LCBS Presentation Conf 08-06

Upload: alessandro-celuzza

Post on 02-Jun-2018


TRANSCRIPT

  • 8/10/2019 LCBS Presentation Conf 08-06

    1/49

    Lean Compliance Management

    How to measure compliance management effectiveness in quantitative terms and make it achievable to any business organization

    Alessandro Celuzza
    Moscow, 2014-06-10


    2/49

    Summary - Key topics of the presentation

    Introduction
    Purpose of the presentation and sources of the model

    The contents of Lean Compliance
    A new synthesis of management tools already known in the business world

    The quantitative approach to compliance management
    Introduction to the theoretical basis of the model and to quantitative measurement

    How to put Lean Management in practice
    Suggestions to make it work to increase the resilience of your organization in a profitable way


    3/49

    Introduction

    Purpose of the presentation and sources of the model


    4/49

    Introduction

    Let's start from a question:

    Is it possible to define a methodology to make a company's business profitable, making compliance measurable in quantitative terms, evaluating and reducing the impact of incidents on business continuity, and reducing the risks of losses and costs?


    5/49

    Introduction

    The search for a business solution to answer the previous question led to the proposal of a new management model which synthesizes some powerful tools already well known in the business world:

    - compliance management system
    - six sigma
    - lean management


    6/49

    Introduction

    The purpose of this presentation is to depict a methodology, made available for every kind of organization, which can be put into practice with achievable investments, aimed at realizing the following results:

    - total compliance with regulations and laws
    - robustness to accidental events and disruptive incidents, and assurance of business continuity
    - excellent, world-class results
    - efficiency of the management system


    7/49

    Introduction

    The presentation refers to the following sources:

    - ISO/DIS 19600, about compliance management systems
    - ISO 31000 and ISO 22301, about risk assessment and business continuity management
    - six sigma breakthrough strategy
    - lean management literature

    Any contribution to the improvement of the model will be appreciated.


    8/49

    The contents of Lean Compliance

    ISO/DIS 19600 and its relation with other standards


    9/49

    Compliance Management System

    ISO/DIS 19600


    10/49

    Compliance Management System

    Compliance is one of the main issues for every kind of organization, regardless of its size, type of products, applied technologies and target markets, and for every kind of business.


    11/49

    Compliance Management System

    One of the solutions which companies are provided with, to prevent the consequences of non-compliance, is the effective application of a Compliance Management System (CMS).


    12/49

    Compliance Management System

    A CMS is aimed to:

    - enable the organization to manage effectively both the internal and the external risks associated with any regulatory compliance
    - help to mitigate liabilities and to protect the good reputation of the company and the trust of the market


    13/49

    Compliance Management System

    Is it possible to provide organizations with a simple, reliable and easy-to-use compliance management system?

    For this purpose, ISO is going to provide the market with a new standard, ISO/DIS 19600, compliance management system guidelines.


    14/49

    Compliance Management System

    ISO delivered the ISO/DIS 19600 standard, whose purpose is to provide organizations with guidance for establishing, developing, implementing, evaluating, maintaining and improving an effective and responsive compliance management system.


    15/49

    Compliance Management System

    ISO/DIS 19600 is still in draft status and can already be considered in the light of its potential to become an international standard, so it's useful for companies and for any other interested parties to be familiar with the model provided by ISO.

    ISO/DIS 19600 provides us with the definitions of compliance and compliance obligation (see ISO/DIS 19600, 3.24 and 3.31):

    "Meeting all the organization's requirements that the same organization has to, or chooses to, comply with."


    16/49

    Compliance Management System

    The definition provided by ISO/DIS 19600 implies that compliance is an outcome of an organization meeting its obligations, and that the commitment to compliance implies that the organization is supposed to be compliant with:

    - all the laws and regulations applicable and having impact on its business
    - all the contractual requirements agreed with its clients and other interested parties
    - all the requirements chosen on a voluntary basis, according to the company's policies.


    17/49

    Compliance Management System

    The CMS guideline ISO/DIS 19600 is articulated in 10 chapters, according to the new structure stated in the ISO directives, and is based upon the continual improvement principle (PDCA).

    According to the PDCA methodology, the Compliance Management System includes the following phases:


    18/49


    19/49

    Compliance Management System

    The key starting point is the understanding of the context in which the organization operates.

    It includes the determination of internal and external compliance risks.

    In doing so, the organization needs to take into consideration a broad range of external and internal aspects, i.e. regulatory, social and cultural contexts, economic situation, internal policies and resources.


    20/49

    Compliance, risk assessment and business continuity management

    ISO Guide 73, ISO 31000 and ISO 22301


    21/49

    Compliance and risk management

    The guidelines included in ISO/DIS 19600 can be effectively integrated with ISO 31000 and ISO 22301 to set up a compliance management system able to give the organization robustness to potential disruptive events.


    22/49

    ISO 31000, Risk management - Principles and guidelines

    Provides the principles and guidelines for managing any form of risk in a systematic, transparent and credible manner and within any scope and context.


    23/49

    Compliance and risk management

    Business organizations need to evaluate in quantitative terms the consequences of breaching one or more of:

    - the laws and regulations applicable and having impact on their business
    - the contractual requirements agreed with their clients and other interested parties
    - the requirements chosen on a voluntary basis, according to the company's policies.


    24/49

    Compliance and business continuity

    ISO 22301 specifies requirements to plan, establish, implement, operate, monitor, review, maintain and continually improve a documented management system to prepare for, respond to and recover from disruptive events when they arise.


    25/49

    Compliance and business continuity

    ISO 22301 is the first international standard to be fully compliant with the new guidelines from ISO Guide 83 (High level structure and identical text for management system standards and common core management system terms and definitions).

    ISO 22301 is the first standard to fully integrate a high-level structure and common text that will make it totally aligned with all other management systems once the related standards have also adopted the ISO Guide 83 guidelines.

    According to the PDCA methodology, the BCMS according to ISO 22301 includes the following phases:


    26/49

    Compliance and business continuity

    ISO 22301: the PDCA model applied to BCMS processes


    27/49

    Compliance and business continuity

    ISO 22301 - The PDCA model applied to BCMS processes


    28/49

    Compliance and business continuity

    ISO 22301 applies to all types and sizes of organizations that wish to:

    - establish, implement, maintain and improve a BCMS
    - assure conformity with the organization's stated business continuity policy
    - demonstrate conformity to others
    - seek certification/registration of its BCMS by an accredited third-party certification body
    - make a self-determination and self-declaration of conformity with this International Standard.


    29/49

    The quantitative approach to compliance management

    The theoretical basis of the model


    30/49

    The theoretical basis of the model

    "When you can measure what you are speaking about and express it in numbers, you know something about it, but when you cannot express it in numbers, your knowledge is of a meagre and unsatisfactory kind."

    Lord Kelvin (1824-1907)


    31/49

    The theoretical basis of the model

    We know what we can measure and express in numbers and in quantitative terms.

    If we don't measure something, we cannot control it, so we accept being at the mercy of chance.

    So the main question is:

    Can we accept the risk of being at the mercy of chance when we manage a business organization?


    32/49

    The theoretical basis of the model

    According to the theoretical basis that we have just pointed out, we need to measure the risks of noncompliance and express them in quantitative terms if we want to know them.

    If we don't know them, we cannot control them.

    If we don't control the risks, it means that we accept being at the mercy of chance.


    33/49

    The theoretical basis of the model

    If we really don't accept the risk of being at the mercy of chance, and we want to master the processes of our business organization, we need information in terms of facts and figures.


    34/49

    The theoretical basis of the model

    The acceptance of the risk of noncompliance should be related to the effective consequences of the negative event.

    ISO Guide 73


    35/49

    The theoretical basis of the model

    We need information that is:

    - clean, free from prejudice, not affected by the people who collected it; in other words, we need representative information
    - sufficiently numerous, so as not to be affected by errors during the sampling; in other words, we need significant information


    36/49

    The theoretical basis of the model

    Whatever the process we need to measure, to put it under control we need to get some quantitative information related to it, so we need to define:

    1. The process and its variables
    2. The questions we want to answer
    3. The variables which are related to the questions
    4. The sampling strategy (how to collect representative data)
    5. The sampling budget (how many samples we can collect to make the sample significant)
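As an added example (not part of the presentation), the following Python sizes the "sampling budget" of step 5 for a noncompliance rate. It uses two standard sampling formulas: the normal-approximation sample size for estimating a proportion within a margin of error, and the number of opportunities that must be examined before at least one noncompliance is observed with a chosen probability. The CTC names and rates are constructed; the 3.4 defects-per-million figure is the conventional six-sigma long-term rate. The second scenario shows the caveat a practitioner runs into: near six-sigma rates, a significant sample means millions of opportunities, which is why the later slides suggest stress tests rather than waiting to observe noncompliances.

```python
# Added example (not from the presentation): sizing the sampling budget
# of step 5 above. Both formulas are standard sampling statistics; the
# noncompliance rates used below are constructed for illustration.
import math
from statistics import NormalDist


def sample_size_for_rate(expected_rate: float, margin: float, confidence: float = 0.95) -> int:
    """Samples needed so that an observed noncompliance rate estimates the
    true rate within +/- `margin` at the given confidence (normal approximation
    to the binomial: n = z^2 * p * (1 - p) / E^2)."""
    if not 0.0 < expected_rate < 1.0 or margin <= 0.0 or not 0.0 < confidence < 1.0:
        raise ValueError("expected_rate and confidence must be in (0, 1), margin > 0")
    z = NormalDist().inv_cdf(1.0 - (1.0 - confidence) / 2.0)  # two-sided critical value
    return math.ceil(z * z * expected_rate * (1.0 - expected_rate) / (margin * margin))


def opportunities_to_observe_one(rate: float, probability: float = 0.95) -> int:
    """Opportunities that must be checked before at least one noncompliance is
    seen with the given probability, if each opportunity fails independently
    with probability `rate`: solve 1 - (1 - rate)^n >= probability for n."""
    if not 0.0 < rate < 1.0 or not 0.0 < probability < 1.0:
        raise ValueError("rate and probability must be in (0, 1)")
    return math.ceil(math.log(1.0 - probability) / math.log(1.0 - rate))


def sampling_budget_report(scenarios):
    """Return {name: (samples_for_margin, opportunities_for_first_defect)}
    so the budget of each scenario can be compared side by side."""
    return {
        name: (
            sample_size_for_rate(rate, margin),
            opportunities_to_observe_one(rate),
        )
        for name, rate, margin in scenarios
    }


# Constructed scenarios (hypothetical CTCs, not from the presentation):
# an invoice process believed to be around 5% noncompliant, and a process
# already near the conventional six-sigma long-term rate of 3.4 defects
# per million opportunities (3.4e-6), estimated to +/- 1 per million.
SCENARIOS = [
    ("invoice_vat_code", 0.05, 0.01),
    ("near_six_sigma_process", 3.4e-6, 1e-6),
]

if __name__ == "__main__":
    for name, (n_margin, n_first) in sampling_budget_report(SCENARIOS).items():
        print(f"{name}: {n_margin} samples for the margin, "
              f"{n_first} opportunities to see one noncompliance with 95% probability")
```

The first scenario needs 1825 samples and about 59 opportunities to see a single noncompliance; the second needs on the order of 13 million samples for the margin and roughly 880,000 opportunities just to observe one noncompliance, so "significant" at that level is a budget question that has to be decided before data collection starts.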


    37/49

    Six sigma

    The breakthrough strategy applied to CMS


    38/49

    Six sigma and compliance management

    The six sigma breakthrough strategy is based on five interconnected phases: D.M.A.I.C.

    DEFINE: identify the Critical to Quality (CTQ) characteristics of products/processes and the best-in-class performances to benchmark

    MEASURE: determine the process baseline, or where we are in terms of process capability

    ANALYSE: discover the causes of the gap between the actual performance and the benchmark

    IMPROVE: improvement projects to reduce the gap and reach the best-in-class performance

    CONTROL: consolidation of the results and continuous improvement


    39/49

    Six sigma and compliance management

    We can extend the six sigma definitions to the Compliance Management System.

    CTQ -> CTC

    We define the Critical to Compliance characteristics as the subset of the business processes which could have a critical impact on the organization's requirements that the same organization has to, or chooses to, comply with.


    40/49

    Six sigma and compliance management

    Compliance Related processes: the set of business processes which affect any of the Compliance Requirements

    CTC: the subset of business processes which affect critical compliance requirements (e.g. laws, regulations, contracts, other critical requirements)

    CTC = Critical to Compliance characteristics


    41/49

    Six sigma and compliance management

    Business organizations should identify and define their CTCs with reference to the criticality of the consequences of noncompliances: e.g. civil or criminal charges, big fines, loss of reputation, loss of contracts with the most important clients, loss of market share, bad reputation.

    For such critical variables, the six-sigma long-term performance to be assumed as a benchmark is:

    Number of noncompliances


    42/49

    Six sigma and compliance management

    Number of noncompliances


    43/49

    Six sigma and compliance management

    With reference to CTCs, organizations cannot wait for the noncompliance to happen, because the consequences could be disruptive for the business.

    The suggestion is to:

    - select the key CTCs which are really critical according to Risk Assessment and Business Impact Analysis
    - plan adequate stress tests to simulate noncompliances related to the key CTCs
    - perform the stress tests and review the results expressed in quantitative terms (DPMO)
    - improve the Business Continuity Plan and procedures according to the review of the stress test results.


    44/49

    Lean Compliance Management

    How to make the CMS efficient, avoiding any waste of resources


    45/49

    Lean compliance management

    The core idea of Lean Management is to maximize the value for interested parties (shareholders, stakeholders, clients, workers, etc.) while minimizing waste. Lean management means creating more value without waste of resources.

    A lean organization understands value for interested parties and focuses its key processes to continuously increase it.

    The ultimate goal is to provide perfect value to each interested party, through a perfect value creation process that has zero waste.


    46/49


    47/49

    Lean compliance management

    The 5 tools of lean compliance management:

    SORT (Seiri): Select only the key CTCs and do not pay the same attention to non-critical variables. Do not waste time and resources.

    SYSTEMIZE (Seiton): Act in a systematic way and store the information related to key CTCs in the right place, protecting it.

    SHINE (Seiso): Keep all the information in perfect order.

    STANDARDIZE (Seiketsu): Identify best practices and define procedures to keep the key CTCs under control.

    SUSTAIN (Shitsuke): Spread and share the attention to compliance throughout the whole organization.


    48/49

    Lean compliance management

    How to put the Lean CMS into practice:

    1. identify and define CTCs (critical to compliance variables) according to Business Impact Analysis and Risk Assessment
    2. define a metric to express each CTC in terms of DPMO
    3. measure the actual performance (process baseline) for each CTC
    4. analyze the causes of the gap between the actual performance and six-sigma compliance
    5. improve performance with an action plan that brings performance up to six sigma, and monitor the results
    6. keep the new performance of CTQ under control in a 5S organizational environment
    7. plan and perform stress tests to simulate the effectiveness of the CMS
    8. review and share the results of the stress tests and improve the CMS procedures continuously
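As an added example (not the presentation's own material), the following Python carries steps 2 to 4 of the list above through for a few CTCs: it defines the DPMO metric per CTC, computes the measured baseline, converts it to a sigma level, and reports the gap to the six-sigma benchmark. The 3.4 DPMO long-term benchmark and the 1.5 sigma shift are the conventional six-sigma figures, not values stated on the slides; the CTC names and counts are constructed. It also handles the zero-noncompliance case, which the sampling discussion earlier makes clear is not evidence of six-sigma performance on its own.

```python
# Added example (not from the presentation): a DPMO metric per CTC, the
# measured baseline and the gap to the six-sigma benchmark (steps 2 to 4).
# The 3.4 DPMO benchmark and the 1.5 sigma shift are the conventional
# six-sigma figures; the CTC records below are constructed.
from statistics import NormalDist

SIX_SIGMA_DPMO = 3.4      # conventional six-sigma long-term benchmark
SIGMA_SHIFT = 1.5         # conventional long-term process shift


def dpmo(noncompliances: int, units: int, opportunities_per_unit: int) -> float:
    """Defects per million opportunities for one CTC."""
    if noncompliances < 0 or units <= 0 or opportunities_per_unit <= 0:
        raise ValueError("counts must be non-negative and units/opportunities positive")
    total = units * opportunities_per_unit
    if noncompliances > total:
        raise ValueError("more noncompliances than opportunities")
    return noncompliances * 1_000_000 / total


def sigma_level(dpmo_value: float) -> float:
    """Long-term DPMO converted to the usual sigma level (z + 1.5 shift).
    Zero observed defects gives no upper bound, so it is reported as infinite:
    that is a sampling-budget question, not proof of six-sigma performance."""
    if dpmo_value < 0 or dpmo_value > 1_000_000:
        raise ValueError("DPMO must be between 0 and 1,000,000")
    if dpmo_value == 0:
        return float("inf")
    if dpmo_value == 1_000_000:
        return float("-inf")
    return NormalDist().inv_cdf(1.0 - dpmo_value / 1_000_000) + SIGMA_SHIFT


def gap_report(records):
    """records: iterable of (ctc_name, noncompliances, units, opportunities_per_unit).
    Returns {ctc_name: {"dpmo": ..., "sigma": ..., "gap_dpmo": ...}} where
    gap_dpmo is how far the baseline sits above the benchmark (0 when at or below)."""
    report = {}
    for name, defects, units, opps in records:
        d = dpmo(defects, units, opps)
        report[name] = {
            "dpmo": round(d, 2),
            "sigma": round(sigma_level(d), 2),
            "gap_dpmo": round(max(0.0, d - SIX_SIGMA_DPMO), 2),
        }
    return report


# Constructed baseline measurements (hypothetical CTCs and counts):
# (name, noncompliances found, units checked, compliance opportunities per unit)
BASELINE = [
    ("invoice_vat_code", 12, 4_000, 3),          # 12 defects in 12,000 opportunities
    ("data_retention_deletion", 0, 25_000, 1),   # none found in 25,000 records
    ("supplier_contract_clause", 40, 800, 5),    # 40 defects in 4,000 opportunities
]

if __name__ == "__main__":
    for ctc, row in gap_report(BASELINE).items():
        print(f"{ctc}: DPMO={row['dpmo']}, sigma={row['sigma']}, "
              f"gap to benchmark={row['gap_dpmo']} DPMO")
```

With these constructed counts the invoice CTC sits at 1000 DPMO (about 4.6 sigma) and the contract-clause CTC at 10,000 DPMO (about 3.8 sigma); the step-4 analysis then starts from those gaps, while the retention CTC with zero findings goes back to the sampling budget before any sigma claim is made.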


    49/49

    Alessandro Celuzza

    Managing Director, The Skyline Project Srl, Milan, Italy

    [email protected]