top of page


The Lean Compliance Compendium is a compilation of our blog articles covering a proactive and integrative approach to compliance.

Lean Compliance


Compliance has undergone a significant transformation in recent years. It is no longer solely focused on conforming to prescriptive regulations, undergoing audits, and correcting deficiencies through training programs.


Today, compliance has expanded in scope, criticality, and material significance for organizations. In the face of uncertainty, it is essential to maintain a level of operational rigor similar to other mission-critical functions to ensure that stakeholder value is protected and grows over time.

Lean Compliance is committed to helping organizations meet this challenge:


  • A Case For Lean Compliance (link)

  • Lean - Lost In Translation (link)

  • Fighting Dragons With LEAN (link)

  • Breaking Free From the Reactive Compliance Trap (link)

  • How To Make Compliance Soar (link)

  • Better Compliance Done A Better Way (link)

  • Compliance Excellence - A Road Less Traveled (link)

  • Lord Of The Risks - The Two Towers: Productivity and Compliance (link)

  • Why We Need Compliance Excellence (link)

  • Is Compliance A Waste (link)


compliance waste

1. Compliance Landscape


Compliance has changed, the operational model has changed, digital technology has changed and so has the level of risk. Understanding the new landscape is important to get your bearings so that you know where you are heading, which obstacles to avoid and which opportunities to pursue. 


  • Why Compliance Is Falling Behind (link)

  • 2020 The State of Risk Oversight (link)

  • The State of Digital Transformation (link)

  • RISK: Losing Your Social License (link)

  • Better Compliance Done A Better Way (link)

  • Are You Ready for An Environment-First Future (link)​

  • Governance, Risk and Compliance (link)

  • Proactive GRC (link)

  • Why ESG Will Be Difficult (link)

  • Sustainable Development And Environmental Stewardship - Part 1 (link)

  • Why Didn't Risk and Compliance Change During The Pandemic (link)

  • Compliance Is An Outcome Not An Activity (link)

  • Stakeholder Trust - A New Destination for Risk and Compliance (link)

  • Are You Neglecting Your Compliance Boundaries? (link)

  • The Compliance Dance - Closing Gaps And Raising Standards (link)

  • A Failure of Cybersecurity - Lack of Intention (link)

  • Two Steps Forward Three Steps Back (link)

  • Overcoming Compliance Siloes (link)

  • Does Compliance Hinder Innovation (link)


Vicious Cycle
Virtuous Cycle

2. Regulatory Designs

Regulators are becoming increasingly risk-based in their approach to contending with public harm. This transformation affects how regulations are designed and what compliance now looks like. The primary shift is from prescriptive to performance and outcome-based obligations.


  • The Regulatory Tsunami (link)

  • Catastrophic Harm (link)

  • The Burning Platform of Reactive Compliance (link)

  • Regulatory Compliance Not Enough (link)

  • Digital Threads: The Future of Compliance (link)


Regulatory Design

3. Obligations & Promises​


Compliance is all about meeting obligations which in turn requires that commitments be made. These commitments are promises that organizations make to meet all their stakeholder obligations coming from external sources and internal to the business.


  • Should Compliance Manage Obligations Or Promises (link)

  • The Heartbeat of Compliance: Keeping Promises (link)

  • Considering Promises as Assets (link)

  • The Nature of Environmental Obligations (link)

  • The Nature of Environmental Obligations - Part 2 (link)

  • Obligation's Hierarchy Of Needs (link)

  • The Taxonomy Of An Obligation (link)

  • Outcome-based Specifications (link)

  • Integrated Regulatory and Compliance Taxonomy (link)


Hierarchy of Needs

4. Compliance Ethics & Culture

Culture can help or hinder compliance.  What does a compliance culture look like?  How do organizations create the culture needed to keep all their promises?


  • Ethical Compliance (link)

  • Bounded-set Versus Centered-set Compliance (link)

  • Compliance 1 and 2 (link)

  • Building A Community Of Trust (link)

  • Is Your Motivation Holding You Back (link)

  • Tyrannical Compliance (link)

  • Seeing Compliance As A Whole (link)

  • A Measure Of Integrity (link)

  • Motivations (link)

  • How To Transform Culture (link)

  • How Structures Create Culture (link)

  • Is Your Culture Holding You Back (link)

  • Culture Eats Tools For Breakfast (link)

  • Compliance Management Office (CMO) - The Office of YES Not NO (link)

  • The Human Side Of Compliance (link)

  • Are You Being Nudged Into Compliance (link)

  • Compliance Helps Companies Stay Within The Lines (link)


Compliance 1 and 2

5. Accountability & Responsibility

Effectively managing accountability and responsibility is essential to keep promises and meet compliance obligations. Who is answerable for the obligation?  Who owns the risk?  Who is responsible to do the work of compliance?  To answer these questions requires establishing clear and unambiguous compliance roles that are sustained across reorgs, mergers, and acquisitions – a golden thread that runs through all our obligations & promises.


  • The Dilution of Compliance (link)

  • You Cannot Transfer Risk (link)

  • Use RAM to Improve Compliance (link)

  • Automating Responsibilities (link)

  • Integrity (doing what you say) Is A Measure Of Uncertainty (link)

  • Governance, Risk and Compliance (link)

  • Digital Threads: The Future of Compliance (link)



6. Compliance Operating Model


"All models are wrong, but some are useful"

Compliance commonly uses a model that is reactive founded on audits and corrective actions. This is no longer sufficient to meet performance and outcome-based obligations. What should a compliance operational model now look like to consistently realize performance objectives and compliance outcomes? What are the essential properties for this system? What processes need to be present and what interactions are necessary to achieve operability?


  • Ideal Compliance (link)

  • Concept of Operations (CONOPS)  (link)

  • Capabilities Maturity Model for Compliance (link)

  • How to Steer Towards Greater Effectiveness (link)

  • Proactive GRC (link)

  • Why You Need Compliance Engineers (link)

  • A Faster Way To Operational Compliance (link)​

  • How to Define Compliance Goals (link)

  • Seeking The Wrong Goal (link)

  • Minimal Viable Performance (MVP) (link)

  • Moving Compliance To The Performance Zone (link)

  • Cybernetic Control (link)

  • System Dynamics (link)


Operating Model

7. Programs, Systems & Processes


Compliance management programs and systems are essential to achieve a state of continuous compliance. Each have their own purpose and fulfill a different function.  How do they support both proactive and reactive processes? How should they be governed? What is essential for them to fulfill their purpose?


  • A Credible Program Needs a Credible Plan (link)

  • Implement Programs and Systems (link)

  • Do You Need A Different System For Each Regulation (link)

  • Managing Compliance Obligations (link)

  • Essential Properties For Compliance Systems (link)

  • The Environmental Golden Thread (link)

  • Modernize Your Compliance with ISO 37301 (link)

  • Towards an Environmental-First Assurance Framework - Part 1 (link)

  • Towards an Environmental-First Assurance Framework - Part 2 (link)

  • Are You Auditing What Really Matters (link)

  • The Problem With Assessments (link)

  • Does Compliance Need An Incident Management System? (link)

  • Manage Legal Risk with ISO 31022 (link)

  • Total Safety Management (link)

  • Essential Properties For Managed Pipeline Safety Program (link)

  • Maintaining Safe Operations (link)

  • Compliance Now Requires A Design (link)

  • Four Misuses of Audits (link)

  • Four Steps To Proactive Compliance (link)


Regulatory Model

8. Uncertainty & Risk


Everything happens in the presence of uncertainty and this uncertainty creates the opportunity for risk.  For organizations to meet all their obligations and stay between the lines means contending effectively with uncertainty and risk. This requires a modern approach to risk based on the science of uncertainty and its effects.


  • What Do We Mean By Risk (link)

  • 5 Ways Risk Management Has Changed (link)

  • A New Year And A New Framework for Risk Management (link)

  • Operational Risk: Where Do Risks Come From (link)

  • When the Internet Is the Hazard (link)

  • Is Compliance Risk Reducible (link)

  • Anatomy of Compliance Risk (link)

  • Taming The Dragon Of Uncertainty (link)

  • Organizational Hazards (link)

  • Antifragile - The Solution To Aleatory Uncertainty (link)

  • Rasmussen's Risk Management Framework (link)

  • To Address Systemic Risk You Need Systems Thinking (link)

  • The Two Towers of Safety : Be Safe, Act Safe (link)

  • Risk-based Thinking - Quieting Our Lizard Brain (link)

  • Emergent Uncertainty (link)

  • Not All Rocks are Obstacles (link)


Definition of Risk

9. Risk & Compliance Controls

Risk and compliance controls are the primary defences against the effects of uncertainty and the means to ensure promises are kept. Controls have different functions. They can be preventive, detective, mitigative along with being technical or administrative in nature. All of them have the same purpose – when effective they improve the probability of success. However, for controls to be effective requires organizations be proactive - anticipate, plan, and act to increase the probability of success.


  • Value Protection - Margin and Compliance (link)

  • Applying DOE Risk Handling Strategy to Obligations (link)

  • Is The Precautionary Principle Part Of Your Risk Strategy (link)

  • The Most Important Risk Control (link)

  • Reducing Compliance Debt Caused By Deferred Maintenance (link)

  • Getting More From Your Risk Registers (link)

  • Be Certain About Change (link)

  • Managing Risks Caused By Cost Reductions (link)

  • How To Manage Risk During Organizational Changes (link)



10. Methods, Measurements, & Indicators

Waiting for audits is too slow and too long to stay ahead of risk. Continuous compliance requires real-time data, metrics, and indicators to know the status of compliance and how it is performing. 


  • Crossing the Ethical Chasm Of Data - A Compliance Perspective (link​)

  • Voluntary Information Sharing (link)

  • Hidden Data (link)

  • Improving The Management Of Technical Information (link)

  • Measures Without Measures Is A Waste (link)

  • Are We There Yet (link)

  • You Can't Turn Lagging Indicators Leading Indicators No Matter How Hard You Try (link)

  • The Trouble With Zero (link)

  • Proactive vs. Predictive vs. Reactive (link)

  • Is Your Scorecard Balanced (link)

  • Problem With Risk Scores (link)


Balanced Scorecard

11. Continuous Improvement


Improvement is the heart of excellence in every field of endeavour and so it is with compliance. Improvement is necessary to advance compliance outcomes, achieve targets, maintain standards and ultimately create greater levels of stakeholder trust by continuously staying between the lines and ahead of risk.


However, improvement does not look the same for all levels and neither do the approaches that work best. What does improvement look like for governance, culture, programs, systems, and for operational processes? What approaches should be used for each, and when should they be used?


  • How To Strengthen Your Ability to Drive Compliance Improvement (link)

  • 5 Questions You Must Answer To Improve Your Compliance (link)

  • Continuous Compliance Requires Continuous Improvement (link)

  • Where To Make Compliance Improvements (link)

  • If A thing Is Worth Doing, It is Worth Doing Badly (link)

  • Management PDCA - Hero or Zero (link)

  • The Trouble With Zero (link)

  • Why Compliance Should Leave Low Hanging Fruit To The End (link)

  • Problem Solving In Highly-Regulated, High-Risk Industries (link)

  • Towards a Systems KAIZEN (link)

  • Risk-based Continuous Improvement (link)

  • Doing Less Maybe Simpler But Rarely Is It Effective (link)

  • Continuous Improvement Objectives (link)

  • Don't Settle For Fractional Improvements (link)

  • Keep Your Workers And Improve (link)

  • When Is The Right Time To Introduce Technology (link)

  • Which Improvement Framework Should You Use (link)


12. Tools & Technology


Tools and technology enable the work of compliance so that organizations stay between the lines and ahead of risk. Organizations are good at adopting technology but less so about exploiting technology. Which technology is best depends on many things particularly how reactive or proactive the culture. A technology-first strategy seldom delivers so how should organizations take advantage of digital transformation?


  • Culture Eats Tools For Breakfast (link)

  • How Do You Fight Uncertainty (link)

  • Bow Ties Are Cool and Effective (link)

  • Compliance Chain Analysis (link)

  • Compliance Compass To Make Certain You Are Always In Compliance (link)

  • Lean And The Environment (link)

  • Risk-based SIPOC (link)

  • Risk-based CAPA (link)

  • Lean Compliance A3 Format (link)

  • Integrated Risk Assessment (link)

  • Should Compliance (EHSS) Processes Move To The Cloud (link)

  • The Digital Depot of Transformation (link)

  • The State of Digital Transformation (link)

  • Digital Transformation - Exploiting The Power Of Digital Technology (link)

  • Demo-first Approach To Selecting Compliance Software (link)

  • You May Be Using The Wrong Compliance Software And Here's Why (link)

  • Compliance In The Cloud (link)

  • Can Research Into AI Safety Help Improve Overall Safety (link)


bottom of page