Timothy Lozier

Risk Management

Benchmarking Risk and Compliance: How Do You Add Up?

Go beyond meeting what’s required and do what’s desired

Published: Wednesday, November 11, 2015 - 15:59

Compliance is a broad term. It can mean compliance to financial obligations, quality and safety, or general compliance to any regulation that is driving the organization. When you look at the current state of quality management and safety management with respect to compliance, most of the challenges arise in the overall operations and processes that govern companies’ adherence to common standards and initiatives.

Compliance, for many organizations, has a stigma around it. As a definition, compliance is the adherence to a set of guidelines, usually ones that you as an organization are not necessarily in control of. It’s created by a standards body, a regulatory agency, or government regulations, or may be a requirement to do business in certain industries.

Compliance, in a sense, is doing “what’s required.”

Shift in the compliance mindset

However, doing what’s merely required isn’t always the sole goal, nor should it be. In many industries, the term “operational excellence” is thrown out there, and it’s something that companies strive for, but don’t always know how to achieve. For many organizations the definition of operational excellence is the processes put in place to adhere to the company’s strategy of improving the bottom line. It’s how they leverage performance metrics to really effect change, and shift the organizational and operational culture to go beyond meeting what’s required, and instead do what’s desired.

With that in mind, we wanted to gauge the common challenges of compliance around quality and safety. In doing so, we constructed the Compliance Grader tool, which allows companies to answer simple questions about their overall compliance processes and activities related to quality management or safety management. Based on their answers, participants were presented with a score that identified a basic “grade” on the health of their compliance activities.

Compliance Grader questions and results

The questions centered on specific areas in the compliance journey and distinguished between required activities and desired activities.

Based on each answer, the participants build a score on compliance management, which is rated on the following scale:
• Poor compliance grade—All or a majority of the areas are not in control
• Neutral compliance grade—Some areas of improvement are needed
• Good compliance grade—Better compliance management and control, with only a few areas of improvement needed
• Strong compliance grade—Companies are in compliance and controlling processes

Based on this simple grading scale, we were able to determine a general outlook on where people are within their compliance management regarding quality and safety management.
Here are the overall results:
• 58 percent are scoring well in their compliance
• 26 percent are just getting by
• 16 percent are in poor compliance

The majority of the respondents exhibited good compliance behavior, and demonstrated that many of their processes were in fact automated to help mitigate any risk of noncompliance. Fifty-eight percent of the respondents were in a category that would be considered a passing grade with respect to the study; this means that they were showing that the majority of their processes were either in control, or being controlled through automated solutions. Of course, looking at this data in aggregate only shows a high-level view. When we dig deeper into the individual areas of compliance, we start to see some interesting trends:

Controlling documents and training employees. The questions around documentation and training centered on reviewing records, training, maintaining training records, and approving temporary deviations on a specification or element that is visible on the document. Based on the data, we know that document control and training are core aspects of compliance, and one would expect that as a result, companies are keen to make sure they are diligent in the management of these processes. The data agrees: Sixty percent or more are managing records and training well, and deviations are slightly lower, but not by much in the grand scheme. This is expected because this is typically what most companies focus on first when planning their quality system. Process management, controlling records, and training are key to compliance.

Corrective action. Now, this one was interesting to me. We know companies are leveraging corrective actions as part of their overall compliance, but it seems that the largest pain point is the timeliness of corrective actions. Only 32 percent of those using the tool were keeping on track with their corrective actions, and this is a major source of noncompliance. This could be the result of many things.

First, corrective actions can be not only painful, but also time consuming. Sometimes the investigation of a corrective action takes longer than expected, there are delays when people have daily work to do, and completing a full corrective action analysis is not usually a fast process. Second, you find that people often forget things when there isn’t a stronger push. This is where automated notifications, escalations, and predefined due dates become valuable. The idea is to automate not just the process, but also the timeliness that is critical to on-time delivery.

Lastly, this becomes a mindset shift on the nature of what corrective action should be doing. The idea is that we need to look at corrective action as not a required “thing” we have to do, but as an opportunity to make things better in the long term. That’s why many best-in-class organizations implement tools to keep them on track, enforce the process, but also embrace the idea that a corrective action can bring about organizational and operational change to what is the more desired effect on their processes.

Audit management. This is a process that we know most companies will do as part of their compliance, and it’s a known and accepted requirement of the compliance journey. This is one of those components for which we delved into the operational excellence component of this shift. Maybe we are conducting our audits, but are we doing it with risk in mind? Are we referencing the most at-risk controls when we conduct our audits? Are we looking at the areas that have the most risk? The answer was no; we’re doing what’s required, but not what’s desired. Only 28 percent of those asked were factoring a risk management component into their auditing and focusing on at-risk controls. Part of the new way of achieving operational excellence is to embrace the concept of “risk-based thinking.” You see this in the new ISO 9001 standard, and you’ll start to see this term crop up in other updates that will follow. It’s the idea that you are looking at processes with risk in mind, and this is some indication that we’re not yet there.

Managing change. Again, we come back to a core compliance requirement—processes—specifically around change management. Forty-eight percent of respondents have an established change management process. It wasn’t particularly surprising that this had a strong response. In fact, it tends to mirror our documentation question. Those folks that are managing their documents and processes also have a process in place for change management. Now, how well they are executing on management of change is a different question, and something we must look at. It’s one thing to have the process documented and controlled, but it’s another thing to make sure that the process is followed accurately and that it’s effective.

Reporting. Reporting was an interesting component that was a part of the tool—the key question that was asked was around the ability to produce metrics on problem areas and their causes. Surprisingly, this scored out at only 42 percent, which tells me that a majority of folks are only partially achieving their goals with reporting—or not achieving their goals at all. This begs the question: Are we reporting on what’s required of us vs. what’s desired? Furthermore, are we placing the tools to get into the data to make more meaningful decisions on metrics and foster continuous improvement? From a compliance perspective, having a record of the processes and managing and tracking those processes is a requirement, but without a meaningful way to interpret the data, you can encounter challenges when trying to achieve operational excellence. Having a robust reporting tool is critical to getting to that point. By segregating, filtering, and searching on your data, you can create a more complete picture of where you are at today, and make decisions on where you want to be.

Post-market feedback. Now we are at the end of the cycle, which is post-market feedback, specifically around customer feedback. The results showed that the majority are at least partially collecting customer feedback and taking action on it—50 percent are tracking customer feedback and the resulting actions, and 34 percent are partially doing so. Now, we can analyze and interpret those actions. Are they corrective actions, which we saw are slow to get completed, or are they the result of continuous improvement? The concept of customer feedback is critical to taking the real-world customer experience and effecting change, fostering continuous improvement, and taking your compliance activities to operational excellence initiatives.

Risk management. When we set up the Compliance Grader tool, we specifically wanted to illustrate the concept of risk within compliance. This was mainly because we felt that the industries that are involved in compliance will need to understand the risk management story, partly because the standards and initiatives are shifting to this “risk-based thinking” concept, and partly because this is the bridge that connects compliance to operational excellence. This particular component was more tactical in nature; are you leveraging risk-based thinking to prioritize your corrective actions? The answer was not really—only 34 percent of respondents are using risk management to identify continuous improvement initiatives.

Here’s the conundrum

Corrective actions are typically handled in the manner in which they are received—the due date. When a company prioritizes by this metric, what happens is it may have a critical issue that has a larger effect on the business, yet it is not handling the issue immediately simply because it’s not due yet. In that time, it may encounter repercussions of that issue. By prioritizing by risk and effect, you can ensure that the most high-risk events are on the top of the list so you can handle those first.

The results also look at risk in a more strategic context, one that not only promotes risk-based thinking, but also provides the context for risk in operational excellence, specifically by using risk management to identify continuous improvement. The results are better, but not that much. The reality is that risk is relatively foreign to the quality and compliance groups from an operational risk management perspective. People know what risk management is and what it entails at a high level, but the challenge is actually implementing risk management within their existing processes. Based on this tool and based on what the industry is pushing toward, the results show that risk management is a major area for improvement.


The conclusion of this study is this: Compliance is strong in some areas and weak in others. Organizations have a strong tendency to document and follow the processes related to compliance, however they are still challenged with responding to corrective actions and expanding their compliance processes beyond the basics of what is required. Forward-thinking concepts such as risk management and risk-based controls in operational processes are still not being adopted, and there is some evidence of resulting challenges around prioritization and timeliness.

The notion of quality and safety compliance is undergoing a shift. We are seeing it in some of the commonly accepted standards and regulations, and from certain industries where compliance pressure is high. This is a risk-based approach to compliance. Companies are managing compliance in terms of preparation and execution, but have not developed many practices around incorporating risk tools into these processes. As industries shift toward this mindset, we expect to see more emphasis on risk, and companies looking to build upon compliance with risk-based concepts.

With knowledge of the process, the right tools, the right people and a little effort, you can plan your quality system with risk in mind and bridge that gap from doing what’s required to doing what’s desired.

For more on this topic, join me and Dirk Dusharme of Quality Digest for the webinar, “Benchmarking Risk and Compliance with your Peers: How Do You Measure Up?” The live event starts at 2 p.m. Eastern, 11 a.m. Pacific on Thursday, Nov. 19, 2015.


About The Author

Timothy Lozier

Timothy Lozier is the director of product strategy for Verse Solutions, a quality and compliance management software provider that incorporates key quality processes, such as document control, corrective action, audits, and training in a dedicated cloud environment. Lozier has been involved in the quality and compliance industry for more than a decade and has an extensive background in quality and compliance management systems. At Verse Solutions he is responsible for driving the innovation and strategy of leading cloud-based compliance and quality management software solutions.