City Intelligence

Monday, June 8, 2009

 

Creating Effective Compliance

One of the great trends of the last few years has been the attempt to increase effectiveness through the creation of compliance standards. These standards, either mandatory or voluntary, attempt to codify the use of “best practices” and other guidelines into organizations to the point where they cannot fail to be effective. All too often, however, the approach has the exact opposite effect. Instead of creating effective organizations, the application of compliance criteria creates a bureaucratizing effect and stagnation within the organization. To overcome these effects, we need to look deeply at the purpose of the compliance regime and see how it applies to the business, in order to determine an approach for implementation that increases, rather than decreases, effectiveness.

All compliance regimes (ISO, SOX, 21 CFR, PCI, HIPAA) have a core purpose in mind when they are created. That purpose may be to increase security, to enhance privacy, or to encourage openness or consistency in the business. Based on that principle, the authors of the specific guidance have chosen particular details which, to them, embody that purpose. The rest is a description of how they can recognize the result. What the authors have not done, and perhaps cannot do for various reasons, is provide clear guidance as to how those details should be translated to a particular circumstance. As a result, all too often the compliance regimes take on the flavor of rigid mandates with diminishing relevance, which introduce inefficient practices.

Instead of viewing the compliance documents as a strict list of mandated actions, effective implementation demands that we first seek to discover the core purpose that the tasks are trying to accomplish. In this mode we view the lists of tasks not as a simple rote exercise, but rather as the authors’ attempts to communicate the core purpose. Once we uncover that core purpose, we can explore how it applies to the current organization and its functions. When this is done, we may find new relevancy in the given list, or we may find that the purpose is already accomplished, or needs to be accomplished, through some other method.

Having either discovered the relevancy of the given lists, or having discovered existing or alternative means of accomplishing the core purpose, we are now ready to implement a compliance that is effective and adds to the effectiveness of the organization. As part of this, we need to document how we are accomplishing the core purpose and what that means in terms of our organization. This not only helps us clarify our understanding, but also provides any evaluators with a means of casting their evaluation into the same focus,
