Why Enterprise Compliance Programs Fail (24 April 2016)

A Systems Management Solution

They say that structure is freedom, and in a sense it is. When you’re dealing with multiple constraints, you have to figure out what you can get out of that.

Demetri Martin

A culture is like an immune system. It operates through the laws of systems, just like a body. If a body has an infection, the immune system deals with it. Similarly, a group enforces its norms, either actively or passively.

Henry Cloud

Quality is consistently delivering intended outcomes. From this perspective, a quality management system (QMS) is really about delivering products and services in compliance to the internal or external customer. All enterprises are systems where the output is the byproduct of interrelationships, interconnections and dependencies of processes and resources. In the myopic view of quality, the focus is on the final product or service deliverable that the customer pays-for within specification, budget, and time. When the significance of workplace culture and its effect on the output of a system is considered, the impact of enterprise compliance is clearly significant. Culture is defined by the interaction of practiced values, processes and resources that constrain and form decisions. Hence, every decision is a risk proportional to the certainties in the cultural decision making processes. Corporate compliance relies on having optimized policies, procedures and processes which will detect and prevent violations of applicable law, regulations, rules, and ethical standards by employees, agents and other stakeholders. Therefore, corporate compliance is threaded throughout every connection within the system. Because corporate compliance connects every node in the system, as shared values or corporate culture, it is in reality the principal enterprise risk where compliance risk, integrity risk, and reputation risk are all components which greatly affect operational risks. The new ISO 9001:2015 Quality Management System standard emphasizes risk-based thinking. Enterprise risks needs to be de-compartmentalized and assessed in context to the entire system and enterprise objectives. When risk is assessed as individual components of departments and group expertise without context to their interdependencies and influence on overall department and market performance, the system is corrupted and the deliverable to all stakeholders is compromised. Quality cannot exists where there is weak corporate governance and compliance. Quality and compliance are inextricably dependent on each other.

Compliance is too often inappropriately relegated to the executive team and legal arms of an organization external to the principal business operations that frame governance compliance decisions. There is much literature discussing the failures of enterprise compliance programs and enterprise corruption. The current paradigm to remedy enterprise compliance failures is built around training and awareness measures for employees which exposes individuals to the legal and policy limits of behavior. Of course, the workforce must understand the constraints of compliant behavior. But, understanding the limits of compliant behavior in of itself will not really change non-compliant behavior measurably or successfully. Simply identifying non-compliance is tantamount to placing signs on a production line stating “zero defects” or affixing safety posters that say “don’t get hurt on the job.” Such accruements are ineffective and likely do more harm than good. Compliance must be regarded as the desired outcome of the managed system in the same way omitting rework and building quality into the processes is the objective of a quality management or safety management system. The principal problem with any non-compliant system – a system which produces the unwanted outcome – is the management paradigm which guides too many enterprises. It is the top-down management of fear that perpetuates the fallacy that compliance performance is a worker-based problem. Quality guru and management consultant W. Edward Deming demonstrated that performance is grounded in the constraints which management imposes. Top management decides how and why processes and resources are developed and used to achieve intended outcomes. Governance compliance, just as quality, safety or environment compliance, is a culture issue which is driven by top management. In Deming’s famous Red Bead Experiment, it was demonstrated time and again that performance is attributable to the managed system 85-99% and only the remainder to the employee. Compliance unequivocally is a management based problem, as is enterprise risk, for the most part.  Compliance and quality are actions and not outcomes.

Risk comes from not knowing what you’re doing.

Warren Buffett

Anything that is wasted effort represents wasted time. The best management of our time thus becomes linked inseparably with the best utilization of our efforts.

Ted Engstrom

In systems management, the objective is to develop processes which eliminate the opportunity for undesirable outcomes. However, this requires a thorough understanding the inter-dependencies of processes and resources. An action which eliminates an outcome in one area may create negative outcomes in another. A common example is the elimination of using knives in offshore operations as much as possible due to the number of workplace mishaps which they contribute to. However, during an emergency evacuation (e.g., Deepwater Horizon) not having a sharp knife easily accessible to cut the tether to a life boat adds time and risks to a safe emergency evacuation. This is an example of compartmentalized risk-based thinking. The most effective remedy for this risk paradox is de-compartmentalized knowledge-sharing throughout the enterprise. This simply is not the reality of top-down driven mandates. Decisions are most effective when they are driven by common knowledge of processes and constraints. It is why there are emergency drills. This is how enterprises mitigate operational risks successfully. The same concept applies to enterprise compliance. There is no compliance without engagement. Simply publishing or being familiar with correct actions is not the same as behaving correctly. Corporate compliance requires stakeholders to be both aware of and abide by internal policies and procedures designed to prevent and detect violations. Compliance risk is sometimes referred to as integrity risk. A corporate culture of integrity is critical to achieving sustainable growth. High levels of trust and reputation make it easier to operate throughout the enterprise. This is the undeniable connection that threads every decision and process change or improvement. A reputation of trust is valuable in business. Far too many operational enterprise decisions are made without direct consideration or reference to policies and laws. The acute interdependencies of enterprise governance to operational process performance is hardly recognized. Further, there are often no transparent processes of control which actually govern – constrain – decision-making on matters of compliance and enterprise governance. Thus, in a poorly managed system, non-compliance is usually only arbitrarily detected, much less corrected. The same holds true for quality, safety, and environment enterprise systems.

Management controls the processes and resources that truly determine enterprise performance which make the enterprise unique. This means that management of the enterprise creates the environment where non-compliance is either rare to where it is all but a foregone conclusion. Compliance programs that focus on worker training without recognizing the overwhelming influence of the enterprise management will fail. Programs that direct responsibility for non-compliance on those within the system are misaligned and driven by fear. Compliance success rests with authoritative decision making power. Successful systems share knowledge and are transparent. Decision making hierarchy is flat, because the basis and power to make decisions is shared knowledge and objectives. Non-compliant enterprises are often composed of siloes and have dysfunctional communication flow. They are not transparent. Decisions that are driven by hierarchal perceptions and manipulations rather than the broad analytics of process and resource interaction will likely not deliver compliant behavior, even when well-intended. Unconstrained decision-making without pre-determined limits foment corrupt cultures. Developing processes that remove the opportunity of non-compliance should be the objective. Compliance training should be focused on both the constraints as well as improving enterprise processes. But, there must be guidance and engagement from top-management. Compliance must be viewed as a desired outcome of a managed system and not an advertising gimmick. The reason that many compliance programs fail is because there is no real accountability. Simply, compliance programs fail because a common misguided paradigm.

If you want small changes in your life, work on your attitude. But if you want big and primary changes, work on your paradigm.

Stephen Covey

Excellent firms don’t believe in excellence – only in constant improvement and constant change.

Tom Peters