Nimonik just completed its first Internal Obligations 40 Day Challenge! We thought it would be helpful to look back at what was covered and the lessons participants learned from their experience.
As a reminder, the purpose of the 40 day challenge was to help organizations better tackle what we believe is the next frontier for risk & compliance: Internal Obligations. These obligations arise from internal goals and objectives connected with stakeholder expectations, operating requirements, or other internal requirements you have adopted to allow yourself to operate.
We defined Internal Obligations as,
“obligations that your organization has imposed on itself voluntarily or through an agreement with a third party. In contrast to External Obligations which are imposed by a third party (i.e. Government), Internal Obligations are generated through the activities you engage in.”
While similar to those promulgated by regulators, Internal Obligations differ in an important way: they are regulated internally by the organization and not by an external body. In many ways, managing internal obligations requires organizations to act as their own regulator. The objective of Internal Obligations is to advance both public interests (public safety, product safety, sustainability,…) and the interests of the organization’s stakeholders (ESG investment, local communities,…). It is this focus on advancing beneficial outcomes that adds additional layers on top of basic compliance, which risk & compliance professionals must learn to navigate.
To help, our 40 Day challenge introduced weekly objectives to navigate through these layers:
- Identify all internal obligation sources applicable to your business
- Identify all obligations & metadata arising from the internal obligation sources
- Identify steps needed to incorporate internal obligations into existing registers
- Evaluate obligation risk for all internal obligations
- Create plan to achieve compliance for all internal obligations
- Establish a process to sustain compliance through continuous improvement
Participants in the 40 day challenge came from different areas of compliance and different levels of compliance. The challenges were adapted accordingly. The areas of compliance covered by our participants included:
- Data Privacy
- Health & Safety
- Legal & Regulatory
- Sustainability and Governance (ESG)
- Process Safety
- Patient Safety
- Corporate Risk & Compliance
- Mission Objectives
The Path to a Resilient Organization
Day 1 – Kick-Off
This was the first session where we covered the basics of what internal obligations are, where they come from, and what we need to know about them to manage them effectively.
Here is what Jeremiah (Senior Director, GxP Process Operations Center at Vertex) said about the kick-off:
“One of the things I try to do on a regular basis is spend some time listening to other branches of compliance professionals. This talk on internal obligations from an EHS perspective is fascinating and there are several thought processes that are real thinking moments. The analogy on regulations and outcomes introduced in the first part was so well explained. Great job!”
Outcome: Equipped with a better understanding of internal obligations, the first challenge for our participants was to identify the sources of their internal obligations. How big and complex would their challenge be? Answers to these questions and many more would be addressed at level 1.
Day 6 – Level 1
Each participant worked to identify their internal obligation sources; however, this proved harder than expected. Participants discovered several obstacles:
- Participants had to take a bigger picture view which is not part of their normal work
- Struggle to identify which internal obligations are applicable without further assistance
- Challenge to follow-up with responsible people within their organization (subject matter experts)
- How to consider threats and countermeasures in completing the challenge
- Understand and explain to colleagues that no one has a complete picture at any level
Outcome: The challenge resulted in the extraction of individual obligations and metadata from the identified sources using the taxonomy presented at kick-off.
Day 13 – Level 2
Complete with valuable obligation data, it was time to find somewhere to put it. Internal obligations require setting and capturing measures of effectiveness, performance, and also conformance from which to evaluate progress and validate outcomes. This information is necessary to inform internal audits and assurance functions as these roles would not be done by external counterparts.
Outcome: This challenge resulted in making changes to their existing obligation and risk registers to better accommodate internal obligations.
Day 20 – Level 3
There comes a time when everyone must face their dragons and this was the time for our participants to face the dragon of uncertainty. As we know, everything happens in the presence of uncertainty and it’s this uncertainty that creates risk.
Risk data is essential for developing a proper risk plan to ensure obligations are met. To help with the evaluation, these topics were covered:
- How risk is defined
- How risk is connected with uncertainty
- How to create a qualified risk statement for each obligation
- How to use a qualified risk statement to calculate the level of risk for an obligation
Outcome: This challenge involved evaluating the risk in meeting each obligation and updating their registers with appropriate risk data.
Day 27 – Level 4
This challenge required creating an effective compliance plan to close the gaps and improve the probability that all their obligations would be met. Compliance plans would answer the following essential questions:
- What does DONE look like?
- How do we get there?
- Do we have enough time, resources, and money to get there?
- What impediments will we encounter along the way?
- How do we know we are making progress?
Outcome: This challenge resulted in the creation of a compliance plan that improved the ability to reach a state of compliance.
Day 34 – The Continuous Challenge
This quote from James Clear, author of Atomic Habits, reinforces the danger of not continually improving:
“You do not rise to the level of your goals. You fall to the level of your systems.”
Two different systems and strategies were considered for this challenge. The first is based on the vicious cycle of non-conformance and the second on the virtuous cycle of compliance. It is the latter, based on proactive behaviours, that keeps companies always in compliance.
Outcome: This challenge resulted in the creation of a continuous improvement process to make sure that the participant’s organization would always stay in compliance.
Day 40 – The End of the 40 Day Challenge
All too often compliance is a “lonely” job done by an army of one or a few. However, it is on the strength of teams that organizations succeed. The best part of the 40 Days was experiencing the benefits of working together with others towards common goals. The following are highlights of what the participants experienced and shared over the 40 Days.
Lessons learned during the challenges:
- Consider threats/countermeasures
- Identify internal obligations which are applicable
- Take a bigger picture view
- No one has a complete picture at any level
- Follow up with responsible persons on a daily basis regarding their given task progress.
- There is a lot of information to review
- Try to encourage others to join the challenge
- Don’t give up
- Figuring out relevance of internal obligations
- We can step up the responsibilities to meet the stakeholder expectations e.g. Zero Waste, ESG.
- OODA and PDCA
Obstacles in the way of completing challenges:
- Time available to work on Internal Obligations
- Time to gather required resources
- Know exactly what an accrediting body might look for
- No one in my company has a complete picture; stakeholder analysis is ongoing.
- Management’s lack of support of improvement opportunity suggestions from staff members
- Attention deficit
- Competing priorities
Countermeasures to overcome obstacles:
- Build a team to support the work needed to identify, monitor and manage compliance risks and develop a regulatory compliance register
- More feedback and coaching
- Perform more detailed stakeholder analysis, build a process
- Encourage management to trust staff members’ ability to see better opportunities for improvement
- Disperse the workload
- More Attempts
- Continue the challenge
- Keep learning
Steps to make further progress:
- Assign tasks to team members once R&Rs have been clearly defined
- Identify the internal obligations along with a list of relevant sources
- Book time in my calendar to work on this each week
- Build more time
- Daily follow-up communication on progress to top management and staff members
- Book more time – tended to go off on tangents as I dug in each week
- More coaching and training
- Keep practising
Day 41 – Your Next Challenge
Internal obligations remain the next big challenge for organizations looking to improve compliance. As organizations continue to progress towards meeting greater stakeholder expectations, they will need to be more comprehensive with their compliance, proactive in their behaviours, and take on greater responsibilities for compliance outcomes.
While lessons learned from managing external obligations (regulations) are useful, additional skills and capabilities will be necessary to effectively manage internal obligations (permits, documents). During the 40 days we introduced the beginnings of what these might look like. Nimonik is here to support all compliance professionals who want to improve their management of all of their obligations – both external and internal.
We congratulate all those who participated in the 40 Day Challenge and wish them all continued success.
If you are interested in learning more about how Nimonik can help you be more comprehensive with your compliance, contact us at firstname.lastname@example.org or at 1-888-608-7511.