How much do you love your SOPs Part 5: Compliance Infrastructure - Connect/Collaborate/Innovate
By Dee Carri
Read the introduction to our 'How Much Do You Love Your SOPs' blog series here >
In this post, we set out the main physical and organisational structures required to optimise compliance, process and quality activities, described collectively as Compliance Infrastructure. Those of you who have been reading previous blogs in this series will be aware that we view compliance and quality as embedded attributes of business processes, not separate activities. Therefore, when we use the term “process” or “task” it includes whatever quality and compliance attributes are applicable and defined for that process or “task”. We'll briefly look at what we want and need, in order for these processes to be best achieved, compared to what most organisations currently have in place.
What We Want Versus What We Have
The ideal would be a single, enterprise-wide, integrated, closed-loop Compliance and Quality Management System that provides end-to-end visibility of the organisation's activities and access to all quality and compliance resources, including local variants and performance measures.
Viewed through a quality lens, this is called an Integrated Management System, viewed through a Business Process Management lens; it is described as a Process Architecture or a Process Framework. See figure 1 below for a conceptual graphic that shows how the layers of an integrated Management System / Process Architecture are connected. Note that it encompasses vertical and horizontal integrity and traceability, attributes that are critical to the implementation and auditability of compliance and quality processes.
Figure 1. Integrated Management System 
Viewed as a conceptual graphic, the IMS appears straightforward and logical. Why then, are there so few examples of Integrated Management Systems? The answer is that implementing a real-life IMS that encompasses hundreds of processes operated by thousands of people is not a simple or quick task. To make a fully living, breathing, dynamic IMS, other factors such as organisation, enabling technology and Leadership are critical to success, and often under-emphasised, leading to sub optimisation and failure.
Here we'll look at each of these aspects, as they are now and as they could be, viewing compliance and quality as embedded attributes of business processes, not separate activities.
Research into successful innovation has revealed that the notion of new ideas and inventions springing from brilliant individuals working in isolation is mostly a myth. It is now widely accepted that new ideas and improvements mostly result from people working together intensively, sharing knowledge and experience to seek improvements or breakthroughs. If we accept this as fact, then the challenge for organisations is to provide the necessary infrastructure to enable multi-disciplinary process stakeholders to connect, collaborate and innovate across traditional boundaries. These boundaries can include geographic, time zone, organisational (role & status), cultural and language boundaries. Broadly speaking, the critical requirements to support innovation of Compliance activities fall into two categories:
- ICT Compliance Infrastructure Requirements
- Organisational and Governance Requirements
Compliance Infrastructure Requirements: Technology - What We Want
Business Process Management Systems (BPMS) to Connect & Collaborate
An enterprise-wide process repository will enable sharing of process, compliance and quality knowledge
- One source for all processes required to run the business - more than an “operations manual”
- Remove process and operational redundancies
- Identify and make local variants transparent
- Embed compliance and quality attributes and pre-requisites in processes
- Use Multi-lingual capability to facilitate understanding and adoption
- Use workflow and roles for automation of change management , including suggestions, actions and change requests
- Supports role-based process training for effectiveness and adoption
- Satisfy compliance requirements for security, integrity and electronic signatures
- Satisfy compliance monitoring, measurement and subsequent action resolution
In summary, a BPMS provides the basic infrastructure necessary to connect and collaborate on processes.
Workplace Media that support us to Collaborate and Innovate
The requirement to collaborate and innovate demands the integration of social collaboration tools with business processes, allowing direct and active involvement with a wider, more diverse and larger community interested in:
- Co-creating new processes
- Implementing new and changed processes
- Improving processes; discuss, comment and validate changes
- Sharing tacit knowledge, best and new practices
- Monitoring usage and effectiveness of compliance processes
- Solving problems, investigating issues or providing expertise to others outside of their regular community where “fresh eyes” may be of benefit
- Sharing compliance processes with upstream and downstream partners
Some BPMSs provide collaboration facilities, some don’t. Either way, if you are serious about compliance collaboration and innovation, you want it!
Versus What We Have
1. Multiple, disparate, unconnected quality, compliance and management technology and systems.
2. Corrective and Preventive Action (CAPA) systems are not correctly operationalised
The theory is that if a compliance deviation or non-conformance occurs in location A then it undertakes root-cause-analysis followed by a corrective action. All other locations B-Z will be notified so that they can implement a preventive action that will ensure they don’t repeat the non-conformance. The reality tends to be somewhat different due to a number of factors e.g. the setup of CAPA, the inability to use CAPA properly, the inability to conduct Root Cause Analysis. One global Quality Manager, in discussion on this topic said “I wish! Great theory but it’s primarily a tool to help us through inspections and demonstrate we track and close complaints and we use it for big production issues. We also don’t seem to be able to train folks well to perform real root cause analysis so we sometimes fix the wrong thing. Anyhow, we’re all too busy putting out fires to get to the real cross-company preventive actions”
Compliance Infrastructure Requirements: Organisation and Governance – What We Want
To be effective, the Integrated Management System must be supported by:
Appropriate Organisation and Governance to ensure that:
- Decisions are made at the correct level in the organisation and they are made on time
- There is a single Owner of Enterprise Compliance: organisational redundancies are removed between and within compliance and quality silos (a small number of organisations are already doing this, despite considerable resistance from the existing organisation).
Versus What We Have
1. Compliance activities are viewed as parallel activities, separate from other operational activities.
2. Poor, fragmented Governance Structures
Multiple compliance “silos” and compliance owners: local, functional, regional and corporate are spread across the various compliance agendas, rarely sharing organisation, knowledge, tools and resources.
- Fiscal
- Environmental
- Product Life Cycle
- Privacy & Data Protection
- Ethics
- Sectoral and other Regulations and Company Policies
Each of these areas is a compliance silo with little connection to the other compliance silos, each demanding its own internal infrastructure (organisation and systems) to provide a response to the relevant external agencies. Where the enterprise is global, then each compliance area is likely to have a regional and global or corporate function, adding even more compliance silos. There is almost no sharing of knowledge, methodology and resources across these compliance silos, making management complex and expensive. For smaller business units, dealing with multiple compliance agendas and representatives of the different groups can cause serious practical challenges, both in terms of providing sufficient coverage for the compliance activities and in dealing with multiple compliance agencies, customer and partner audits, and internal corporate representatives.
Other factors such as overlaps and duplication between compliance regulations, the need to deal with variation between jurisdictions and current content and management structures make difficult tasks into a barely controllable endeavour and places most quality and compliance organisations on a permanent treadmill.
3. Unclear Roles and Responsibilities. Vague language around roles in policy documents or quality management systems that don’t correlate with other relevant information such as tasks, performance targets and don’t get integrated to individual job specifications. The result of this is that it is not easy and sometimes very difficult to see “Who” is responsible for “What” when it comes to compliance activities and the degree of difficulty increases proportionally with greater physical distances, variety of languages and rank.
In addition, with the exception of executive management, roles and job titles tend not to be standardised which causes endless amounts of manual mapping of between individual persons, job titles and User IDs, activities and SOPs, something that is wasteful, subjective and prone to error.
4. Un-integrated tools for the orchestration of knowledge sharing and collaboration. Feedback and suggestions die on the vine: Contributors don’t how or to whom they should send their contribution. Even if they could, they can’t track, collaborate or aggregate. Workplace social media is missing.
Enterprise wide process standards – What we Want
Process Standards established and supported by a Centre of Excellence
“Standards are characterised by a snowball effect: the greater the number of people using them, the more valuable they become, and therefore the greater the number of people motivated to use them”
[Source: Blown to Bits: How the New Economics of Information Transforms Strategy, Phil Evans, Thomas S. Wurster]
At a minimum, the following Enterprise-Wide process, quality and compliance standards required for Compliance infrastructure are:
- An enterprise dictionary of definitions is available and searchable
- Process Owners are in place and their responsibilities are defined with a particular focus on innovation
- A single set of common tools are sourced and available for quality and process work
- A business process notation standard is defined, so everyone is capable of following process documentation and business processes can be linked thereby providing end-to-end process visibility
- Standard roles are defined to facilitate setting up communities of practice, for easier communication and sharing of knowledge, for faster change implementation, to facilitate standard work and benchmarking
- Process Scorecards are in place, aligned to business strategy and goals and best practice benchmarks
- A Training strategy and training schedule is in place for: training on process, quality, compliance tools; process training; role-based training; SOP training and task training
- An innovation strategy that incorporates data gathered from all relevant sources e.g. Corrective and Preventive Action (CAPA), manufacturing, laboratory, reviews and audits etc.
With both Governance and Standards in place the enterprise is organised for success.
Versus What We Have
Certain sectors such as arirmotive, automative, telecommunications and some companies in the semi-conductor and technology industry are leaders in this space and they have already defined and implemented many of these standards. Otherwise, most organisations have not defined and implemented these standards although a small number are working to establish integrated centres of excellence.
Summary
Organisations wishing to improve or transform their compliance costs and effectiveness need to build a compliance infrastructure that will allow process and compliance stakeholders embed compliance activities in operations and connect, collaborate and innovate with other process stakeholders.Of course, it would be simplistic to build a case for Compliance Infrastructure without considering other aspects (such as those described in previous posts on this topic). In the final post of this series, we will provide some guidance on how to start this journey.
In the next blog in our SOP series, we'll focus on the topic of “Enterprise Flexibility". And if you missed the introduction, you can find it here >
In the meantime, we invite you to provide feedback, comments and your experience in the comments section below.