Everything an Organization Does is Compliance

I realize this statement may be controversial or even provocative to some, but I kindly ask that you hear me out.

For many organizations, compliance sits apart from what the organization does. It’s often seen as an obstacle in the way of innovation and getting things done.

This perspective often arises from having a narrow view of compliance influenced by years of prescriptive and legal regulations. However, this perspective is only part of what compliance now means and why we need to think about compliance differently.

Let’s start with the definition of compliance found in the international standard ISO 37301:2021,

Compliance is the outcome of meeting all your obligations.

This definition implies there are two aspects to compliance:

1. Compliance is an outcome, that arises from
2. Meeting all your obligations

This parallels the dictionary definitions for compliance most often described as:

1. The state of conformity with official requirements
2. The act or process of complying

Let's look at the first part.

Compliance as Obligations

The first thing we can say about compliance is that it involves obligations. Without obligations there is no need for compliance.

Obligations are explicit requirements that in some cases will be legal in nature, some will be ethical, and others are beneficial to mission success.

Whatever the motivation, these requirements are explicitly defined and are intended to create outcomes beyond just that of conformance.

It's also generally understood that not meeting obligations may also create outcomes:

• losses arising from not meeting the obligation (penalties, fines, sanctions, etc.), and
• loss of value associated with unrealized obligation outcome

Obligations can be expressed in several ways that include: rules to be adhered to, practices to follow, targets to achieve, or outcomes to advance.

No matter the shape or size, or when compelled by law, moral values, or corporate strategy, obligations give rise for the need of the act of compliance.

Compliance Promises

This brings us to the second part of the definition: meeting the obligation – the act or process of complying.

When a company decides to accept an obligation, for example:

to achieve carbon neutrality by 2035

they are making a commitment, in this case with an environmental obligation. However, in practice this can be any obligation imposed from outside or inside of organization.

Until the obligation is accepted, there is no need for the act of compliance. When it is accepted, a commitment is made to engage in the act of complying.

According to Promise Theory (Mark Burgess), compliance commitments describe promises an organization makes and intends to keep to meet a given obligation. Promises shape policy, strategies, goals and objectives for the organization to meet all their obligations.

In essence, promises define the means rather than the ends.

Compliance as a Regulatory Process

Now we come to the heart of the matter.

The primary means by which compliance meets organizational obligations is by regulation. I don't meet regulations, but rather the regulatory process.

Many organizations view regulation narrowly as:

• Rules: A set of rules or principles that control how something is done. These rules are often set by an authority, like a government agency, to ensure safety, fairness, or a certain standard. It can also be define by internal policy.
• The act of controlling: The process of enforcing these rules or principles. This can involve things like inspections, licensing, and penalties for non-compliance.

As a result of changes in the compliance landscape in recent decades, meeting obligations has become more than adherence to rules or the establishment of controls.

Fundamentally, compliance involves regulating organizational behaviours and actions to meet accepted obligations of all shapes and sizes.

This regulatory process is not the responsibility of the compliance function or limited to what is traditionally considered as compliance obligations.

In fact, meeting such things as production schedules, sales quotas, or new product launches also requires a regulatory function which for the most part reside with functional managers although they simply call this activity – management.

When we look more broadly, we can see that every part of the organization is working to achieve compliance with respect to their specific goals and objectives. You may recognize this as the chain of accountability.

• Employees are meeting obligations from Managers
• Managers are meeting obligations from Directors
• Directors are meeting obligations from General Managers
• General Managers are meeting obligations from the CEO
• CEO is meeting obligations from the Board
• The Board is meeting obligations from Stakeholders

Everything an organization does is compliance.

Now, I am not saying management should now adopt a check-box or audit approach that is followed by traditional compliance functions. In fact, just the opposite.

Compliance should adopt an operational and performance-based approach found in functional departments.

Functional managers know how to negotiate operational goals and objectives, develop strategies and plans, monitor performance, and continuously improve. While their obligations are related to operational objectives they still require a commitment (a promise) that must be kept. This is the contract between one accountability level and another.

In this sense, functional managers have been practising the act of compliance for years and many excel at it.

Pressing the point further, some use the Lean practice of Hoshin Kanri (policy deployment) / Catchball to align operational goals and objectives with organizational values and outcomes.

What is unfortunate is this process traditionally has not included compliance obligations. This presents an opportunity for organizations to leverage these capabilities to better operationalize all their obligations.

Eating the Other Half of the Elephant

We have observed in recent years that at least half of an organization’s obligations come from internal policy and not from external regulations. These obligations are not compelled by law but instead are voluntarily chosen to support stakeholder expectations.

These obligations are often associated with quality, environmental, ethics, safety, security, sustainability and other expectations that have more to do with a social license rather than a legal license to operate.

While these obligations do overlap with legal obligations they require operational capabilities similar to those found in functional units across other parts of the organization rather than a compliance department.

This is Not a New Path

I realize many do not view compliance in this way which is not surprising. Their compliance experience for the most has come from finance and legal where obligations are prescriptive and enforcement is reactive. They do not know what compliance looks like from an operational and proactive perspective.

This is not the first time organizations have faced this situation. Back in the 1980s a similar thing happened with the quality movement. Back then we strove to achieve zero-defects utilizing quality control (QC) and quality assurance (QA) roles.

This is not fundamentally different from achieving vision zero targets such as: zero incidents, zero non-conformance, or zero violations. What is different is we don't need to do it like we did back in the 80s.

What we have learned since then is that inspection and audits seldom improve quality. Instead quality needs to be designed into products, services, and processes.

Today, we can't imagine managing quality without managing it in every part of the value creation process.

This approach is what is needed now to meet safety, security, sustainability, environmental, ethical, and even regulatory compliance obligations.

We need to manage all our obligations in every part of value creation.

The good news is that organizations have been doing the act of compliance with respect to operational objectives for years in production, sales, marketing, HR, and other business functions.

They have for the most part the capabilities needed to meet all their obligations. They just need to leverage the capabilities they already have.

However, this won't happen until they realize that everything an organization does is compliance.