What You Don't Know CAN Hurt You: Risk Registers Are Key to Compliance Management
There's a lot of talk around compliance these days. Compliance is a broad term in itself; it covers many operational areas - Quality Management System, Environmental Health and Safety Management, Governance, Supply Chain - the list goes on. Compliance encompasses a lot, and at its core it is adherence to any policy, standard or regulation set forth by an organization or regulatory entity.
Compliance, however, isn't really the whole picture. Compliance doesn't help you prevent adverse events; it provides the guidance for properly avoiding those events. Typically, changes to policies and procedures are the result of a non-compliance event - Corrective Actions, adverse events, Audits, or similar processes. What isn't covered are the predictive methods for looking at your existing operations and determining the areas where potential non-compliance can occur. The reality is, if you are not looking at these potential problem areas, you are facing threats to compliance. How can you effectively look at your existing system and search for data points that might threaten compliance? The answer is Risk.
Risk Management is a larger component of Compliance - in fact, you could argue that without some level of risk management, you are not effectively tracking compliance. Risk is the ability to perceive potential threats and hazards and make decisions that positively impact your compliance with whatever standards, policies and regulations you are striving to adhere to. Risk Management is a method for looking for hazards and threats, making decisions on how to handle those threats and hazards, and then focusing on controls and preventive measures to mitigate risk and maintain compliance.
The Risk Register: Your Window to Assessing Compliance
In any system - QMS, EHS, GRC or others - data is king. Every system is a wealth of compliance data: trouble in, corrections out, and the data and history of every event in between. With all the data within the system, you can analyze, trend and predict similar events in the future. The Risk Register takes that data and applies common risk methodologies to it. It takes the historical data and assigns a risk ranking to each event, so that you can effectively build a "risk portfolio" of past events to help dictate future occurrences.
Like many things in life, we look to the past to determine our future - this is the Risk Register.
Risk Register Data: Proactive Analysis to Impact Events before they Occur
Having a portfolio of compliance risk can provide a risk history that will help organizations assess their current operations and improve similar conditions before they potentially occur. Consider the following example:
Company XYZ had a series of adverse quality events at site A, arising from a faulty machine. The Corrective Action indicated that maintenance was only performed monthly, and that if weekly maintenance were performed, the risk of failure would be lowered to within acceptable risk parameters. Sites B, C and D have the same machine, and still perform monthly maintenance. By viewing the Risk Register, the company can update maintenance schedules to weekly for all sites, mitigating the risk of adverse events at all sites and avoiding potential Quality issues going forward.
A basic example (I'm never one to get all complex), but it makes sense - by looking at one series of data points, you can impact other areas within the organization. Risk histories are good for this purpose. Look locally, and act globally.
Risk Registers Provide Cross-Operational Reporting
In the old Star Trek shows, the crew would encounter an alien species and, as soon as they came on screen, implement the "universal translator", which would automatically translate their language into English. A nice plot device; otherwise all Star Trek episodes would need subtitles.
However, in the real world, and more pointedly the business world, Risk is the universal translator for an organization. Operational areas speak their own language - Quality doesn't have the same terminology as EHS, nor do GRC and Supply Chain Management. Rolling up reporting from each functional area would produce a mishmash of jargon and nomenclature - executives would need a glossary for each decision they had to make.
Risk registers roll up Quality, EHS, GRC and other data into a single common language - Risk. This way, you can see top risks within the organization and the events that are causing these risks. Risk data makes for easier decision making, and it also fosters the ability to implement changes that span these functional areas. A risk stemming from a Quality operation can have an impact on Safety processes. By creating a cross-functional approach to Risk and Compliance, you can make decisions that will impact many areas all at once.
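The two ideas above - ranking historical events into a common risk measure that rolls up across Quality, EHS and GRC, and using one site's events to act at the other sites running the same machine under the same control - can be shown as a small risk register model. This is an added example, not code from the original post or from any product; the event schema, the 5x5 likelihood x severity ranking, the sample events and the per-site control table are all constructed, and site D is given weekly maintenance already so the "look locally, act globally" check has a site to skip.

```python
from dataclasses import dataclass
from collections import defaultdict

@dataclass(frozen=True)
class Event:
    """One historical compliance event in the register (constructed schema)."""
    site: str
    area: str        # functional area: Quality, EHS, GRC, Supply Chain ...
    asset: str       # machine or process the event is tied to
    control: str     # preventive control in place when it happened
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    severity: int    # 1 (negligible) .. 5 (critical)

    @property
    def risk(self) -> int:
        return self.likelihood * self.severity  # common 5x5 matrix ranking (assumed)

# Constructed sample data modelled on the Company XYZ story: site A's faulty
# machine produced Quality events while under monthly maintenance.
REGISTER = [
    Event("A", "Quality", "press-7", "monthly maintenance", 4, 4),
    Event("A", "Quality", "press-7", "monthly maintenance", 4, 3),
    Event("B", "EHS", "forklift-2", "annual training", 2, 5),
    Event("C", "GRC", "vendor-onboarding", "manual review", 3, 2),
]
# Control each site currently applies to each asset, including sites with no
# events yet (constructed; site D has already moved to weekly maintenance).
SITE_CONTROLS = {
    ("A", "press-7"): "monthly maintenance",
    ("B", "press-7"): "monthly maintenance",
    ("C", "press-7"): "monthly maintenance",
    ("D", "press-7"): "weekly maintenance",
    ("B", "forklift-2"): "annual training",
}

def risk_by_area(register):
    """Roll every functional area up into the one common measure: its top risk."""
    rollup = defaultdict(int)
    for e in register:
        rollup[e.area] = max(rollup[e.area], e.risk)
    return dict(sorted(rollup.items(), key=lambda kv: -kv[1]))

def sites_sharing_exposure(register, site_controls, threshold=12):
    """Look locally, act globally: for each high-risk (asset, control) pair in the
    register, list the other sites still running that asset under the same control,
    so the corrective action can be applied there before they have an event."""
    exposed = {(e.asset, e.control) for e in register if e.risk >= threshold}
    already_hit = {(e.site, e.asset) for e in register if e.risk >= threshold}
    return sorted((site, asset) for (site, asset), control in site_controls.items()
                  if (asset, control) in exposed and (site, asset) not in already_hit)
```

With the sample data, the roll-up puts Quality (16) above EHS (10) and GRC (6), and the exposure check returns sites B and C for press-7 while skipping D, which already runs weekly maintenance.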
Knowledge is key to compliance; the knowledge is hidden in the data, and the best way to uncover the knowledge and make compliance decisions across the enterprise is through Risk. Let's recap:
- Compliance is the result of a good risk mitigation strategy.
- Risk Registers are the key to collecting risk-based events from the entire enterprise.
- Visibility into top risks can help make better decisions; past events can help dictate future actions.
- Risk is a universal language that everyone can understand.
- Key elements of change and compliance management arise from knowing our past risks and making informed decisions to impact the business.
So, what you don't know CAN actually hurt you - implement a risk register, and start collecting risk to help "futureproof" your enterprise.