is why highly-regulated companies in high-risk sectors invest in advanced Management of Change (MOC) systems to effectively manage risk. These systems provide companies with the ability to: quickly identify high impact changes, develop and execute change plans tailored to the level the risk, and monitor risk during and after the change is made. The best companies also consider how overlapping and cumulative changes impact mission success. As is often said (but not so often heeded), it is usually not a single change but rather a series of small changes made over time that leads to a serious incident. Make certain this doesn't happen to you. If you have a basic MOC procedure you may want to consider the benefits of an advanced process to make certain risk is properly managed.

The role of compliance should be to help organizations ensure that outcomes are achieved through proper governance and the management of uncertainty. It should operate more like a Project Management Office (PMO) does in helping projects succeed instead of as a traffic cop waiting to pull you over at the next audit. It's time to put compliance at the front of the line where it can show everyone how to ethically contend with regulations. It's time for compliance to say YES we can and here's how rather than no you can't. #LeanCompliance #Compliance

This post is written by our guest blogger Barbara Kephart. Textiles from the Jacquard Loom Museum of Modern Art, New York City Photo by Barbara Kephart I adore all types of technology. My favourite is the selfie toaster that imprints your photo directly onto your morning toast. In my opinion this toaster is a must for every modern kitchen. It is these types of creative automated inventions that make me wonder why was it created, and what problem was it trying to solve? So when I was visiting the Museum of Modern Art in New York City a few months ago I was overjoyed to discover an exhibition called Thinking Machines: Art and Design in the Computer Age, 1959–1989. This exhibit combined art and design to trace back how computers transformed and reshaped our lives. The questions that came to my mind when touring the Thinking Machines exhibit was: what causes ineffectiveness in our processes, and does technology help or make it worse? In the year 1804, a man named Joseph Marie Jacquard asked this same question. Jacquard was born to a family of weavers and strived to improve the textile loom used to create fabrics. The loom at that time was based on earlier inventions by other inventors. Jacquard wanted to improve the manual and labour intensive process to weave existing designs. He created a head that controlled a chain of punch cards laced together in a sequence, and each row of punched holes matched one row of thread in the design. With the Jacquard head attached to existing looms, the time to create a textile was considerably shortened and the loom could be operated by one person instead of multiple people. The Jacquard Loom in operation A Jacquard Loom Weaver Photo: Horace Bristol/Three Lions/Getty Images Jacquard recognized the nature of weaving was repetitive, and his invention changed the way patterns were created. According to The Institute, the Jacquard loom quickly became the standard during the industrial revolution for weaving luxury fabrics. The first punch card computer invented in the early 1880’s by Herman Hollerith was said to be inspired by the Jacquard loom. Hollerith’s new company called the Tabulating Machine Company eventually became IBM. And Charles Babbage, known as the “father of the computer”, was also influenced by Jacquard’s work. Some historians believe the Jacquard loom was the earliest computer as it produced an output (the woven fabric) in response to the input (the string of punch card designs). Many process experts also believe it was the earliest known form of LEAN techniques in the workplace, since this invention and the later power driven loom set in motion a stream of continuous improvements over time. I find it fascinating how Jacquard’s work influenced modern computing and process improvement techniques. However automation of textiles led to mass production of clothing and left many workers unemployed during the industrial revolution. When we fast forward to present day there is an overabundance of clothing choices; I can buy six inexpensive shirts that may never get worn. When I donate these shirts to a charitable organization, they are offered to individuals in a developing nation who find the shirts culturally inappropriate and all six shirts land in that country’s landfill. This is an unintended consequence of automation. A LEAN process is supposed to eliminate waste, but in the case of textile automation we may be creating more waste over time. When considering whether or not to automate, we should be asking the most important question of all: what is the real problem we are trying to solve and will automation always be the answer? No, I do not own a selfie toaster. But to those of you that do, as you gaze at your toast each morning you could ask - has this really solved my problem? #Automation #LeanImprovement #Lean

There is never enough time, knowledge, or resources to contend with all the risks that a company faces. Therefore, they must choose which risks to address. This is not easy and cannot always be determined by ranking based on risk scores. To know which risks are important you first need to have clearly defined outcomes and objectives. This is because the risks that matter are connected to them. Unless you know what outcomes/objectives you are targeting, you cannot improve, you cannot know what changes will hinder or advance yours goals, and you cannot know which risks really matter. #RiskbasedThinking #Compliance #ComplianceExcellence

Every business operates in the presence of uncertainty. This uncertainty creates the opportunity for risk. Compliance programs buy down risk to ensure outcomes are achieved. That is why we have quality, safety, security, environmental and regulatory compliance programs and why they need to move beyond adherence to prescriptive requirements and focus on achievement of outcomes. #ComplianceInsights #RiskbasedThinking