In previous series of articles Part I and Part II, we discussed the benefits of using a closed-loop process for managing regulatory compliance (pictured below). I also showed how setting up Key Performance Indicators (KPIs) that monitor performance to goals is a good way to Check that processes are working properly, thus reducing the need to perform manual audits of a given operation.

Let’s now take a closer look at the Track Problems step. The primary goal of this step is to collect and analyze data related to operational problems. This is a vital prerequisite for the next step in the process: Improve. Remember our overall goal is to systematically and continuously improve regulatory compliance. So let’s first take a look at collecting data.

Collecting data about operational problems sounds like an easy task, but it turns out to be anything but. First of all, there is a cultural stigma associated with anything that is labeled as a problem. This is because, where there is a problem, there is blame. And where there is blame, there are consequences. Given the fact that we are talking about consequences associated with someone’s livelihood, this is not something to take lightly. Therefore it is important to set a “tone from the top” that let’s employees know that the data will be used to improve operational processes and not punish employees. It is also helpful to ask employees to suggest improvement ideas. I’ve even seen some companies acknowledge and reward employees for suggestions that result in positive actions.  These are all good ways to encourage problem reporting. You want to tip the scale in favor of logging problems as shown in the illustration.

The next question is, “What data should we be collecting?” Let me start by pointing out that some data is better than no data. Waiting to create the perfect system will result in the loss of valuable information that could have alerted you to looming problems. So at the very least, start collecting data any way that you can.

I have seen hundreds of problem tracking forms spanning many processes and many industries. I’ve created product issue forms, process problem forms, out of spec forms, suggestions forms for industries regulated by the FDA, NERC and the SEC. I’ve summarized four design tips in the next illustration.

Now that you are collecting problem data, what should you do with that data? The high level steps for processing issues are: Identification, Investigation, Immediate Actions, Analysis and Planning for Further Action.

This is a summary of what each of these steps involves:

Identify: Collect problem data from all sources. Route these to someone that can determine immediate actions and investigate the problem.

Investigate: Look into the problem beyond the initial problem report. Look for trends from other sources (employees, vendors, customer) and from similar product and problems.

Immediate Actions: This step may be performed in parallel with or before the Investigate step. Determine if there are any immediate actions that need to be taken to contain the problem. While you are looking for root causes you don’t want the problem to grow or continue to do damage.

Root Cause Analysis: This is different from the initial investigate step in that you now are trying to determine what actually caused the problem. During the investigation you may determine that the problem was a result of operator error. But the root cause analysis may reveal that the operating procedure is unclear and is in fact the root cause of the problem.

Plans for Further Action: Once you have established the root cause you can take actions to Improve operations. In this step you would plan out what those improvement actions will entail, who will implement them, and how long they will take to enact. Typically this Corrective Action project requires management approval to allocate the required resources.

One benefit of this process is that a single Corrective Action project can address multiple problems. See the following illustration.

The next step is to Improve operations through implementing the corrective action project. We will take look at that step in the next article.

Sal Lucido is Vice President, Enterprise Solutions at AssurX, Inc. You can follow him at http://twitter.com/ComplianceTips

In Part I, we took a high-level look at a process for automating regulatory compliance management. The closed-loop process starts with Documenting your processes followed by Monitoring or Checking that your processes are being followed. Next you provide a means of Logging or Tracking any problems that may arise and then take actions to Improve. This improvement should then result in a revision to the Documented process followed by notifying or training those affected by the process improvement.  This closed-loop process, which I call the Circle of Compliance, should be used to automate the process of complying with regulatory standards.

Now lets take a closer look at the Check step. The goal of this step is to eliminate the need to manually audit a process in order to determine its effectiveness. One way to do this is by defining a Key Performance Indicator (KPI). That’s a measure of performance that is used to help an organization monitor progress to goals. For example, a company may decide to improve responsiveness by reducing the number of late tasks. A company might also set a goal for reducing violations or incidents to improve conformance to regulations or standards. You can see an example dashboard showing these two KPI’s in the diagram shown below.

Key Performance Indicators for monitoring late tasks and monthly incidents. Traffic Light indicators provide a method for quickly showing progress to goals.

Let’s take a closer look at this KPI dashboard. Both measurements are listed: Late Projects and Monthly Incidents. Notice that the date the measurement was made along with the actual performance data are displayed. We can see that for the month of May there were two late projects and five incidents. Then on the right we see a trend arrow (more on this below) and a traffic light, which give us a quick indication of performance to goal. Green is good and red is bad. Of course in order to set the traffic light to the correct state (green, yellow or red) we need some goals.

For example if there are less than two late projects each month the light will be green. If there are between two and four late projects we would consider that a yellow light (or caution). And if there were more than four late projects in a given month we would set the light to red.

When implemented properly, KPI’s monitor performance over a given time period (day, week, month, etc.) and provide a visual indication (traffic light, flag, etc.) of performance to goal. So let’s dig a bit deeper to better understand how to do it right.

Since a KPI measures performance over a given time period there must be historical data, trends and state changes. Let’s start with historical data. By clicking on the KPI dashboard we can see past measurements (shown below).

A report of historical KPI data shows an improving trend. An email is automatically sent in May when the light changes state.

We can see from the historical data that the trend is moving from bad to good and that in May there was a state change to red and yellow respectively. This system is set up to automatically send an email to the KPI Owner whenever there is a state change.

Emails are automatically sent when the light changes state. This shows a notification indicated that things are getting worse given the light changed from green to yellow.

Also if you look back at the KPI Dashboard you see the Trend arrow is green and down. Down indicates that we have fewer late projects than in the previous reporting period. The arrow is green, which indicates that this is a ‘good’ or desirable trend.

In summary, setting up Key Performance Indicators that monitor your performance to goals is a good way to ‘Check’ that your processes are working properly. It also eliminates the need to perform manual audits of
a given operation reducing labor costs. The next step in this closed-loop process is ‘Tracking Problems’.

Next time: We’ll take an in depth look at the ‘Tracking Problems’ step.

Sal Lucido is Vice President, Enterprise Solutions at AssurX, Inc. You can follow him at http://twitter.com/ComplianceTips

The primary function of the compliance department is to ensure that the company complies with all of the applicable regulations, rules, and laws. Regardless of industry (life science, energy and utilities, financial services, etc.) this is a universal charter.

As someone who serves customers across many heavily regulated industries, I think I’ve got a unique perspective — and I’d like to share some of what I’ve learned along the way in the hopes that it helps you in some small way .

One particularly useful tool I see used across all industries is what I call the ‘Circle of Compliance’. Before I explain this concept, let’s take a deeper look at the job of the compliance department.

As I’ve already mentioned, the compliance department is put in charge of ensuring that all applicable compliance requirements are met. For example U.S. medical device companies must comply with the FDA’s Good Manufacturing Practices (GMP). Regulation 21 CFR Part 820.90 states that each manufacturer shall establish and maintain procedures to control product that does not conform to specified requirements. So the compliance department must determine if their company follows this process.

This is not so different from a U.S. power company that owns transmission lines. They must comply with Reliability Standard FAC-003 that mandates a clearance be maintained between transmission lines and vegetation. It also requires the company to report any vegetation related outages. These are different industries and different regulators (FDA, NERC), but each has the same fundamental task.

So how does the compliance department go about ensuring these regulations are met? Typically they audit the company for compliance. If there is a gap between the requirement and current practice, they work with the appropriate departments to close the gap. Take a look at this illustration for a visual representation of this ‘push’ exercise.

You can see from the illustration that this is a manual task. The problem is that it is a time consuming, never-ending job. As soon as the compliance department shifts their attention to another area of the company, compliance gaps can (and usually do) reappear. This is then addressed with ‘periodic’ audits. What we end up with is an endless and expensive merry-go-round of audits and fixes.

The solution? Set up a process that continuously ‘pulls’ the operations towards the regulations. I’ve illustrated this type of system below.

You can see the advantage of this system from the illustration. It does not require the constant and repeated attention of the compliance department.

So what is this process? I call it the ‘Circle of Compliance’ as illustrated below.

In a nutshell, this is a closed-loop corrective/preventive action process. While you might recognize the process as it relates to quality systems, you may not have considered its application to the job of regulatory compliance.

This is how the process works: Let’s look at the U.S. power company that must ensure that trees are kept away from transmission lines. Of course the compliance group would first check to make sure the vegetation inspection and removal procedure is ‘Documented’ adequately.

Next the compliance group would see if there is a ‘system’ in place for monitoring that the process remains effective. This is the ‘Check’ part of the process. Also they would ensure that there is a process for documenting problems such as vegetation related outages. Most compliance departments do a good job of auditing these two steps, but it is crucial that the next two steps are completed.

Any and all problems with the vegetation monitoring system must be ‘Tracked’. This means they must be documented in a system that links directly to the next step: Improve. All problems must be looked at to determine how the problem occurred and how the system can be ‘Improved’ to prevent reoccurrence. This improvement must then result in a change to the ‘Documented’ process followed by retraining of the workforce to the new process.

If implemented properly this closed-loop ‘Circle of Compliance’ will save the company time and money while improving its ability to comply with industry regulations.

Next time: I’ll explore each of these steps (Document, Check, Track and Improve) in more detail.

Sal Lucido is Vice President, Enterprise Solutions at AssurX, Inc. You can follow him at http://twitter.com/ComplianceTips

Risk management is one of those terms that is often used a bit too loosely, warns AssurX’s Sal Lucido. “People say ‘risk management’ but it can mean very different things to people working at different parts of a company.”

For example, the finance and accounting department focuses on documenting and managing risks associated with business financial transactions and reporting as governed by Sarbanes-Oxley (SOX). The information technology group (IT) focuses on cyber security risks, which involves processes such as identity and access management, threat and vulnerability management, and configuration control. The regulatory compliance group is concerned with meeting government regulations, laws and standards applicable to their industry. For example medical device companies must meet regulations imposed by the FDA regarding such activities as quality and incident management. Energy companies must abide by national and state mandated regulations established by NERC, FERC and their respective regions. Noncompliance can lead to fines that sometimes total in the millions.

Across these industries “the Federal Government is actively auditing and levying large fines for those companies found to be out of compliance. The bar is being set higher each year and the penalties are becoming more severe.”

“Having a risk management system that is managed on paper and spreadsheets is just not going to cut it anymore.”

Sal has helped dozens of regulated companies in industries ranging from utilities to medical device manufacturers to better manage their corporate risk data and processes. And he’s observed that they have a lot in common when it comes to handling risk management. Based on his years of experience with many different firms working to address risk, he has some valuable observations and advice.

Across the board, “what we’ve been finding is that information associated with risk management is rarely made available to the departments that need access to it. For example, if the audit department had access to the identified risks and their risk levels, they could use this information to plan their audit activities aiming audits at those that pose the greatest liability to the company. ”

Companies are now looking for tools that “allow for secure collaboration” so that the risk information and data is readily available for all those who need to access it.

”Because each of these departments already have their own processes” companies are looking for applications that allow each group to maintain their own forms and workflows. “It’s critical to have an application that provides processes unique to each group while harmonizing the underlying data” so that each group can access what it needs, when it needs it.

The other trend we are seeing is that companies are looking to move beyond just documenting risks and listing mitigation efforts. They are looking for enterprise applications that can manage the associated business processes. For example, risk assessment and mitigation efforts are tasks that need to be assigned to individuals or teams, with due dates and status updates. In order to ensure projects stay on track there is a need for escalation functionality that automatically emails the appropriate personnel when tasks become due and go late. These activities also have associated workflows and approval routings that need to be managed via software. Of course this type functionality goes well beyond the capabilities of simple risk tracking software and spreadsheets.

The other need we are seeing is related to reports and dashboards. Department and process managers are looking for reports that show risk levels, heat maps, late reports and so forth. The executive staff is looking for enterprise dashboards that report on the state of compliance throughout the organization using easy to read traffic light and gauge or thermometer formats.

Finally the solution should also be flexible enough to integrate with data and systems that are already being used within the company. For example, if a system is already being used to document the status of key risk indicators (KRI’s) such as violations or incidents, “that data should be reported within (and accessible from) the risk management system.”

In conclusion, managing risk across the corporation means something different to each department yet it requires the entire organization to work together. It involves documenting and sharing risk data across the enterprise, managing workflows and tasks, while handling escalation and reporting. Yes, risk management has matured beyond the spreadsheet.

Sal Lucido is VP of Enterprise Solutions at AssurX, Inc.

In comments filed last month, the North American Electric Reliability Corporation (NERC) told the National Institute of Standards and Technology (NIST) that it should focus hard on coordination of standards as it works on its Proposed Framework for Smart Grid Interoperability Standards.

NERC simultaneously stressed the differences between the three types of proposed standards: Interoperability Standards, System Security Standards and Reliability Standards – and the ultimate need for streamlined, real coordination between the different standards.

“Although the voluntary Interoperabilty Standards proposed by NIST are designed to achieve a different purpose from the NERC mandatory Reliability Standards, it is critical to the continued reliability of the bulk power system that the two bodies of standards be compatible and complementary,” the Nov. 9th comment noted.

NERC also stressed the importance of cyber security to smart grid technologies and encouraged NIST to integrate adequate cyber security protection, at all levels (device, application, network and system) in the development of its Interoperabilty Standards.

While NERC CIP Reliability Standards provide for the reliable and safe operation of the bulk power system by preventing the unauthorized cyber and physical access to critical assets and critical cyber assets, NERC commented, there is a need to develop additional cyber security protection for distribution facilities in the development of Smart Grid Interoperability Standards to address, for example, security aspects of interoperability at the distribution level.

http://www.nerc.com/files/FinalNERCCommentsNIST_Smart_Grid_Framework_Document.pdf

Click here for more information about NERC Electric Reliability Compliance Solutions