Improving assessments of compliance failures

By Veronica Root Martinez, JD

Veronica Root Martinez (vrootmartinez@nd.edu) is Associate Professor of Law at Notre Dame Law School in Notre Dame, Indiana, USA.

Compliance in the 21st century is challenging. There are countless handbooks, textbooks, classes, programs, seminars, and magazines all dedicated to explaining and demystifying compliance. These materials valiantly attempt (some more successfully than others) to simplify the complicated legal and regulatory chaos we live in today. Yet despite their best efforts—and despite the best efforts of managers near and far—compliance failures still happen all too often. Some, quite spectacular in their gory details.

You certainly know them: the downfall of Enron, the General Motors ignition switch catastrophe, the Wells Fargo fake accounts debacle, the allegations of sexual harassment at 21st Century Fox—all very notorious compliance failures leading to public outcry and outrage and, in the case of some, a concomitant wave of regulatory change. Yet if history has taught us anything, it is that companies like Enron, General Motors, Wells Fargo, and 21st Century Fox are not alone. Compliance failure is both inevitable and ubiquitous in today’s complex administrative and regulatory environment. And while it is commonly accepted that effective compliance programs will never result in perfect compliance, we certainly can and must do better going forward.

The status quo

When confronted with a compliance failure, we often ask “Why did the failure occur?” But that question can result in imprecise and incomplete assessments about the true cause of the compliance failure. Take the case of General Motors, for instance. Reports of the faulty ignition switch first came to light in 2004. However, when General Motors first analyzed the potential problem, it classified the issue as one of customer convenience instead of a safety issue. And as a result, the company failed to take actions that would have prevented harm to its customers and other members of the public.

By focusing only upon the issue of misclassification, the full extent of the failure at General Motors can be difficult to discern. Upon first glance, the cause of the compliance failure at General Motors appears to be the failure of its engineers to detect the full scope of the defect, and admittedly, that is likely a primary cause of the ignition switch scandal. But when one drills deeper, one also finds that individuals at General Motors failed to properly and fully investigate the extent of the problems with the ignition switch. Indeed, in 2005 an investigation into the ignition switch was opened and closed in the span of a month. Moreover, a group of internal lawyers at General Motors, charged with using settlement data to generate settlement forecasts and, according to accounts from some employees, to detect trends indicating safety issues failed to do so, which impeded General Motors from properly responding and remediating the problems with the ignition switch.

When conducting a root cause analysis into why a compliance failure occurred, the challenge is to do so in a manner that allows the complexities of the situation to be revealed. To do so effectively, it may be time to reframe the inquiry from “Why did the compliance failure occur?” to something else.

The compliance process

Building off the work of others in the compliance field, I posit that the compliance function is a process made up of four distinct yet interrelated stages: prevention, detection, investigation, and remediation (see figure 1). If those charged with assessing compliance failures ceased asking the broad question, “Why did a compliance failure occur?” and instead asked, “At what stage(s) within the compliance process did the failure(s) occur?” a more precise root cause analysis might be revealed.

Although these categories appear simple, they can be powerful when used to systematically think through a compliance failure and ultimately help to reveal the root cause of the issue. The four stages are necessarily interconnected, and a complex compliance failure may include failings at every single stage. Yet thinking of the stages separately when analyzing a compliance failure aids in analytical clarity and helps managers and leaders alike reach the true root cause of a failure. Getting to the root cause of the failure is a critical and necessary step toward remediating the immediate problem as well as drafting a solution likely to prevent a similar failing in the future.

Figure 1: Four stages of the compliance process

1. Prevention

The prevention stage is all about having policies and systems in place to stop misconduct within an organization. It is the first line of defense, and thus must be rigorous enough to withstand multifaceted attacks. A prevention failure occurs when an organization is not fully cognizant of its responsibilities related to prevention, meaning it either does not know of its risks and obligations or does not take the appropriate steps to prevent the risks from occurring. Accordingly, some sort of misconduct eventually occurs.

The importance of prevention within compliance efforts is, of course, well known. Many legal and regulatory mechanisms require firms to engage in effective prevention efforts. But it is just the first of four stages those charged with overseeing the implementation and creation of effective compliance programs must take into account. The importance of prevention may get lost after a compliance failure occurs, as the company focuses on the compliance program more generally.

2. Detection

Detection involves a firm’s policies designed to discover errors, misconduct, aberrations, or risk within the organization. Detection is one of the most complicated stages because it must not only pick up on the acts of the firm’s agents that are outside of the internal policies put in place by the firm, but it must also find potential risks that can result in harm to outsiders or the firm itself. This is a complex and challenging task.

Corporate officers are responsible for detecting misconduct within their ranks, yet detection can be difficult for a number of different reasons. Sometimes the data is not readily available to allow leaders to look for patterns or abnormalities. Other times, the misconduct is misclassified as unimportant, when it should have been seen as a warning sign of a larger and more pervasive issue (e.g., the General Motors ignition switch). And occasionally the wrongdoing is hidden, so it is not detectible at all. Any or all of these reasons can have disastrous consequences and magnify what otherwise would have been a small compliance issue.

3. Investigation

The investigation stage includes an organization’s policies and procedures for discovering the existence and scope of any compliance failure. This includes gathering the relevant facts surrounding the potential failure so that informed steps to escalate or address the failure can occur.

Although the investigation stage is often particularly difficult to separate analytically from the detection phase (because investigation often begins as soon as a significant issue is detected), thinking of the stage independently is important. Investigation is the first step to determining the root cause of a compliance failure, or determining whether there is actually such a failure in the first place. Declining to properly investigate misconduct within an organization can create devastating consequences and add difficulties to an already complex compliance challenge.

4. Remediation

Finally, remediation, which involves an organization’s efforts to respond to and alleviate the discovered misconduct, is one of the most overlooked stages, namely because it cannot and does not occur absent a failure at one of the three preceding stages. Yet remediation is a critical step that continues to be emphasized by those in the regulatory and compliance fields. And indeed, without proper remediation, organizations can often get stuck in the same systemic cycle of compliance lapses. Consequently, evaluating the success or failure of a company’s remediation effort is of the utmost importance.

This document is only available to members. Please log in or become a member.
Become a Member Login


Would you like to read this entire article?

If you already subscribe to this publication, just log in. If not, let us send you an email with a link that will allow you to read the entire article for free. Just complete the following form.

* required field

First name field cannot be blank!
Last name field cannot be blank!
We will send you an email that will give you access to this entire article.
Email field cannot be blank!
Enter a valid email!
Company field cannot be blank!
Enter a valid company!
Title field cannot be blank!

We're committed to your privacy. The Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA) uses the information you provide us to contact you about our relevant content, products, and services. For more information, check out our Privacy Policy.


About SCCE

The Society of Corporate Compliance and Ethics (SCCE) is a non-profit, member-based professional association. SCCE supports our members' work with education, news, and discussion forums. We are a community of leaders, defining and shaping the corporate compliance environment across a wide range of industries and geographic regions. In developing and maintaining effective ethics and compliance programs, our members strengthen and protect their companies.

952.933.4977

About HCCA

The Health Care Compliance Association (HCCA), is a 501(c)6 non-profit, member-based professional association. HCCA was established in 1996 and is headquartered in Minneapolis, MN. We provide training, certification, and other resources to over 10,000 members. Our members include compliance officers and staff from a wide range of organizations, including hospitals, research facilities, clinics and technology service providers.

952.988.0141

Facebook Twitter LinkedIn
Copyright © 2024 by Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA). No claim to original US Government works. All rights reserved. All information provided through this site, including without limitation all information such as the “look and feel” of the site, data files, graphics, text, photographs, drawings, logos, images, sounds, music, video or audio files on this site, is owned and/or licensed by SCCE & HCCA or its suppliers and is subject to United States and international copyright, trademark and other intellectual property laws. Any third party logos and/or content provided herein is owned by such third parties and is used by permission herein. Your use of this site to is subject to our Terms Of Use and Privacy Statement.
Cookie settings