Whether we are talking about broader HSSE or more narrowly focused CIP, NERC, ISO, Dodd-Frank, etc. compliance, there are two general approaches to implementing a compliance plan within an organization: proactive and reactive.
Reactive – Many companies have used a reactive compliance process for many years. I hesitate to call a reactive approach a plan because it really isn’t a plan beyond the mechanics of scheduling an audit and remediating it. A simple and common example would be: Purchase an audit checklist, Audit against that checklist in some fashion either internally or by leveraging a consultant, correct any deficiencies (hopefully updating your policies, procedures and other controls to accommodate the changes), and then wait a quarter, year or more and then rinse and repeat.
The ostensible advantages to a reactive approach would be a lower upfront cost and simplicity. The disadvantages would be higher incremental costs, incompleteness, lack of management visibility, and increased risk. Why increased risk? The possibility of fines is much higher due to long periods of time where you are managing towards non-compliance. Rules and Regulations change constantly and when you are measuring compliance at such wide intervals you will be managing to non-compliance at some point.
Proactive – A proactive approach is fundamentally different, allowing changes in the regulations and standards to drive compliance management throughout an organization. How is this accomplished? Every control, compliance artifact, audit, policy, procedure and task related to compliance must be mapped back to the rules and regulations they were derived from. Why? When the regulation changes, you proactively reevaluate all of the above to ensure they still reflect the changes in the regulation and standards.
The advantages to a proactive approach are numerous. One of the highlights is that you are always compliant, and if the system is capable, you can clearly demonstrate that you always have been compliant. This approach helps you manage and reduce financial, legal, environmental, reputational and safety risks, thereby reducing the potential costs of non-compliance. Another highlight is that executive management has up-to-the-minute visibility into the current compliance state of the organization instead of relying upon data that is months old –again, if the solution is capable.
Comments