In our previous blog posts ("Three Essential Measures to Overcome Compliance Risk", "Obstacles to Comprehensive Compliance", "Are you covered against surprises?") we explored a strategy of improved comprehensiveness to achieve better compliance and, more specifically, better coverage. While improved coverage is an important outcome, it is not the only one or the most critical. Comprehensive compliance must also contribute to an organization’s resiliency: the ability to stay between the lines in the presence of change.
Companies that endure are those that adapt. They plan for and contend with change better than their peers. This ability to adapt also applies to the way these organizations manage compliance. Adapting for them does not mean ignoring rules and regulations to get ahead. It also doesn’t mean building controls and measures that are so rigid that they hinder their ability to innovate. Adapting means that compliance holds the line when necessary but also bends when the winds of change call for it. Compliance for successful organizations must be resilient.
What is a resilient organization?
Erik Hollnagel, internationally recognized specialist in the field of resilience engineering, writes in his book Resilience Engineering (2009) that companies are resilient if they are:
able to adjust their functioning prior to, during, or following events to ensure continuation of operations under both expected and unexpected conditions.
Conditions that might thwart continued operations vary in both their nature and their effects. From the perspective of compliance these are often the effects caused by non-conformance such as data breaches, safety incidents, defects, violations, exceeding emission limits, reputational damage, and others. In practice organizations must consider any action or condition that could disrupt continued operations.
This consideration will involve more than reviewing a list of possible events. Erik Hollnagel defines four essential capabilities that organizations must have for resiliency to exist:
- Ability to learn from the past
- Ability to respond to current challenges
- Ability to monitor incoming critical situations
- Ability to anticipate the occurrence of future events
All of these capabilities need to work together to form a resilient system that effectively ensures continued operations, which include continued compliance.
The current COVID-19 pandemic has certainly stretched the resiliency of many organizations trying to maintain their operations while providing a safe work environment under new and changing conditions.
Perhaps that is why anticipation and planning are the most important capabilities for organizations to have, since they help to envisage the level of resiliency, performance, and capabilities an organization needs to respond to future events.
What is compliance resiliency?
When it comes to compliance, continued operations often means returning to the way things were, back to the original lines. However, increasingly it also means aligning with new objectives.
For compliance to be resilient it must ensure that programs, controls and measures all support both kinds of resiliency.
Traditionally, compliance has focused on meeting prescriptive obligations where the goal is to consistently follow standard procedures and processes.
Controls are put in place to ensure that prescribed rules are followed, and outputs are created safely, with integrity and quality. Consistency is a critical measure of performance and passing an audit is the measure of success.
In response to change (anticipated or actual), resiliency means bouncing back to the existing line.
However, when it comes to advancing compliance outcomes towards such things as zero emissions, zero violations, zero incidents, zero fatalities, and zero harm, the focus for compliance is continuous improvement, managing risk and making progress towards targeted outcomes.
Risk controls are put in place to ensure that objectives are achieved, and outputs are evaluated against their progress towards targeted outcomes. Meeting objectives is a critical measure of performance and getting closer to zero is the measure of success.
In response to change (anticipated or actual), resiliency means bouncing forward to the next objective.
How does comprehensive compliance improve resiliency?
While minimum conformance to regulations and standards may be enough to pass an audit, it is not enough to ensure that organizations remain on-side when things change. To bounce back or forward requires that organizations have the capabilities to monitor, respond, learn, and anticipate. For organizations to be effective at this they must know:
- what is needed to achieve and maintain compliance
- the status of their compliance in real-time
- the threats and opportunities to compliance
- that they have the capabilities to be continuously in compliance (i.e. the outcome of resiliency)
Organizations that are comprehensive with their compliance will be better informed of these aspects with a higher level of assurance. They will know when to bounce back or bounce forward and will do so quickly. They will seldom be surprised but when unanticipated change does come, they will know exactly what to do.
If you are interested in improving your organization’s resiliency, consider participating in our upcoming 40-Day Internal Obligations Challenge.
By participating in this program, you will engage in weekly sprints designed to help improve your compliance coverage and achieve greater resiliency.
While this program is offered at no cost, it does require your engagement to realize the benefits. Rise to the challenge and sign up today.