Compliance dependency modelling

Compliance is all about understanding the flow of tasks – what needs to be done when, and in what order, to ensure that the business is doing what it must. It is not enough for an organisation to assume that its suppliers are covering this off – a court of law will require that the business has undertaken due diligence to monitor the operational quality of those it subcontracts to.

And the penalties for non-compliance can be high – financial, legal, reputational and ultimately the careers of those at the top.

These are, in my experience, the steps that you need to take to appropriately model your compliance systems. Whilst these apply to all aspects of compliance, I am going to use critical mechanical and electrical systems (M&E) as an example.

Step one – define the scope

Taking our M&E example, you decide what needs to be included in the models – for example insurance inspections. Once you have listed every element, then you group them and set out each activity’s requirements and the date of expiry of the certificate, so you know what activities and internal audits need to be scheduled in advance of the inspection, as well as the date by which the inspection must take place to remain compliant.

Step two – build the model

Build the models of requirements on a per system basis. You should be designing the models so that they can interlink, as a process in one system could have an impact on another, even if those elements are not in themselves a compliance requirement – for example emergency lighting.

Then you will populate the model with all the tasks and dates, as defined within the scoping stage.

Step three – manage and escalate tasks

The dependency model will send notifications to the managers about which tasks need to be done and when. This is something a spreadsheet simply can’t do without human intervention, which relies on memory.

It should also be able to escalate the notification if the task isn’t completed. In a perfect world, everything would be done right, first time, without the need for reminders. But in the real world, you need to know when a task moves from notification to urgent and then to critical, and so do managers at increasingly senior levels – a triple knock system.

Step four – remedial actions

An inspection visit may result in a certificate being awarded on the proviso that certain remedial actions are completed, normally within a set time frame. We often find that, without proper modelling, these remedial actions get forgotten, and of course once the deadline has passed, the business is no longer compliant.

The model should allow the manager to schedule the remedial actions, with the appropriate notifications, reminders and escalation process.

It should also allow the manager to upload all documents relating to that activity, including the inspection certificate and reports, so that all evidence is stored in one place associated with the activity.

Beyond compliance

The beauty of dependency modelling is that you can link up one set of models with others to manage interdependencies. So, taking my example of M&E, you can link models to manage critical systems, such as the UPS (uninterruptible power supply) maintenance. So while the UPS will not in itself be part of the compliance with the Electricity at Work Regulations, its maintenance will contribute towards making the electrical systems safe, and therefore compliant with the regulations.

Spreadsheet limitations

It is in steps three and four that spreadsheets come unstuck. They just can’t do these intelligently scheduled alerts, nor can they escalate without manual intervention – leaving you open to human error. They’re somewhat clunky at interlinking models as well!

I know I’m biased when I say Riskenomics handles all these things extremely well. After all, it was designed specifically as a dependency modelling tool!

We have colour coded each level and created dashboards so you can see the status across the business at a glance. You can upload all evidence after an inspection and audit remotely. And with our latest software release, you can now capture and manage any remedial actions to remain compliant, as well as adjust scheduled events from the anniversary of the last visit.

Whatever system you choose, please make it fit for purpose!