Three Essential Measures to Overcome Compliance Risk


In our post on the Obstacles to Compliance we looked at three obstacles that hinder organizations from being more comprehensive with their compliance. These obstacles contribute to uncertainty about obligations, compliance status, and the effectiveness of compliance actions. If left unchecked, this uncertainty may expose your organization to unnecessary and preventable compliance risk.

In this article we outline what you can do to make sure that doesn’t happen. This will involve establishing three essential risk measures, one for each obstacle:

  • Combined Register
  • Rich Metadata
  • Connected Actions


These measures, when properly applied, will improve your organization’s probability of meeting its obligations in the presence of a changing business or business climate.

Risk Measure #1 – Combined Register

Improving comprehensiveness by having a single source for all your obligations

The first measure addresses the uncertainties created by having obligation silos. It also lays the foundation for the other measures to come.

Many organizations manage their obligations in disparate spreadsheets which mostly contain regulatory obligations. They often lack internal obligations connected with policies, industry standards, and other stakeholder commitments.

A countermeasure to this threat is having a combined, up-to-date, and extensive list of both internal and external obligations.

Having one central register for the entire organization provides the opportunity to more easily and effectively:

  • identify gaps within and across obligations sources
  • identify overlapping requirements and commitments
  • monitor and update obligations arising from changing regulations
  • prioritize efforts to improve compliance
  • provide an integrated view of overall compliance

Risk Measure #2 – Rich Metadata

Improving comprehensiveness by knowing the status of your compliance in real-time

The purpose of this next measure is to address the uncertainties created by having insufficient and out-of-date data to properly manage obligations.

Unfortunately, many obligation registers do not adequately capture or hold the information needed to effectively answer questions such as:

  • Are we currently conforming to stated requirements?
  • Do we have the capability needed to stay in compliance?
  • What is needed to effect recent regulatory changes this year?
  • What is the probability of not meeting mandated performance targets next year?
  • What is the confidence level that we are meeting all our obligations?

A countermeasure to this threat is having rich and relevant metadata to track and manage each obligation.

Compliance status is determined by more than just the absence or presence of findings from an audit. Many obligations, specifically those related to safety and the environment, require tracking of performance levels along with the effectiveness of the controls used to assure that compliance is maintained. Organizations also need to know the status of compliance after the organization and its processes have changed.

In our recent webinar (Know Your Obligations) we unpacked various sources of obligations that included: regulations, standards, guidelines, policies and others. We identified the following types of information that should be considered for every obligation register:


As private and public organizations continue to adopt vision zero objectives (zero emissions, zero violations, zero fatalities, zero breaches, etc.) the need for more and better data will grow.

Tracking this information will help to build a robust and comprehensive compliance status that is aligned not only with measures of conformance, but also with the measures of performance and effectiveness required by many obligations (e.g. phosphorus levels in wastewater, carbon emissions, number of fatalities, and so on).

Ideally, compliance status is assessed and provided in real time so that actions can be put in place to close any gaps while the cost of repair is lower and the chance of avoiding significant damage is better.

Risk Measure #3 – Connected Actions

Improving comprehensiveness by ensuring actions are effective

The purpose of this measure is to address the uncertainties associated with a disconnected approach to creating, managing, and closing actions.


To be effective, corrective or preventive actions must not be carried out in isolation or without context. For example, when an audit discovers a missing procedure, the associated action is often simply stated as “Create missing procedure.” While this may result in a procedure being written, the procedure may not conform with requirements or be effective in achieving the objectives of the obligation. Unfortunately, actions of this kind get closed solely on the basis that a written procedure exists. It will be up to the next audit to discover any issues with the content.

However, by connecting actions with obligations and audits, the appropriate context is readily available to properly complete the action. There is no need to duplicate data, describe what is needed, or restate the obligations. The necessary context is provided by connecting to the single source of truth (i.e. the obligations register). As a result there will be:

  • No wasted time finding information.
  • No ambiguity as to what is needed to meet the obligation.
  • No partial completion to discover in the next audit.
  • No uncertainty as to when the action is completed.

Meeting the Challenge

To achieve better resiliency, companies must effectively address the uncertainties created by obligation silos, unclear status, and uncoordinated actions. The three measures we have introduced are a good start and will help to improve your probability of meeting all your obligations.

For those who want to strengthen their defences even further, we are launching the 40-day Internal Obligations Challenge in January.

Internal obligations are often overlooked and not well managed, leaving organizations exposed to significant risk. By participating in this program you will engage in weekly sprints designed to help you clean up your existing register, get it ready for internal obligations, and incorporate relevant data to better manage your obligations.

Nimonik wants to help you make sure that your compliance is the best that it can be for 2021 and beyond. That’s why we are offering this program to you at no cost.

Rise to the challenge and sign up today!