In September of 2001, shortly after the 9/11 attacks, the U.S. Federal Emergency Management Agency (FEMA) met to discuss its response. In particular, leaders wanted to know how 403 emergency responders lost their lives.
What emerged was a term that would revolutionize the agency and affect first responders the world over, and there is much compliance teams can learn from its application: Span of control.
How Much Control Can One Compliance Team Handle?
Today’s compliance teams are facing a challenge not unlike a massive, slowly unfolding emergency. The ISO standards for technology and manufacturing now span 23,320 international standards reviewed by no fewer than 792 committees and subcommittees. A reported 120 countries have their own data privacy regulations, and the largest, GDPR, contains 99 articles. This creates an ever-growing and continuously changing tangle of regulatory obligations. Compounding the issue, compliance teams are chronically understaffed.
According to one compliance manager who preferred to remain anonymous, “It’s just me right now, my hair is on fire, and if I need to know who was trained and who wasn’t, I’d need to look at a spreadsheet.”
Their span of control is far, far too great, much like it was for the disaster managers in New York on September 11. A major reason so many responders were lost is that a small number of people were controlling far too many. After the disaster, FEMA revised its guidelines to define a manageable span of control, or the number of people any one person should manage, as three to seven. Any fewer than three and you get inefficient operations. Any more, and you unnecessarily increase the risk.
It’s a similar story for modern compliance. Assigned few areas of control, compliance teams grow lax. But if assigned too many areas of control? Compliance teams quickly degrade until they are unable to manage anything at all.
As we explore in today’s infographic, How Compliance Officers See the World in 2020, regulations and governance responsibilities are growing unmanageable. How will compliance teams respond?