Approximately two years ago, while attending SCCE’s Compliance & Ethics Institute in Las Vegas, I had a brief yet impactful conversation with the CEO of SCCE & HCCA, Gerry Zack. I asked him one question: “When you have the opportunity to have an elevator-style conversation with executives and board members about the goal of compliance programs, what do you say?”
I anticipated he would say something about the importance of implementing the ever-present “seven elements,” but his answer surprised me. He said something to the effect of, “Oh, that’s easy. I tell them the same thing that Roy Snell did: Effective compliance programs are in place to prevent compliance issues from happening, to find them when they do, and to fix them once they are found. Prevent. Find. Fix.”
Gerry’s unexpected response gave me a great deal to think about, and I pondered his answer for the next several weeks. My primary train of thought went something like this, “I like the concepts of prevent, find, and fix. But if the purpose of effective compliance programs is to prevent, find, and fix, how do we prevent, how do we find, and how do we fix?”
What I concluded surprised me—again.
Another look at the “seven elements”
Before moving on, let’s briefly review the seven elements. Several years ago, the U.S. Department of Health & Human Services (HHS) published its “Health Care Compliance Program Tips,” which outlined their interpretation of the seven elements of an effective compliance program.[1] The U.S. Department of Justice (DOJ) has since published guidance that evaluates 12 elements, with many in common with the original seven.[2] And an evaluation of the U.S. Sentencing Guidelines on Effective Compliance and Ethics Programs yields a total of 17 “shalls” that have been distilled down to seven by several entities.[3] Over the past few years, many organizations have adapted the above and other best-practice guidance to develop their own models, which include anywhere from seven to 11 or more elements.
For this discussion, I will use the following nine elements, aligned with the U.S. Sentencing Guidelines on Effective Compliance and Ethics Programs (see Table 1).[4]
Element |
FSG Citation |
---|---|
Identify Requirements/Assess Risk |
§8B2.1.c |
Establish a Compliance Organization |
§8B2.1.b.2.A-C |
Establish Policies and Procedures |
§8B2.1.b.1 |
Communicate/Train |
§8B2.1.b.4.A&B |
Implement/Promote |
§8B2.1.a |
Monitor/Audit/Report |
§8B2.1.b.2.C & b.5.A-B |
Investigate and Enforce |
§8B2.1.b.6 |
Change/Improve |
§8B2.1.b.7 |
Leadership/Corporate Culture |
§8B2.1.a.1&2 |
Look closely at these nine items. Can you see elements for which the primary purpose supports prevent?[5] Find? Fix?
In my pondering, eventually, this is what I saw (see Table 2).
Prevent |
---|
|
Find |
|
Fix |
|
This does not mean there is no prevent, find, and fix overlap with some elements. For example, there will be an organization in place to assist in finding and fixing. Also, communication and training are often tools used to fix. But, overall, the primary purpose of each element can be viewed as outlined above, with a focus on prevention.
Viewing compliance through the lens of prevent, find, and fix was a huge “aha” moment for me because this paradigm does not replace the elements of a compliance program; it makes them even more relevant than ever. We achieve these goals by proactively designing and implementing the elements of an effective compliance and ethics program!
Prevent, find, and fix is everywhere
In fact, the concepts of prevent, find, and fix are woven into many—if not most—regulations. For instance, in the previously mentioned DOJ guidance, prevent is mentioned 13 times, monitor (find) 14 times, audit (find) 25 times, and an entire section is devoted to “continuous improvement” (fixing). The concepts of prevent, find, and fix are embedded everywhere: the U.S. Sentencing Guidelines, HHS Office of Inspector General guidance, Federal Energy Regulatory Commission statements, the Health Insurance Portability and Accountability Act, etc. Therefore, what I learned from Gerry is the value of teasing prevent, find, and fix out of whatever regulation is relevant and elevating these concepts to a master strategy that governs the design of our compliance programs. The elements of a compliance program then become a next-level strategy for achieving prevent, find, and fix.
The value of the prevent, find, fix paradigm
There are many benefits to adopting a prevent, find, and fix master strategy in our compliance programs. The greatest value of using this paradigm to design and implement compliance programs—organization-wide and subject-specific—is simplicity. This simplicity makes compliance programs an easier sell to executives and board members. The following are a few examples:
Prevent:
-
Why do we need a compliance officer?
-
Because this person will be responsible for overseeing the design and implementation of policies, procedures, training, etc., that will help prevent compliance issues from occurring.
-
-
Why do we need compliance subject-matter experts?
-
Because these people have the expertise to know exactly what we need to do to comply with various regulations, this will prevent compliance issues from occurring in these areas.
-
-
Why do we need so many new policies?
-
Because adequate policies are a must to ensure we prevent compliance issues from occurring.
-
-
Why do we need adequate communication and training platforms?
-
Because communication and training are critical components of a prevention program, they convey knowledge and expectations.
-
Find and fix:
-
Why do we need to have a helpline?
-
Because this tool is key to finding when employees and leaders are not complying with regulations, policies, and procedures, which leads to internal investigations and enforcement.
-
-
Why do we need to partner with internal or external auditors?
-
Because auditors will help our organization find compliance issues and fix any existing gaps.
-
-
Why do we need continuous improvement in compliance?
-
Continuous improvement programs help fix programs and processes that are not working effectively, which will help prevent issues from occurring again.
-
None of these prevent, find, and fix processes and programs are possible without the final element (refer to Table 1): senior leadership support, including adequate resources and an organizational culture that values compliance. A simple prevent, find, and fix paradigm can help pave the way to getting the support and resources needed to succeed. This paradigm also gives senior leadership three simple questions: How are we preventing? How are we finding? How are we fixing? The answers to these questions should then be supported with appropriate indicators and metrics.
Also, a prevent, find, and fix approach can be used as a framework for collaboratively creating an internal strategy that aligns with the U.S. Sentencing Guidelines, DOJ, and other guidance (like the nine elements discussed in Tables 1 and 2). This internal strategy would be a scalable operating model that puts all subject-specific compliance programs on the same page. This model could also help identify where some services can be shared, or existing programs can be leveraged, such as legal services, policy management, training management, auditing, and monitoring.
Conclusion
Several years ago, I took an internal training course licensed by one of the top consulting firms in the United States. One of my lasting takeaways from this course was the concept of “simplicity on the far side of complexity.” This idea came from a quote attributed to influential U.S. Supreme Court Justice Oliver Wendell Holmes Sr., “For the simplicity on this side of complexity, I wouldn’t give you a fig. But for the simplicity on the other side of complexity, for that I would give you anything I have.”
As experienced compliance professionals well know, compliance is full of complexity—thousands of pages of complexity. I will be forever grateful to Gerry Zack (and Roy Snell) for helping me understand and embrace the simplicity of a “prevent, find, and fix” paradigm and the value of applying this approach to all that complexity. The result? The design and implementation of robust, scalable, effective, and efficient compliance programs.
Takeaways
-
The fundamental goals of effective compliance programs are “prevent, find, and fix.”
-
All the traditional elements of an effective compliance program can be categorized under and used to support prevent, find, and fix.
-
The concepts of prevent, find, and fix are woven into most regulations. There is a great benefit to teasing those concepts and making them a master strategy for managing compliance programs.
-
The greatest value of using a prevent, find, and fix master strategy is this approach’s simplicity—making compliance an easier sell to senior leadership and boards.
-
The prevent, find, and fix strategy provides a simple framework that can significantly help us manage the vast complexity that is compliance.