The missing link in Compliance and Governance

Over the years I’ve done a lot of work in the area of Regulatory Compliance and Information Quality. Whether it is Data Protection, Information Quality, Governance or Compliance, it is important to bear in mind that what we are dealing with a Quality Management System:

  • Data Protection Compliance is the Quality System where by the obligations and expectations which arise under Data Protection/Privacy laws are met consistently
  • Information Quality programmes involve, by definition, the implementation of a Quality Management System
  • Information/Data Governance… well, that’s another form of Quality Management System
  • Complying with other forms of industry or Governmental regulation… well, the best way to achieve those objectives is through some form of systemic approach to meeting or exceeding expectations.

In my experience Compliance and Governance initiatives and strategies tend to fall into three camps:

  1. Documentation Driven by “Rules Wizards”, with extensive policy and procedure documentation, usually from the comfort of an Ivory Tower in the Business that is comfortably removed from GEMBA
  2. Technology Triggered by “Techno-Lords”, usually from within the bowels of the organisation’s IT department, which is also often at a distance from the place where the work is actually getting done.
  3. Awareness and Attitude Oriented: Driven by a “Coalition of the Willing”, with a focus on policy that is actually executed through the appropriate use of supporting technologies and a strong focus on the “Human Factors” that lead to awareness and understanding of the required changes.

Often it is difficult to see which kind of initiative you are dealing with. In organisations that have a “Document Driven” approach, management take comfort in the fact that they have documented procedures and policies for everything therefore everything is in control. In “Technology Triggered” initiatives, the management of the organisation places a blind faith in the power of technology to protect, prevent, detect, and mitigate issues.

Both approaches are doomed to failure. Neither, no matter how sophisticated, can ever deliver anything other than “small ‘c’” compliance. Because Quality Systems are about more than just documentation or technology. Real quality requires a sustainable change in attitudes and awareness. After all, Deming’s 1st two points of Management Transformation are not “Write documents” or “Get good technology”: They is “Create a Constancy of Purpose” and “Adopt the New Philosophy”.

Purpose and Philosophy require that the organisation look at the attitudes that are there. It is as important to understand and articulate a Vision for the Quality System… and to make sure that that Vision is embedded in the mind-sets and attitudes of the staff in the organisation.

At a conference in London in 2005 Joyce Orsini of Fordham University shared a story with me of a trip W.Edwards Deming (she was working with Deming at the time) took to an automobile manufacturer in the US in the mid 1980s. On this trip the plant manager took great pride in showing off the robots (technology) that they were using to manufacture the cars. Deming noticed that every time the robot arm swung over the car it dented the boot (trunk) lid of the car. He asked if this was part of the Quality Standard (Policies). The Plant Manager said no, it wasn’t, but they had a man at the end of the production line with a hammer to knock the dent back out.

A lack of awareness about the operation and objectives of the Quality System and what it meant as a value system meant that no-one in the plant seems to have questioned the operation of the Quality System.

Without Awareness and Attitude the investment in Documentation and Technology that form part of the Quality System will ultimately have sub-optimal return.