Compliance is a risky business

Promoting compliance may not promote the professional credibility you are looking for

Compliance is a risky business
Dave Rebbitt

One thing I have learned in my years in safety is that safety people love to talk about things like compliance and due diligence. These days I often wonder if the speakers even understand these concepts as the buzzwords build up knee-deep mired in the sea of rhetoric that springs up in these conversations.

When asked, safety people often say they “manage compliance” or “ensure compliance” as that is the bedrock of due diligence. Now I really do not want to get into due diligence as I have previously written about that in this publication. It is this quest for “due diligence” that has led to the bureaucratization of safety.

We still speak about hazards and compliance as the bread and butter for safety professionals. Identify the hazard, assess it, and mitigate it. Check for compliance, and things are great. Simply, easy, check the box and move on. But what if it is not so simple?

One of the phrases I hear a lot is that anyone can do safety. I sure hope so, people are good at keeping themselves safe. If it is just finding hazards and controlling them, laced into a bit of compliance. Then sure, anyone can do that. You do not need a lot of training or talent to be able to spot an unsafe condition or action. Some good discussions will lead to good controls. Almost makes one wonder why anyone needs safety people at all.

Like a lot of things in safety, compliance is complex. We have some tools to gauge compliance, and audits are certainly one good way to gauge safety compliance. We also have inspections and workplace observations. Sounds simple enough, and yet anything involving people is always inherently complex.

Who will do the audits or inspections? What sort of experience and training do they have? The outcome of any sort of review is largely dependant on the training, education, and experience of the person conducting it.

Still, compliance is about being in compliance with a legislated requirement — a law or regulation. These things tend to be clear on what is required, but perhaps not so clear on how these goals are to be reached. The goal is compliance through hazard control. At least it was in the 1970s.

The compliance trap

When all these safety people are talking about compliance and due diligence, I am always thinking about the compliance trap. Compliance is not a well-defined hard line that some think it is. Few things in safety are.

The compliance trap isn’t a new idea. It is about perceived compliance (where the organization thinks they are) and actual compliance (where the legal system says you are).

So, promoting compliance may not promote the professional credibility you are looking for. Celebrating that you have (you think) met minimum requirements may not be the message that employees may appreciate.

Besides, anyone can do safety, and so can’t anyone guess at compliance levels?

Compliance is a perception. Someone (safety person?) will pronounce that something in compliance. Of course compliance equals safe. Or maybe it doesn’t. The language of compliance can be simplistic, but it is an important concept to understand as a starting point.

How can you be sure you are in compliance? Well, that brings us to the compliance trap. Compliance often depends on a few things. The understanding of the law and its requirements, along with an understanding of what the organization is actually doing. Not what is written, but what is actually being done — or not being done.

So far, we have only spoken about laws and regulations, but what about non legislated standards? Industry best practices or accepted practices? Must we do what others in the industry do?

Compliance is about perception, but not yours. It is only the perception and binding judgment of a court that can really establish compliance — or lack of compliance. Maybe the regulatory officer who visits has a different perception and understanding of requirements through their different experiences.

This is the classic compliance trap. The company thinks they are in compliance, and a regulatory officer, or the courts, find them not in compliance. Maybe compliance and hazards were never really the answer.

Compliance does not equal safe

Compliance is inherently defined as regulatory compliance with the law. The law is a social construct where society defines what is acceptable. What safety measures are acceptable in the workplace. It defines the absolute minimum standards for things.

Compliance never promised safety and may only provide “reasonable” safety in general conditions. Compliance provides no guarantee of a safe workplace at all. If the lowest possible acceptable standard is the goal, there is a possibility that the organization could overshoot the mark, or undershoot it.

Companies may get a good audit score — 90 per cent. Should we be celebrating that 10 per cent is out of compliance with our own standard? Is that 10 per cent around a critical task or high hazard activity?

Workplaces are dynamic, change is ever present. Our laws change to reflect the realities. Unfortunately, they change slowly and perhaps reflect the realities some years ago instead of the present. New hazards arise, and so this can be a concern when compliance is the target. Compliance does not always address present realities.

Failing to adapt to change probably means failure for an organization. It can also widen the gap between compliance and where the company perceives they may be.

Adding value

If anyone can do safety, and anyone can guess at compliance, where does that leave the safety person? Well, perhaps it is not the 1970s anymore, and the safety person can add value by concentrating on something else.

Beyond compliance? Who cares? Beyond simply means you might actually be in compliance. Not such a laudable target. If you read court decisions (recommended for actual insight), you may notice that judges often refer to the spirit of the law. This is the intent of the law instead of the letter of the law. Compliance entirely ignores this concept. Intent is hard to measure and a bit nebulous — same as compliance.

I suggest it is true that anyone can do safety. Anyone can be taught to do inspections and hazard assessments. They can even do competency observations and run safety meetings. If your organization thinks that it is the job of the safety person, they are absolutely not getting the value they are paying for.

I would suggest that the safety person should be facilitating safety. Their inherent responsibility should not be to manage compliance but to identify and mitigate risk. Risk is all about what may happen, not what exists at this moment.

Managing risk can ensure the smooth and uninterrupted progress of work. Work that is made safe by proactively identifying and managing risk. Actual hazards that arise can be identified by those in the organizations using the tools that are provided thought the safety system.

What if, instead of running around reminding people to be careful, they were simply not exposed to a higher level of risk unnecessarily? Isn’t that more value added? Perhaps a better use of time and talent as well.

Risk and compliance

If we are managing risk, what about compliance? Instead of trying to meet the minimum requirement, risk means meeting the intent of the law and regulations. It means proactively identifying trends and industry practices with engaged employees. Or did we think they liked the lowest standard?

Risk management inherently means managing at a different level when it comes to worker safety. It means that compliance is only one consideration as managing risk moves past compliance. The best part is that since it is done proactively, it tends to be cheaper.

If the safety people are engaged in managing risk, what about compliance? The risk management process naturally pushes compliance to the line authority where it belongs. The people that supervise employees are tasked to ensure their safety. Ensuring good supervision, procedures are observed, and personal protective equipment (PPE) worn.

Supervisors and managers can hold workers accountable. Safety people do not have any such authority (or shouldn’t). Safety people only need be aware of legislative changes and assess the risk and applicability to the organization.

The compliance trap is insidious. It feels comfortable (in compliance). It feels safe, but it is far from it. It is the strategy of the under-informed, or those simply trying to avoid regulatory attention.

The occupation of safety has moved past hazards and compliance to the business of risk. Facilitating safety through a risk management process that engages workers may not be a certain thing, but it is far superior to hazard and compliance.

The '70s are long past, it’s the new millennium. Looking to the future and identifying risk is much more value added that looking at the workplace to identify an obvious hazard.

It also helps avoid the compliance trap. That is intelligent safety.