
Most enterprises, recognizing that compliance excellence is not a meaningful differentiator, seek to spend as little as possible on compliance while keeping themselves out of the spotlight. With that in mind, the questions become: how much is enough, and how do we know when we have reached it?
First, let’s look at the psychology of the consumer – the ultimate beneficiary of compliance. (Satisfying the requirements of regulators is a topic we'll explore more in future columns.) With the consumer, we need to examine the fuzzier side of compliance and the relationships between compliance, auditing, and trust in the eyes of the end user.
A case in point: Our local YMCA wants to build a new facility. There are environmental regulations that govern construction near waterways, so the Conservation Commission must approve the plans before the Planning and Zoning Commission will evaluate them.
One of the issues that surfaced is the reliability of the proposed septic system. Critics argue that some installations of the proposed system have been found to be out of compliance more than half the time. Their conclusion is that a system that cannot be shown to be in continuous compliance is inherently unsafe, and therefore the building proposal must be rejected. That led me to investigate the facts and the assumptions, because it sounded like an illogical risk-management argument against the project.
In fact, there have been more than 10,000 installations of this type of system, and while a few have been found to be frequently out of technical compliance, I found no evidence of a single catastrophic failure. The public perception, however, is that it is a high-risk, dangerous solution. What, then, does compliance mean in this context, and what does it tell us about the reliability of the system and the potential dangers it may pose? And, more importantly for compliance executives, what does it tell us about public perceptions of compliance?
What I learned by talking to a wide spectrum of people about this case was that most people who hear about a situation in which a compliance failure has the potential to inflict physical damage show concern in proportion to their proximity to the results. That is, if you’re downstream, you’re worried. The answer, in my opinion, is education. Customers, and the general public, need to understand the difference between compliance and risk, and the difference between continuous compliance and continuous safety.
For most of the population, a system that could be demonstrably in compliance 100 percent of the time would be acceptable. However, 100 percent compliance is not a realistic goal if it means that there can be no failures. Materials fail, and systems that rely on materials will also fail. The issue is not whether an enterprise can demonstrate continuous compliance; it is what they do when compliance is interrupted: how quickly the lapse is detected, how quickly it is corrected, and whether anyone was exposed in the meantime.
So, to answer the age-old question, "what do customers want?" Customers want continuous trust, and continuous compliance is the closest measurable proxy for it. A good starting point for achieving continuous compliance is continuous auditing (CA). In a CA process, auditing information is always available and up to date. This is in stark contrast to the traditional quarterly or monthly availability of such information. CA does not make interruptions less frequent; it makes them visible as they happen rather than at the next audit, which is what allows an enterprise to show how it responded. In a 2006 survey by PricewaterhouseCoopers, 81 percent of respondents reported having a CA program in place or in the plans.
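To make the contrast between periodic and continuous auditing concrete, here is a small added example (not code from the column or from ORCA) that evaluates the same stream of control-check results two ways: as point-in-time snapshots on audit dates, and as a continuous record that reports time in compliance, number of interruptions, and worst-case time to restore. The control names, dates and check results are constructed for illustration and assume the checks form a step function (each result holds until the next check or the end of the window).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Check:
    """One observation of a control: when it was checked and whether it passed."""
    ts: datetime
    control: str
    compliant: bool


# Constructed sample data: one quarter of checks for two hypothetical controls.
WINDOW_START = datetime(2006, 1, 1)
WINDOW_END = datetime(2006, 4, 1)
SAMPLE_CHECKS = [
    Check(datetime(2006, 1, 1), "admin-mfa", True),
    Check(datetime(2006, 2, 1), "admin-mfa", False),   # configuration drift
    Check(datetime(2006, 2, 4), "admin-mfa", True),    # restored after 3 days
    Check(datetime(2006, 1, 1), "tls-min-version", False),
    Check(datetime(2006, 1, 15), "tls-min-version", True),
    Check(datetime(2006, 3, 15), "tls-min-version", False),  # still open at window end
]
# Month-end audit dates for the traditional snapshot view.
AUDIT_DATES = [datetime(2006, 1, 31), datetime(2006, 2, 28), datetime(2006, 3, 31)]


def snapshot_compliance(checks, audit_dates):
    """Traditional audit view: latest result per control on or before each audit date.

    Returns {audit_date: True/False} where True means every control was
    passing at that instant. Anything between audit dates is invisible.
    """
    ordered = sorted(checks, key=lambda c: c.ts)
    results = {}
    for audit_at in audit_dates:
        latest = {}
        for c in ordered:
            if c.ts <= audit_at:
                latest[c.control] = c.compliant
        results[audit_at] = all(latest.values()) if latest else None
    return results


def continuous_metrics(checks, window_start, window_end):
    """Continuous auditing view over [window_start, window_end).

    For each control, report the fraction of time it was compliant, how many
    interruptions occurred, the longest time taken to restore compliance, and
    whether an interruption is still unresolved at the end of the window.
    """
    by_control = {}
    for c in sorted(checks, key=lambda c: c.ts):
        by_control.setdefault(c.control, []).append(c)

    total = window_end - window_start
    metrics = {}
    for control, series in by_control.items():
        noncompliant = timedelta(0)   # accumulated time out of compliance
        restore_times = []            # durations of interruptions that were fixed
        down_since = None             # start of the current interruption, if any
        for i, c in enumerate(series):
            # Each result holds until the next check, or the window end.
            holds_until = series[i + 1].ts if i + 1 < len(series) else window_end
            if not c.compliant:
                if down_since is None:
                    down_since = c.ts
                noncompliant += holds_until - c.ts
            elif down_since is not None:
                restore_times.append(c.ts - down_since)
                down_since = None
        unresolved = down_since is not None
        metrics[control] = {
            "compliant_fraction": 1 - noncompliant / total,
            "interruptions": len(restore_times) + (1 if unresolved else 0),
            "max_time_to_restore": max(restore_times, default=timedelta(0)),
            "unresolved": unresolved,
        }
    return metrics


if __name__ == "__main__":
    for audit_at, ok in snapshot_compliance(SAMPLE_CHECKS, AUDIT_DATES).items():
        print(f"snapshot {audit_at.date()}: {'compliant' if ok else 'NOT compliant'}")
    for control, m in continuous_metrics(SAMPLE_CHECKS, WINDOW_START, WINDOW_END).items():
        print(f"{control}: {m['compliant_fraction']:.1%} of the time compliant, "
              f"{m['interruptions']} interruption(s), worst restore "
              f"{m['max_time_to_restore'].days} day(s), unresolved={m['unresolved']}")
```

On the sample data the January and February snapshots both report "compliant" even though one control was failing for the first two weeks of January and the other for three days in February; only the continuous view shows those interruptions and, more usefully, that the three-day lapse was restored while the March one is still open. That second kind of information, time to restore and whether a lapse is still outstanding, is what answers "what do they do when compliance is interrupted."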
In most cases, a system that satisfies the customer's trust requirements this way will ultimately be more rigorous than one that merely satisfies the regulators. In a real market, after all, we are regulated more by customers' expectations than by government rules.
Adrian Bowles is Regulatory Compliance Program Director, and head of ORCA (http://orca.omg.org/).