(The Lean Six Sigma approach to implement compliance management systems ISO 37301)
It sounds like a provocation, but it is the question that all structured organisations are asking themselves about the usefulness of yet another certifiable standard for compliance management systems. First of all, it can be said that compliance is certainly one of the most attractive megatrends of the moment along with many others such as cybersecurity, artificial intelligence and benefit companies. The Omniapart TEAM, in spite of these megatrends, has perfected a methodology that makes operational, at every level, compliance processes of absolute value now necessary for organisations that intend to establish themselves and succeed in the most diverse markets. Not only is ISO 37301 a certifiable standard, but it is also the primary standard to which all organisations, whether structured or not, can refer both for the migration of their organisational status towards a managerial structure and for the improvement of existing controls, to be integrated or set up. The real potential of this new certification scheme lies in a series of peculiarities and among them the one concerning the control systems and the test to which they will be submitted. Reference is made to paragraph 8.2 of the standard, from which, it can be seen that the implementation of controls to manage compliance obligations and associated risks require careful design and must be subject to periodic checks to ensure their effectiveness without interruption. Such audits of the designed controls help to understand, first and foremost, whether the control does what it is intended to do, but also, whether or not it can be circumvented, thereby undermining its effectiveness. This particular activity requires the organisation to equip itself with tools that are not those commonly applied to management systems, requiring skills to assess the hypotheses that may give rise to their vulnerability. First of all, it is necessary to understand the frequency of the audits to be carried out on the designed control, which cannot disregard the outcome of the risk analysis at the basis of the implementation of the ISO 37301 scheme. This periodicity must be traced back to the dual assessment of both the level of risk associated with the process receiving the control and the vulnerability of this process, deducing in the extreme, the implementation of techniques that are typical of a design with Lean Six Sigma methodology. It therefore follows that compliance models may be affected, at least for the implementation of controls, by the contamination of extremely sophisticated methodologies (Lean Six Sigma) and also with reference to the subsequent periodic verification of controls. As for the vulnerability of the process, the implementation of controls must necessarily consider cases of circumvention by developing the ability to intercept these anomalies. This confirms how the Lean Six Sigma methodology can make a difference as the control in question will benefit from all available statistical techniques both for the definition of dynamic indicators that follow the effective implementation of the control and for the design of operational KPIs subject to ineffectiveness or vulnerability.
The approach described above can also be practically implemented for all the other requirements of the ISO 37301 scheme, especially with reference to the security of the information needed for the operation and effective implementation of the management system (ergo: Reporting on compliance together with accountability mechanisms). In practice, the ISO 37301, unlike the self-made compliance models, favours the interception of both behaviours not in line with obligations (legislative and voluntary) and the interception of situations that weaken the processes and their maintenance due to so-called “involuntary” changes. The techniques with which all this is designed make a difference.
Therefore, the organisations that undertake the implementation of ISO 37301 will not be able to avoid the impetus to the virtuous process that extends safeguards at every level, encouraging the participation of all those who, by interacting with the organisation, may be elected as an element of vulnerability. The reference is therefore not only to employees, but must necessarily extend to shareholders, stakeholders and business partners; it is recommended that the process of empowerment of each of the above actors must follow through a concrete cultural revolution. Only by following a process of widespread, accepted and approved culture can ISO 37001 be considered necessary and instrumental to the regulation of processes that favours the decentralisation of powers through the centralisation of adequately tested controls in terms of effectiveness.
If all of the above finds the right fit within your organisation, ISO 37301 far from being yet another certification scheme will be the starting point for the hoped-for cultural revolution that all organisations will need to foster in order to reliably prove the resilience of their ecosystem in a global economy.
Francesco Cipullo
Chief Executive Officer of Omniapart
