System and Information Security Assurance

Framework for Compliance

Toward a Culture of Compliance

Building a Compliance Management Framework


Compliance Management Framework

Executive Management and Governance

Mission and Strategic Plans

Step 1: Define Mission and Desired Outcomes

1. Involve Stakeholders

2. Assess Environment

3. Align Activities, Core Processes, and Resources

Step 2: Measure Performance

4. Produce Measures at Each Organizational Level

5. Collect Sufficiently Complete, Accurate, and Consistent Data

Step 3: Use Performance Information

6. Identify Performance Gaps

7. Report Information

8. Use Performance Information to Support Mission

Step 4: Repeat and Reinforce Compliance Management Implementation

9. Devolve Decision-making with Accountability

10. Create Incentives

11. Build Expertise

12. Integrate Management Reforms

Conclusion


Compliance Management Framework

A compliance management framework is an essential element of a culture of compliance.  As with every element of an organization’s culture, a culture of compliance begins with the “Tone at the Top,” or the emphasis placed at the highest levels of the organization.  The culture of compliance must be pervasive throughout planning, execution, measurement, and the feedback of results into planning.

Executive Management and Governance

Mission and Strategic Plans

Strategic plans are the starting point for each organization’s performance measurement efforts.

Each plan must include:

·         A comprehensive mission statement based on the organization’s goals and objectives

·         Statutory requirements

·         Desired results related to strategic goals, and

·         A description of how the organization intends to achieve its goals.

The mission statement brings the organization into focus.  It explains why the organization exists, tells what it does, and describes how it does it.  The strategic goals that follow are an outgrowth of this clearly stated mission.  The strategic goals explain the purposes of the organization’s programs and the results they are intended to achieve.

Step 1: Define Mission and Desired Outcomes

Leading results-oriented organizations consistently strive to ensure their day-to-day activities support their organizational missions and move them closer to accomplishing their strategic goals.  In practice, these organizations see the strategic plan (that is, a particular document issued on a particular day) as one of the least important parts of the planning process.  This is because they believe strategic planning is not a static or occasional event; it is a dynamic and inclusive process.  Done well, strategic planning is continuous and provides the basis for everything the organization does each day.

For strategic planning to have this sort of impact, three practices are critical.  Organizations must:

1. Involve their stakeholders

2. Assess their internal and external environments, and

3. Align their activities, core processes, and resources to support mission-related outcomes.


·         What is our mission?

·         How well is the mission defined and understood throughout the organization?

·         What are our goals and how will we achieve them?

·         How well are goals communicated to those responsible for achieving them?


1. Involve Stakeholders

Stakeholders include owners, governance bodies, executives and employees, business partners, customers, and anyone potentially impacted by the organization’s processes and/or products.  Obtaining agreement among possibly competing stakeholders may be difficult, particularly in an environment where available resources may be subject to competition, declining, or in need of conservation.

Involving stakeholders in strategic planning can help create an understanding among the stakeholders of the competing demands that confront the organization, the limited resources available to it, and how those demands and resources require careful and continuous balancing.  Involving customers in strategic planning not only provides valuable input from individuals directly impacted by the organization’s products and services, but also offers a positive opportunity to show that the organization is concerned about the needs, wishes, and protection of its customers.

2. Assess Environment

External forces impacting an organization’s strategies can include emerging economic, social, and technological trends, and new statutory, regulatory, and judicial requirements.  Internal forces include the organization’s culture, management practices, and business processes.

Effective managers understand that many forces, both inside and outside their organizations, can influence their ability to achieve their goals.  But even managers who try to stay alert to these forces often gather information anecdotally or informally.  In contrast, successful organizations monitor their internal and external environments continuously and systematically, thus providing the ability to anticipate future challenges and to make adjustments so potential problems do not become crises.[1]  By building environmental assessment into the strategic planning process, they stay focused on their long-term goals even as they make changes in the ways they intend to achieve them.

3. Align Activities, Core Processes, and Resources

Sound planning is not enough to ensure success.  An organization’s activities, core processes, and resources must be aligned to support its mission and achieve its goals.  Effective organizations assess the extent to which their programs and activities contribute to accomplishing their mission and desired outcomes.  Such results-oriented organizations often find it necessary to alter activities and programs to more efficiently produce products and services that meet customers’ needs and satisfy stakeholder interests.

Leading organizations strive to ensure their core processes efficiently support mission-related outcomes.  They rely on a well-defined mission to form the foundation for the key business systems and processes they use to ensure the successful outcome of their operations.  For example, many successful public and private organizations integrate their human resource management activities into their organizational missions, rather than treating them as an isolated support function.  This sort of integrated approach may include tying individual performance management, career development programs, and pay and promotion standards to organizational mission, vision, and culture.

Successful organizations also align information management with their activities and processes as they pursue strategic information management – that is, comprehensive management of information and technology to maximize improvements in mission performance.  Strategic information management leads to systems that provide the data needed to consider ways to realign processes, reduce costs, improve effectiveness, and ensure consistent results.

Step 2: Measure Performance

Measuring performance allows an organization to track progress toward its goals, and gives managers crucial information on which to base organizational and management decisions.  Leading organizations recognize that performance measures also create powerful incentives to influence organizational and individual behavior.

Annual performance plans use performance measurement to reinforce the connection between the long-term strategic goals outlined in strategic plans and the day-to-day activities of managers and staff.  Annual performance plans include goals for activities as identified in the budget, a summary of the necessary resources to conduct these activities, the performance indicators used to measure performance, and a description of how the performance information will be verified.

Organizations new to performance measurement may find that developing performance measures is a difficult and time-consuming task.  Becoming a results-oriented organization may require significant time and resources committed to developing a sound and applicable set of performance measures.  The results are worth the effort; more importantly, it is the only way to build a sustainable culture of compliance.


How can / do we measure our performance?

·         Produce measures at each organizational level that:

    o   Demonstrate results

    o   Are limited to the vital few

    o   Respond to multiple priorities

    o   Link to responsible programs

·         How can / do we manage data collection?


4. Produce Measures at Each Organizational Level

Effective measurement items (metrics) must be:

·         Tied to specific goals and demonstrate the degree to which desired results are achieved

·         Limited to the vital few considered essential for producing data for decision-making

·         Responsive to multiple priorities, and

·         Linked to the specific responsibilities established to ensure accountability for results.

But in establishing appropriate metrics it is also essential to balance "ideal" performance measurement systems against real-world considerations, such as the cost and effort involved in gathering and analyzing data, and ensuring the data collected are sufficiently complete, accurate, and consistent to be useful in decision-making.

a.       Demonstrate Results:

Performance measures should tell each organizational entity and level how well it is achieving its goals.  Yet, simple as this principle may appear, it poses an especially difficult challenge for some managers for whom the link between efforts and desired outcomes is often difficult to establish or may not be apparent.  Examples include research programs and programs that are delivered jointly with or through third parties.

b.      Limited to the Vital Few:

The number of measures for each goal should be limited to the vital few needed to cover the key performance dimensions that enable an organization to assess accomplishments, make decisions, realign processes, and assign accountability.  Organizations that seek to manage an excessive number of performance measures risk creating a confusing excess of data that will obscure rather than clarify performance issues.

c.       Respond to Multiple Priorities:

Organizations often face a variety of interests whose competing demands force policymakers and managers to balance quality, cost, customer satisfaction, stakeholder concerns, and other factors.  Performance measurement systems must take these competing interests into account and create incentives for managers to strike the difficult balance among competing demands.  Performance measurement efforts that overemphasize one or two priorities at the expense of the others may skew the organization’s performance and keep its managers from seeing the whole picture.

d.      Link to Responsible Entities:

Performance measures should be linked directly to the entities responsible for results.  A clear connection between performance measures and results helps to reinforce accountability and ensure managers keep in mind the outcomes their organization strives to achieve.  This connection helps to lay the groundwork for accountability as measures advance through the organization.  A connection between performance measures and activities also provides a basis for determining the appropriate degree of operational authority for various organizational levels.  Managers must have the authority and flexibility for achieving the results for which they are to be held accountable.

5. Collect Sufficiently Complete, Accurate, and Consistent Data

Adequate and reliable performance data are indispensable to decision making, but collecting the data can be costly and difficult.  As organizations become results-oriented, many make significant investments in information management systems.  But organizations can manage costs by building performance data collection into the processes that govern daily operations rather than creating entirely new and separate data collection systems.

Step 3: Use Performance Information

The third key step in building successful results-oriented organizations is to put performance data to work.  Managers should use performance information to continuously improve organizational processes, identify performance gaps, and set improvement goals.


·         How do / will we use performance measurement information to make improvements?

    o   Identify Performance Gaps

    o   Report Information in a Useful Manner

    o   Use Performance Information to Support Mission


6. Identify Performance Gaps

Performance data add value as they identify gaps between an organization’s actual performance level and its performance goals.  As performance gaps are identified, managers can determine where to target resources to improve overall accomplishment, set realistic improvement goals, and select appropriate process improvement techniques.  When managers need to reduce resources, the same analysis can help target reductions so as to minimize any threat to the organization’s mission.  Benchmarking can also help by comparing the organization’s performance to that of its peers.

7. Report Information

The complete picture of cost and performance information must be presented in a way that is useful to the audiences who rely on it to assess and manage processes and programs.  Viewing performance in light of costs (for instance, by establishing the unit cost per output or outcome achieved) can help management make informed decisions.  Performance reports are likely to be more useful if they:

·         Describe the relationship between annual performance and strategic goals and mission,

·         Include cost information,

·         Provide baseline and trend data,

·         Explain the uses of performance information,

·         Incorporate other relevant information, and

·         Present performance information in a user-friendly manner.

8. Use Performance Information to Support Mission

Two simultaneous demands are driving the trend toward results-oriented management: to demonstrate improved performance while cutting costs.  As they focus on the intended outcomes, managers are finding traditional ways they measured success, and thus the traditional ways they did business and provided services, are no longer appropriate or practical.  For example, the focus on outcomes prompts some organizations to alter their approach, including working more closely with customers and business partners.  As organizations create information systems to provide cost and performance data, they discover that having the facts gives them a basis for focusing their efforts and improving performance.

Step 4: Repeat and Reinforce Compliance Management Implementation

A culture of compliance requires a strong commitment from the organization’s senior leadership.  Only they can ensure strategic planning and performance measurement efforts will become the basis for day-to-day operations.  Some steps they can take to reinforce results-oriented management include:

·         Devolve decision-making authority within a framework of mission-oriented processes in exchange for accountability for results,

·         Create incentives to encourage a focus on outcomes,

·         Build expertise in the necessary skills, and

·         Integrate management reforms.


·         How well do day-to-day operations reflect the objectives of a culture of compliance?


9. Devolve Decision-making with Accountability

Best-of-breed organizations establish mission-related processes and systems within which to operate, but they give their managers authority to pursue organizational goals while using those processes and systems.  Such organizations invest the time and effort to understand their processes and how those processes contribute to or hamper mission accomplishment.  They then ensure their processes provide managers at each organizational level the authority and flexibility they need to contribute to the organization’s mission.  Allowing managers to bring their judgment to bear in meeting their responsibilities, rather than having them merely comply with overly rigid rules and standards, can help them make the most of their talents and lead to more effective and efficient operations.

Two management reforms aimed at enhancing accountability among line managers are: (1) simplifying the rules for such things as budgeting and human resource management while (2) devolving decision-making authority.  Such reforms are undertaken in exchange for managers assuming greater accountability for the results of their programs.  Managers generally welcome their new authority to make spending, personnel, and operational decisions formerly made by central authorities.  But organizations implementing such changes continue to struggle with important issues, such as the acceptable level of risk, the extent to which decision-making authority should be devolved to a given organizational level, and the appropriate level of measurement, reporting, and monitoring to be associated with new and changing roles.

10. Create Incentives

Successful organizations define their missions clearly and communicate them to their employees – particularly to their managers – so each one understands her / his contribution.  At both the organizational and managerial levels, accountability requires results-oriented goals and appropriate performance measures through which to gauge progress.

The best incentive to foster results-oriented management is to use performance measurement data in policy, program, and resource allocation decisions and to provide managers the authority and flexibility to achieve results.  Senior leadership can encourage a greater accountability for results by providing managers at each level in the organization with the appropriate authority and flexibility to obtain those results.  Through meetings and personal contacts, for example, leaders can let managers and staff know of their commitment to achieving the organization’s goals and to keeping these goals in mind as they pursue their day-to-day activities.

11. Build Expertise

To make the most of results-oriented management, staff at all levels must be skilled in strategic planning, performance measurement, and the use of performance information in decision-making.  Training is an important tool for changing to a culture of compliance.  Results-oriented managers view training as an investment rather than an expense.  And as human resource management experts have pointed out, organizational learning must be continuous in order to meet changing customer needs, keep skills up to date, and develop new personal and organizational competencies.

When overall budgets are under pressure, training budgets are unlikely to increase.  Therefore, it is important to develop innovative and less costly ways to train staff, remembering that the return on investing in the skills needed for results-oriented management will depend largely on how well employees are encouraged to put those skills to use.

12. Integrate Management Reforms

Management reforms may spring from various sources.  They may be self-initiated, result from shifts in the organization’s goals, be mandated by legislation, or respond to other external pressures.  Such reform activity must be effectively coordinated:

Planning, budgeting, program evaluation, and financial accountability processes should be integrated with requirements to ensure consistency and reduce duplication of effort.  Other management improvement efforts should be incorporated into the compliance framework to capitalize on the synergy and availability of key information and to improve responsiveness to customers and other stakeholders.

Another important management reform initiative area is information technology management.  Each organizational unit must ensure performance measures are prescribed for the information technology it will use or acquire, and that the performance measures will assess how well the information technology supports the organization’s objectives.  In addition, the managers responsible for using information systems must define the cost, performance, and schedule goals for new or changing systems.

But a culture of compliance requires a more coordinated approach to gathering and managing compliance-related information than is possible in a distributed environment of isolated compliance management systems and processes.  It requires first the vision on the part of senior leadership to see the commonality in process and information management, and then the initiative to combine the common elements of compliance into an integrated data gathering, information management, analysis, reporting, and results feedback cycle of continuous improvement.  The management information system for coordinating the myriad compliance efforts is not to be taken lightly or constructed from bits and pieces of existing systems and processes.  Such a system requires the same type of thought and expertise as the process of shaping the organization into a culture of compliance.


Taken together, these reforms can help redirect an organization’s culture from the traditional focus on inputs and activities to a new focus on defining missions and achieving results.  Throughout, commitment from top leadership is required to meld these various reforms into a coherent, unified effort.  Top leadership must make clear its commitment to the fundamental principles of results-oriented management and the culture shift that must accompany it, and ensure that managers and staff at all levels recognize that they must do the same.  Traditionally, the danger to any management reform is that it can become a hollow, paper-driven exercise.  Leaders who integrate results-oriented management into the culture and day-to-day activities of their organizations will avoid that danger.

For a copy of this document and more information on compliance management contact Charles Le Grand -  For more information on a Culture of Compliance, see

[1]  "From Strategic Planning to Strategic Thinking" discusses "The Fall and Rise of Strategic Planning" (Henry Mintzberg, New York: Free Press and Prentice Hall International, 1994) and environmental monitoring as a critical aspect of strategic thinking.  See:
