Explore the how and the why

Health Care Compliance Association (HCCA)

Compliance Today (June 2024)

Anytime a compliance violation occurs—or even a breakdown in compliance controls that doesn’t ultimately result in noncompliance—the remediation process takes center stage. And this is where questions of how and why are critical.

Whether noncompliance occurred or there was only a close call resulting from a breakdown in controls, remediation steps are determined by understanding how it happened. Did an existing compliance control break down, or is there a flaw in the design of our controls? If a control is well designed but broke down, a follow-up how needs to be addressed. Was it skipped entirely, improperly carried out, or did it fail in some other way? Each of these leads to a different approach to remediation, which may point to a need for training, additional clarity in our procedures, or a variety of other outcomes.

On the other hand, we may find that everyone did their jobs in accordance with our expectations, but we still had a noncompliance event. This means we need to change the design of the compliance-related controls, focusing first on preventive measures and secondarily on timely detective controls. Changes in the design of controls are normally a bit more disruptive than training or reminding people of their expectations, and due to the implications for operations, they often involve more people.

Remediation sometimes focuses largely on the how and not enough on the why. Why did people behave the way they did, resulting in our compliance event or control breakdown? The why is obvious in the case of failures caused by flaws in the design of internal controls—one or more controls were missing from our process. But, when existing controls should have prevented or detected something but failed to do so, the why can be more complex.

Failures of this nature are either intentional or unintentional. A wide variety of answers explain why someone would intentionally skip or override a compliance control. At its worst, someone has malicious intent, resulting from, once again, a variety of causes ranging from anger at our organization to a personal benefit they may receive from noncompliance. Nonmalicious reasons often involve perceiving that a particular step isn’t necessary or is inefficient. They can also stem from an overworked employee simply deciding that, to meet production or other goals, some of these compliance steps need to be skipped.

Unintentional failures bring us back to where this column started in the how question. This normally points toward training needs or a need to improve clarity in our procedures.

Whenever we have, or almost have, a noncompliance event, be sure to follow up by asking how and why.
