Under the ORC model (obligations, risk and compliance), Strytex has defined the following obligation hierarchy and prioritised them in this order.
|Legal||Statutory or Regulatory|
Legal obligations include all international, federal, state and local government statutory and regulatory obligations.
Sometimes, particularly with operational obligations, standards are included in the legal obligations; however, not all standards are legal obligations.
Non-compliance with legal obligations can result in fines, penalties and jail terms.
|Critical||Business Continuity or Business Critical|
The next level includes those obligations an organisation imposes on itself to ensure the continuity of its business or those events that would have a critical impact on the business and impair its ability to continue operating.
|Best||Best Practice Standards or Contractual|
This level includes all obligations driven by best practice: international, national or industry standards (most of which are not legal obligations) and contractual obligations.
Meeting ISO 9000 or maintaining public liability insurance is neither a legal requirement nor generally a business continuity requirement; it is, however, good business practice and may sometimes even be a contractual requirement.
As mentioned earlier, contractual obligations are between two parties and are different to the international, federal, state and local government obligations noted in level 1; however, they are operationally important.
Driven by changing societal pressures, organisations may also impose ethical obligations on themselves e.g., equal pay across the genders, ethical sourcing policies, gender and race board diversity etc.
In time, many of these ethical obligations become law, e.g. Modern Slavery Acts, anti-slavery, anti-bribery and corruption legislation etc.
|Discretionary||Discretionary and Asset Maintenance|
This level of obligation is mainly driven by economic or brand issues. Assets are maintained because it makes economic sense to maximise the ROI and operational life of the asset. Equipment is maintained to maximise operational efficiency and minimise downtime. Many of these obligations are manufacturers' recommendations.
Organisations often impose discretionary obligations to maintain the brand and staff and customer morale, e.g. clean the floor of the shop every day, wash the office windows once a month, repaint the outside of the building every 5 years, completely remodel retail stores every 3 years, replace laptops every 3 years.
These discretionary obligations often produce a positive return on investment (ROI).
|Legacy||Legacy or Red Tape|
The final level of obligations is legacy obligations. These are the obligations that fall into the "we’ve always done it this way" basket. The model exposes them, providing an opportunity to either eliminate them or update the relevant procedure.
Legacy compliance costs are red tape and can be one of the largest unnecessary costs in a business. The IIA White Paper Reducing and Better Managing Red Tape explores this topic in more detail.