Greg Davies, head of service development for Assurity Consulting, expands on the points of his presentation for FMJ, breaking down the strategic, tactical and operational objectives of forming a successful compliance programme.
It is somewhat of a paradox that the failure of a ‘light touch’ approach to regulatory compliance in one sector (finance) is now leading to the same approach being adopted elsewhere (health & safety) as a mechanism for recovering from the initial failure.
As happened when the Operating and Financial Review (which covered non-financial risk reporting) was repealed in 2006, the response of many organisations has been to fill the void proactively anyway – enter the concept of GRC (governance, risk management and compliance).
The GRC hierarchy has a range of definitions, but effectively covers the strategic, tactical and operational activities an organisation undertakes in, for example, corporate governance, compliance with law/regulation and risk management.
What’s in a word?
Where governance covers the overall management approach for an organisation’s direction and control, and risk the process of identifying, analysing and responding to conditions that may affect the organisation, compliance is solely “a means of conforming with stated requirements”.
From an FM perspective this last definition appears to have more than one consequence, as recent straw polling I have undertaken has shown. When asked “what are the main compliance-based risks affecting you currently?”, typically 15 to 20 answers come back, ranging from statutory compliance issues such as:
- health & safety
to organisational compliance:
- business continuity
- service level agreements (SLAs)/key performance indicators (KPIs)
- ISO/BS standards
- industry regulators (Ofsted, ISI, FSA, etc.).
What adds to the interest here is that FMs in the corporate sector almost always highlight the statutory over the organisational, while for those in education, health, care and charities the opposite is true.
When then asked about the risks to the business/organisation associated with these compliance issues, there is, however, complete unanimity in the answers:
Perhaps, from a GRC perspective, combined compliance (statutory and organisational) is actually a key success metric, and one that FM is right in the middle of?
‘Ps’ in a pod
The people/place/process concept is well established in the industry and provides a good framework for considering the impact of combined compliance across the organisation.
In the diagram above, it is the central area of overlap that represents the highest risk and so the highest value activities. These are the areas that, if they go wrong (or you fail to comply) have the greatest negative effect.
The three ‘petals’ radiating out from the centre typically cover interdepartmental compliance activities (e.g. for people/place it may be FM and HR, or FM and IT for place/process). The larger remaining spaces represent the activities owned by a specific department.
So by considering the effect each compliance area has (statutory, organisational or combined), targeting the highest risk activities first and putting in place effective management controls, the process migrates into the ‘R’ of GRC, risk management.
This does mean that in managing these risks, a better understanding of who is controlling them, what is actually being carried out and to what quality becomes increasingly important. As recent Health and Safety Executive (HSE) and London Fire Brigade reports have highlighted, risk assessment and schemes of management are among the most common compliance failings. Not surprising really, when they can often be sub-contracts of a contract and procured on cost rather than quality. It is an unfortunate truth that FM (unlike HR or IT) is one department that can kill if it gets things wrong. Compliance should always be viewed as an investment rather than a cost.
The big ‘G’
The final process is to merge each of the managed activities into the organisation’s governance. The individual compliance issues will not be recognised as such here, but rather seen as part of the benefit or consequential loss that results from the success or failure to deliver them, for example:
- Strategic – competition (e.g. differentiation), reputation, change;
- Operational – customer satisfaction, loss of productivity;
- Financial – pricing, cost; and
- Hazard – liability, compliance.
The position of FM is critical to the success of this process, yet all too often it goes unrecognised or unnoticed. But why? The industry’s preoccupation with not being ‘strategic’ and not being directly represented on the board (again, unlike both IT and HR) has been much debated. But the strategy needs to be delivered, and surely that is as important in the long run. Who enables that? GRC offers a clear mechanism for further engagement across the organisation, and one that is ripe for FM to pick.
Compliance does become the basis of success, and as such the decisions we are making need to be more measured and less cost driven if we are not to fall into the trap the financial sector found itself in. FM is often the first port of call for reductions in addressable spend, and sometimes an addressable spend in itself. Perhaps FM should be positioning itself as the department of addressable investment?
Extract FMJ March 2013