You’ve probably heard the saying: if you aren’t getting better, you are getting worse. This is as true of compliance management as it is of business and personal life.
So how do you tell if your compliance management system is heading forward, or declining into irrelevance?
Back in my compliance auditing days I used to boast that I could take the pulse of a quality/safety system – and start writing the audit report – after asking only three simple questions:
- Show me the minutes of your last management review meeting?
- Show me your internal audit schedule and all associated audit reports?
- Show me all corrective action/non-conformance reports raised in the last six months?
These questions, which are often met with blank stares, are the “triage” questions that test the vital signs of a compliance system, because:
1. No system will ever succeed without the commitment and support of top management
If management are so uninterested that they never bother to review the relevance, adequacy and effectiveness of their policies and procedures, you might as well turn off life support.
2. An effective system is one where management requires that audits are undertaken
This is for the express purpose of determining the extent to which policies and procedures – themselves developed on the basis of constantly changing regulatory requirements – are being adhered to across the business and all its extended relationships. Moreover, management rely on the outcomes and analysis of the auditing effort to provide insight into their exposure to compliance risk, and use these results to drive improvement decisions. Failure to audit is like taking your hands off the wheel of your car and hoping it will get there all by itself.
3. Problems are a daily reality for every business
The idea of identifying and acting on problems is to implement improvements to prevent problems from recurring, and to improve systems to ensure that the causes of the problems are eliminated. An empty non-conformance register is a sure sign that the lights are out and everyone has gone home. One of my colleagues conducted a safety audit at a military ordnance facility and, in response to the non-conformance question, was shown a register with only a single entry, relating to a missile that had fallen off a loading trolley. There was no indication of the implementation of corrective action.
After considering these three points, my notion of knowing how the report is going to end up after only a few questions holds true. Virtually all international standards and regulations include core requirements for management to identify compliance obligations, assign responsibility and authority, undertake reviews, monitor adherence to the requirements, and implement ongoing improvements. If these vital signs are missing, or the signals are weak, you might as well head up your report, “Epic failure starts here.”
What are the tell-tale vital signs in your compliance world? I am fascinated to know if other compliance professionals have the same views, or apply other litmus tests to quickly establish compliance system health.