
Sal Lucido, VP Enterprise Solutions, AssurX
In the previous articles in this series, Part I and Part II, we discussed the benefits of using a closed-loop process for managing regulatory compliance (pictured below). I also showed how setting up Key Performance Indicators (KPIs) that monitor performance to goals is a good way to Check that processes are working properly, thus reducing the need to perform manual audits of a given operation.

The Circle of Compliance
Let’s now take a closer look at the Track Problems step. The primary goal of this step is to collect and analyze data related to operational problems. This is a vital prerequisite for the next step in the process: Improve. Remember our overall goal is to systematically and continuously improve regulatory compliance. So let’s first take a look at collecting data.
Collecting data about operational problems sounds like an easy task, but it turns out to be anything but. First of all, there is a cultural stigma associated with anything that is labeled as a problem. This is because, where there is a problem, there is blame. And where there is blame, there are consequences. Given that we are talking about consequences associated with someone’s livelihood, this is not something to take lightly. Therefore it is important to set a “tone from the top” that lets employees know that the data will be used to improve operational processes and not to punish employees. It is also helpful to ask employees to suggest improvement ideas. I’ve even seen some companies acknowledge and reward employees for suggestions that result in positive actions. These are all good ways to encourage problem reporting. You want to tip the scale in favor of logging problems, as shown in the illustration.

Logging Problems
The next question is, “What data should we be collecting?” Let me start by pointing out that some data is better than no data. Waiting to create the perfect system will result in the loss of valuable information that could have alerted you to looming problems. So at the very least, start collecting data any way that you can.
I have seen hundreds of problem tracking forms spanning many processes and many industries. I’ve created product issue forms, process problem forms, out-of-spec forms, and suggestion forms for industries regulated by the FDA, NERC and the SEC. I’ve summarized four design tips in the next illustration.

The Four S's: Problem Tracking Form Design Tips
Now that you are collecting problem data, what should you do with that data? The high-level steps for processing issues are: Identification, Investigation, Immediate Actions, Analysis, and Planning for Further Action.
Problem Processing Flowchart
This is a summary of what each of these steps involves:
Identify: Collect problem data from all sources. Route these to someone who can determine immediate actions and investigate the problem.
Investigate: Look into the problem beyond the initial problem report. Look for trends from other sources (employees, vendors, customers) and from similar products and problems.
Immediate Actions: This step may be performed in parallel with or before the Investigate step. Determine if there are any immediate actions that need to be taken to contain the problem. While you are looking for root causes you don’t want the problem to grow or continue to do damage.
Root Cause Analysis: This is different from the initial Investigate step in that you are now trying to determine what actually caused the problem. During the investigation you may determine that the problem was a result of operator error. But the root cause analysis may reveal that the operating procedure is unclear and is in fact the root cause of the problem.
Plans for Further Action: Once you have established the root cause you can take actions to Improve operations. In this step you would plan out what those improvement actions will entail, who will implement them, and how long they will take to enact. Typically this Corrective Action project requires management approval to allocate the required resources.
One benefit of this process is that a single Corrective Action project can address multiple problems. See the following illustration.

Investigation Funnel
The next step is to Improve operations by implementing the corrective action project. We will take a look at that step in the next article.
Sal Lucido is Vice President, Enterprise Solutions at AssurX, Inc. You can follow him at http://twitter.com/ComplianceTips
Risk management is one of those terms that is often used a bit too loosely, warns AssurX’s Sal Lucido. “People say ‘risk management’ but it can mean very different things to people working at different parts of a company.”
For example, the finance and accounting department focuses on documenting and managing risks associated with business financial transactions and reporting as governed by Sarbanes-Oxley (SOX). The information technology group (IT) focuses on cyber security risks, which involves processes such as identity and access management, threat and vulnerability management, and configuration control. The regulatory compliance group is concerned with meeting government regulations, laws and standards applicable to their industry. For example medical device companies must meet regulations imposed by the FDA regarding such activities as quality and incident management. Energy companies must abide by national and state mandated regulations established by NERC, FERC and their respective regions. Noncompliance can lead to fines that sometimes total in the millions.
Across these industries “the Federal Government is actively auditing and levying large fines for those companies found to be out of compliance. The bar is being set higher each year and the penalties are becoming more severe.”
“Having a risk management system that is managed on paper and spreadsheets is just not going to cut it anymore.”
Sal has helped dozens of regulated companies in industries ranging from utilities to medical device manufacturers to better manage their corporate risk data and processes. And he’s observed that they have a lot in common when it comes to handling risk management. Based on his years of experience with many different firms working to address risk, he has some valuable observations and advice.
Across the board, “what we’ve been finding is that information associated with risk management is rarely made available to the departments that need access to it. For example, if the audit department had access to the identified risks and their risk levels, they could use this information to plan their audit activities, aiming audits at those that pose the greatest liability to the company.”
Companies are now looking for tools that “allow for secure collaboration” so that the risk information and data is readily available for all those who need to access it.
“Because each of these departments already has its own processes,” companies are looking for applications that allow each group to maintain its own forms and workflows. “It’s critical to have an application that provides processes unique to each group while harmonizing the underlying data” so that each group can access what it needs, when it needs it.
The other trend we are seeing is that companies are looking to move beyond just documenting risks and listing mitigation efforts. They are looking for enterprise applications that can manage the associated business processes. For example, risk assessment and mitigation efforts are tasks that need to be assigned to individuals or teams, with due dates and status updates. In order to ensure projects stay on track there is a need for escalation functionality that automatically emails the appropriate personnel when tasks become due and go late. These activities also have associated workflows and approval routings that need to be managed via software. Of course this type of functionality goes well beyond the capabilities of simple risk tracking software and spreadsheets.
The other need we are seeing is related to reports and dashboards. Department and process managers are looking for reports that show risk levels, heat maps, late reports and so forth. The executive staff is looking for enterprise dashboards that report on the state of compliance throughout the organization using easy to read traffic light and gauge or thermometer formats.
Finally, the solution should also be flexible enough to integrate with data and systems that are already being used within the company. For example, if a system is already being used to document the status of key risk indicators (KRIs) such as violations or incidents, “that data should be reported within (and accessible from) the risk management system.”
In conclusion, managing risk across the corporation means something different to each department yet it requires the entire organization to work together. It involves documenting and sharing risk data across the enterprise, managing workflows and tasks, while handling escalation and reporting. Yes, risk management has matured beyond the spreadsheet.
Sal Lucido is VP of Enterprise Solutions at AssurX, Inc.
The CATSWeb Measurements feature makes it easy to track performance to goals, monitor trends and automatically send performance-based alerts. Measurements can be added to executive and corporate dashboards to provide important, easy-to-read quality metrics information. Not only does this give you feedback about your performance to goal and trends, it also allows you to focus your resources on the areas of the business that need attention. Detailed information can be easily accessed by clicking on the metric of interest. All this is done within CATSWeb without relying on any third-party tools or add-ons.
Because most of us don’t have time to look at these dashboards every day, alerts may be configured to automatically send e-mail notifications when the metrics change. Measurements can link to any data source, such as internal system data like queries and filters, and to all system reports and graphs in CATSWeb. The source data can even be ‘external’, such as from ERP and HR systems, or from other Oracle and Microsoft databases.
It’s easy to set up a measurement:
- From the Manage page, click on Measurements and choose “Add” (or copy an existing one)
- Enter your company goals
- Then add the measurement to a Dashboard

Example of CATSWeb Measurements showing status of late actions in various departments
The CATSWeb Measurements Feature provides an easy way to track progress to goals and alert you when thresholds are crossed. This helps your company to:
- Achieve its corporate goals
- Broaden visibility regarding those goals
- Reduce cycle times
- And ensure that tasks get completed on time
Let us know what corporate goals you are tracking (or would like to track) and how you are using the Measurements Feature in CATSWeb.
As we all know on August 8, 2005, President Bush signed into law the Energy Policy Act of 2005, which authorized the creation of an electric reliability organization (ERO) with the statutory authority to enforce compliance with reliability standards among all market participants. The electric industry has had to adjust to the change from a voluntary system of compliance to a mandatory system of reliability standards compliance. In order to deal with this situation most organizations decided to use their favorite weapon – the spreadsheet. It was a great choice given there was a lot of information that needed to be organized in a very short period of time, including: standards, requirements, entities, measures, subject matter experts, applicable procedures, evidence of compliance and the list goes on.
However, once these spreadsheets were filled up with reams of data on dozens of interconnected worksheets, problems began to surface:
- Complexity: Documenting the relationships between each applicable requirement, the applicable procedures, and the compliance rationale for each of the registered entities within the organization quickly becomes a rat’s nest of intertwined data.
- Maintenance: As new and revised standards are released, just managing changes to these spreadsheets becomes more than a full-time job.
- Doesn’t Manage Tasks: Analysis of compliance to requirements usually requires assigning tasks, which implies managing assignees and due dates along with documenting the task and its outcome.
- Silos of Information: Spreadsheets by their very nature are typically owned by one person and are located on that individual’s computer. After a while most companies learn that there is more than one spreadsheet. In fact, several people in various parts of the organization are maintaining this information with overlapping data, most of the time without knowledge of each other.
This is when it makes sense to use a corporate-wide compliance management system that can deal with the complexity of the data, can be easily maintained with new and revised standards and manage task assignments, due dates (with automatic email reminders) and associated procedures and evidence.
When President Bush signed into law the Energy Policy Act of 2005, which authorized the creation of an electric reliability organization (ERO) with the statutory authority to enforce compliance with reliability standards, market participants faced a sea change. The voluntary system of compliance had morphed into a mandatory system of reliability standards compliance backstopped by audits and fines. Even though this was something brand new for energy companies, it was not the first time an industry had had to deal with such a regulatory shift.
Lessons can be learned from similar events in other industries:
- 1990’s: Manufacturers scramble to obtain ISO 9000 certification
- 2000: FDA regulated medical device and pharmaceutical companies face increased scrutiny regarding management of electronic quality records
- 2005: Publicly traded companies deal with the Sarbanes-Oxley law
Here are some ‘lessons learned’ I have encountered while helping companies implement compliance management systems:
Top-Down Approach: The most successful companies implement corporate-wide compliance programs with a clearly stated purpose initiated from the top. The best illustration of this is President Kennedy’s 1961 ‘Man on the Moon’ speech. Kennedy (the top executive) described the goal (“landing a man on the moon and returning him safely”) and deadline (“before this decade is out”).
Compliance for Cost and Reliability Improvement: Given the tight deadlines and overwhelming workload, most companies set up a compliance program with one goal in mind: ‘pass the audit’. While this may be a necessary first focus, companies that raise their sights towards actually ‘improving reliability’ and ‘reducing costs’ gain the biggest benefit from compliance expenses.
Enterprise Management Systems: Managing everything associated with compliance (data, tasks, documents, evidence, due dates, etc.) quickly outgrows spreadsheets and homegrown databases. It is best to reap the benefits of a commercial-off-the-shelf (COTS) system designed specifically for your industry. COTS vendors like AssurX typically host user group meetings and continually improve the system to keep up with regulatory changes.
Post by Sal Lucido