Leigh Faugust (lafaugust@gmail.com) is Enforcement Counsel at a not-for-profit international regulatory authority in Washington DC.
Finding a problem, assessing the risk and cause of that problem, and addressing and preventing recurrence of that problem are key factors in establishing an effective compliance program. I have had a unique perspective on internal controls related to compliance at the end of the life cycle of non-compliance. Although I have personally reviewed thousands of instances of non-compliance, few of these have posed a serious risk. Companies with robust internal controls find problems early, address those problems, and prevent repeat issues, thereby — most importantly — reducing the risk those problems may pose.
Identifying non-compliance
“Sense and deal with problems in their smallest state, before they grow bigger and become fatal.”
― Pearl Zhu
When considering an internal compliance program, the first question I ask is always, “How did the company discover there was an issue?” If an entity’s internal compliance program cannot find a problem, then how good of a program is it? Compliance programs must put an emphasis on finding issues and encourage company employees to report non-compliance quickly and accurately. If a culture does not encourage identifying issues, or inadvertently incentivizes hiding non-compliance to protect financial gain or for other reasons, there can be only bad results.
A company that truly wants to create a culture of compliance will encourage its employees to proactively identify potential issues. A program could include a variety of methods of detection. These may include regular internal reviews, hiring external compliance professionals, or performing spot checks of records and procedural documents to identify areas of concern. Many companies perform internal reviews when they know a regulator audit is approaching, but the companies that review on a regular basis, regardless of audit schedule, receive the greatest benefit — both in improving culture and, potentially, from reduction or elimination of regulator sanctions.
When a company identifies a problem, a robust compliance program must determine the full scope of that problem. If investigating and determining the extent of the condition would prevent the entity from notifying its regulator in a timely manner, then the entity could perform this step later as part of mitigation. Whether the company determines the extent of condition at the time of discovery or through mitigation, reviewing the following helps ensure a full picture:
- Other facilities across the corporate structure;
- Procedures, assets, facilities, or personnel that could be affected as part of the non-compliance;
- Whether other regulations were violated based on the facts of the identified issue;
- Prior compliance history; and
- Additional instances discovered during mitigation.