The question of ownership of compliance to organizational processes is seemingly simple, yet very complex and involved.
It is important to note here that this is a very pertinent question for any organization. It provides a clear reflection of the culture prevalent in the organization.
What happens on the ground in respect of compliance to organizational processes tells a lot about the way the organization operates and how effective and efficient its operating model is.
So coming back to the question - Who Should Own Compliance to Organizational Processes?
- Should it be the team or group (management committee) which is the executive sponsor of the organizational processes and chartered their usage in the first place?
- Should it be the team or group (process group) which is supposed to author and maintain the organizational processes (as part of a QMS or BMS or some equivalent)?
- Should it be the team or group (practitioners) which is supposed to be using that process to perform their activities?
- Should it be the team or group (compliance group) which is supposed to be internally auditing the practices actually followed by practitioners as against what was supposed to have been followed?
- Should it be the team or group (external auditors) which is supposed to be auditing the practices followed by the organization as against what is required by the applicable standard?
An important point at this juncture to think about is that ownership of compliance to organizational processes is indeed very pertinent but is a direct derivative of the actions of two groups primarily - management committee and external auditors.
On the first day, external auditors mock the organization as not deserving the certification, but on the last day they hand the certificate to the (grinning) head of the organization.
If external auditors were really so upright and ethical, they would not give the certificate to an organization they think doesn't deserve it. But they have no choice but to give the certificate to the organization.
In addition, the external auditor and the consultant assisting him would have visited the organization and should have supposedly helped the organization plug concerning gaps. And only when there are no concerning gaps would the external auditor perform the final audit.
Not giving a certificate on the last day and even mocking the organization on the first day is, in fact, the failure of the external auditor and the assisting consultant in doing their job!
The other aspect is related to the management committee. They would hire the external auditor keeping only one consideration in mind - the certificate will come no matter what, we have long-standing relations with the external auditor.
Will the management committee anytime show the courage to hire someone who has the reputation of denying a certificate? Never.
It is clear, on the face of it, that the above two - management committee and external auditors - do not own compliance to organizational processes. They own just the certificate part of it.
One hires the other only if the other would give the certificate.
What about the process group?
Process group would lay down the process and then have no concern with its implementation. The point here to think about is the pragmatism used by process group while defining processes.
If the defined processes are too cumbersome and difficult to follow then it will have a direct impact on the compliance to organizational processes.
So the process group has indirect ownership of compliance to organizational processes, limited to the extent that processes are usable and easy to use (tools may help too in this cause).
What about the compliance group?
Compliance group would just assess whether the defined processes were followed or not.
If, in an organization, people follow processes only because they don't want any adverse findings in the audit, it indicates that the culture is too "push driven".
This is like someone following the traffic rules only because there is a traffic cop standing ahead!
If a person doesn't want to follow the traffic rule and doesn't mind putting his and others' lives at risk, then there is hardly anything the compliance group can do other than flagging this as a finding.
Lack of compliance should not be seen as a failure of compliance group to find that gap. Audits, by definition, are based on sample. In addition, people should follow processes as a general practice.
Audit should focus on providing assurance that processes are indeed being followed and not at all on what is not happening.
So compliance group should not have any ownership of compliance to organizational processes. They are basically acting like a mirror and only reflecting what's going on.
And finally, what about the practitioners?
Good organizations believe in pull factor as far as ownership of compliance to organizational processes is concerned.
In other organizations, the driving force is push factor.
In such organizations things are done by pushing them down people's throats. And that happens because people are not enabled and empowered with adequate amount of resources, time, training, tools, etc.
Who works with the pull factors and push factors? The practitioners.
If they are enabled and empowered with adequate amount of resources, time, training, tools, etc., they will be willing to pull and, in fact, push may not be needed at all.
So practitioners should have direct ownership of compliance to organizational processes.
Right? Yes, but there is something more to it as well!
Practitioners should have the ownership only when they are enabled and empowered with adequate amount of resources, time, training, tools, etc.
And who ensures the above? It is the management committee. Is that not right?
They set the cultural fabric. They create the environment for the organization to move from mostly push factors getting used to mostly pull factors getting used.
The external auditor and the process and compliance groups act as catalysts.
They help the practitioners use the organization processes to provide products/services to the customers in line with the management committee's vision and overall direction.
So in that sense it is the practitioners and the management committee who should own compliance to organizational processes.
What happens though in reality is completely different.
The primary ownership for compliance is put on the head of the compliance group (how come they did not find this gap? why are same issues being reported again and again? why are the gaps coming back again and again?) and the process group (why are the processes not easy to follow? why are the processes not automated? why is compliance low because the process is not clear?).
Part of the above paragraph is true. However, it hides the uncomfortable truth conveniently. The one who charters the organizational processes (management committee) and the one who follows them (practitioners) are the direct beneficiaries and hence the ones who should own compliance to them.