Managing your governance and compliance objectives with a single, integrated management system
Every organization has a primary objective. For a business, this is usually commercial performance: returning a profit to its owners. At the same time, every organization is subject to a range of requirements and obligations that constrain how its activities are carried out. Some are mandatory: legal requirements imposed by the jurisdictions in which the organization operates; some are voluntary, expressing the values of the organization’s owners. Most organizations have contractual obligations. Many have commercial imperatives — such as certified compliance with standards like ISO 9001 — which, in some locations and industries, are essential if the business is to compete.
Integrated governance means developing a single framework for identifying, tracking, and managing the entire set of requirements and obligations. Taking an integrated approach has several significant benefits —
- It’s less work.
- It’s more reliable.
- It’s easier to verify.
- It eliminates duplication of effort.
- It standardizes the ‘clerical’ work of compliance, such as document control and issues tracking.
Perhaps most importantly, it can provide the board with holistic assurance that the organization is aware of compliance obligations as a whole. Where multiple compliance obligations are managed independently, there is a risk — and a corresponding board concern — that particular requirements may ‘slip through the cracks’.
Here’s how to do it —
Understand the organization’s operating context.
Work through the factors that influence or constrain how the organization should operate. Some management system standards (eg, ISO 9001:2015, ISO 14001, etc) include this as a step anyway; but it usually makes more sense to address this as a single task, rather than carrying it out separately (and repeatedly) as a quality task, as a safety task, as a risk management task, etc.
The range of factors will depend on location, industry, and circumstances. These are some of the common ones —
- The organization’s stakeholders may impose requirements as matters of principle, such as those expressed in the organization’s Values.
- Keeping the directors out of jail is always a good outcome. Although the organization is of course subject to all laws and regulations, for governance purposes we are interested in those that —
  - Require the organization to do something that it otherwise might not do.
  - Require controls to be in place to prevent something happening or to manage the risk of litigation.
  - Require a level of training or awareness for the organization’s personnel.
- The organization might choose to meet the requirements of one or more standards (ISO 9001, ISO 14001, etc) for marketing or contractual purposes, or as a commercial necessity.
- The organization may be subject to codes and standards imposed by a professional or industry body. These might apply to the operation of the organization as a whole — such as the professional standards applicable to law firms or accounting practices; or they might apply to its products — such as (in some jurisdictions) those applicable to steel industry manufacturing.
- By definition, a contract creates obligations for its signatories.
- If there are licenses and permits that your organization needs to stay in business, you need to keep track of them to ensure you meet their requirements and renew them on time.
- Conducting risk assessments will identify things you need to do to ensure the continued good operation of your business.
Define your governance objectives.
Your set of governance objectives defines what it means to say that your organization is well managed. Your operating context will have established a whole raft of requirements, obligations, and commitments; your governance objectives express these as a set of specific outcomes that the organization must deliver.
As a practical task, defining these objectives can be managed through four registers —
- For governance purposes, a policy does three things —
  - It commits to an objective that is in addition to the organization’s core commercial objectives.
  - It authorises the use of resources needed to meet the objective.
  - It grants authority to the personnel accountable for meeting the objective.
- Compliance obligations are laws, statutes, and management standards that have terms and clauses with which the organization must comply.
- Legal commitments are contracts and agreements that the organization has entered into. As with compliance obligations, they have terms and clauses that must be met. For practical reasons it is usually preferable to track these separately, in order to deal with issues like renewals.
- The risk register tracks the issues that have emerged from the organization’s risk assessments and the actions that must be taken to manage those risks.
Implement your governance activities.
For each governance objective, define and cross-reference the systems, process controls, and actions used to meet the objective. This typically involves —
- Some governance objectives may require explicit planning with quantified performance objectives and measures. For example, you may need an Illness and Injury Prevention Plan, an environmental management plan, or a quality plan.
- Modify your procedures to embed the controls and actions needed to meet your compliance objectives. This is where most of the work should happen: as far as possible, compliance should be built in. Doing things correctly (legally, safely, meeting quality requirements, etc) should be automatic and easier than any alternative.
- Assign accountabilities and authorities to the personnel involved.
- Management actions are things the organization must remember to do, like renewing licenses and permits, submitting statutory reports, and dealing with terminating contracts.
Check that it works.
With an integrated system, checking that it all works reduces to these questions —
- Have we identified all the factors relevant to our operations?
- Do our governance objectives address all the identified factors?
- Is our implementation sufficient, in principle, to meet our objectives?
- Is our implementation effective in practice?
Of course there’s a lot of devil in the details; but one of the big pay-offs for implementing an integrated system is that the details are managed in a simple, straightforward manner.
Learn, adapt, and improve.
Nothing’s perfect. And even if you get things right today, tomorrow will be different. The above four steps are a continuing cycle, each subject to internal and external changes.
- Are you getting the results you expected?
- External factors change over time, usually with some lead time. One of the responsibilities of the personnel involved is to be aware of forthcoming changes and to prepare for them.
- Procedures change in response to changing technologies, changing market requirements, new methods and materials, and any number of other factors. Procedure owners have to be aware of the governance implications of the changes they make.