Anytime a compliance violation occurs—or even a breakdown in compliance controls that doesn’t ultimately result in noncompliance—the remediation process takes center stage. And this is where questions of how and why are critical.
Whether noncompliance occurred or there was only a close call resulting from a breakdown in controls, remediation steps are determined by understanding how it happened. Did an existing compliance control break down, or is there a flaw in the design of our controls? If a control is well designed but broken down, a follow-up how needs to be addressed. Was it skipped entirely, improperly carried out, or what? Each of these leads to a different approach to remediation, which may point to a need for training, additional clarity in our procedures, or a variety of other outcomes.