We are currently focusing on compliance in our blog, but you focus more on quality management. To what extent are these areas linked?
Guido Lange, CEO at cip alpha: The term compliance means respecting legal, official, and normative provisions. It also means the fulfillment of ethical compliance standards and requirements, which are generally defined by the company itself. Product and service quality must be considered separately.
Does this mean that compliance is linked to several standards?
Guido Lange: Yes and no. Yes, because the standard solutions for compliance management do not go beyond what the basic standards of ISO 9001 and ISO 31000 (risk management) contain: efficiency enhancement, increase in efficiency, and risk minimization as the lever of strategic action.
No, because the advocates of independent compliance management want to raise it themselves into a kind of guiding principle in which the compliance processes are metaprocesses, which are intended to strengthen the existing business processes and help to control them in a risk-oriented manner.
But the question that I would like to put forth as a result of my ambiguous answer is: Is it a matter of using marketing hype with compliance standards or is it a matter of finding a simple solution for a complex issue of corporate management?
Why is corporate governance a complex issue?
Guido Lange: As explained before, each company has different regulations and standards to comply with. Specialists from different areas and with different ideas develop procedures and documents to ensure compliance. They come, for example, from quality management, organizational development, control, the legal department, product development, or production. Naturally, this "wild growth" can only be controlled by overarching guidelines. But this is inefficient and risky.
To tackle this problem, the idea of an integrated management system was born: this sums up everything on one level. The individual regulations and norms are not independent, but are parts of a company's intention.
The idea of the integrated management system is not new, it was born about 20 years ago. But at that time, tools that were powerful and user friendly were missing. Today we call it company management system (CMS).
But the set of regulations and norms has not been diminished. Why is an integrated management system a solution for the compliance issue?
Guido Lange: For two reasons: First of all, because today there are software tools, such as Signavio, that can be used to manage volumes of information easily. This gives each employee the exact amount of information that he needs for his work.
Secondly, because the prerequisite for the functioning of an integrated management system is that a company defines its corporate policy as the will of the top management. It is not the result of a basic democratic process. Compliance is an expression of wanting to behave in line with the company’s policies.
ISO 9001: 2015, which plays an important role in such an integrated management system, also includes information on the use of a compliance management system. Can you tell us what exactly that is?
Guido Lange: Unfortunately, ISO 9001 is often understood as a standard for product and service quality by executives. They don’t recognize the connection with company management.
But at the same time, the standard is dedicated to precisely this topic! The standard speaks of quality policy and quality objectives—it is about company quality. This is the key to compliance.
The standard requires the top management to define company policy. It is concerned with how the policy is to be implemented in a strategy and, ultimately, with an assessment of the strategic and operational action—compliance must be demonstrated. The ISO standard places great value on company-wide, continuous improvement.
The main idea is to see things not as static, but always in tension with the risks and opportunities associated with them.
Your customers come mainly from the automotive industry. This industrial sector is characterized by a norm-driven high quality standard for processes, projects, and products. To what extent is the topic “compliance“ positioned in this quality context?
Guido Lange: The difficulty of addressing technical progress, which currently includes digital transformation, industry 4.0, the Internet of Things, and so forth, does not lie in the fast-growing information load, as many people assume. The problem is the increasing complexity of interlinking data, methods, and tools.
Electromobility and autonomous driving won‘t be achieved just by complying with quality requirements for processes, projects, and products. It takes a holistic approach to qualify, organize, and inspire colleagues of all departments within a company. It takes a well-defined business strategy—from the top manager to the janitorial staff, in terms of: “We demand a lot from everybody—for everybody“.
Business quality is the result of a collaborative will and not a forced response to compliance standards and control. Those who understand this difference will have long-term success.
From your point of view, who is responsible for compliance in a company?
Guido Lange: It’s the top management. They are supposed to define corporate policy and exemplify it; the way they handle corporate policy simply shapes corporate culture. The top management demand and support from the inside and the outside, so that their policy is understood and wanted.
Has the way that companies handle compliance changed over the last few years?
Guido Lange: Yes, very much. In regards to politics and administration, there is a dramatic decrease in their willingness to adhere to ethical standards. This goes along with the societal development concerning the individualization of people; thereby, ethical consensus and an understanding of the law is reduced.
But it’s the opposite in the mechatronics industry and technical services: The complexity of the work leads them to close ranks, everybody has to pull together and go the same direction. It‘s exciting to see how the social development will lead to human resources that are capable of and willing to achieve compliance.
How are you helping enterprises to account for quality and therefore also compliance standards?
Guido Lange: We help enterprises understand that:
(1) compliance standards can’t be demanded or forced
(2) the top management is responsible for compliance
(3) The point of compliance isn‘t whether or not compliance standards are met, but how well they’re met. Variations are a way of recognizing opportunities and risks that can help lead a company to success.
And we are helping companies by providing support and empowering them to define and implement a transparent, economic, and effective system of corporate governance—and thereby succeed.
Thanks to Mr. Lange for this informative interview! If you'd like to learn more about how Signavio can help with regulatory compliance, check out these other resources:
Blueprint for Modern Compliance
Meeting the 8 Challenges of Financial Regulatory Compliance with BDM.