Veronica Root Martinez (email@example.com) is Associate Professor of Law at Notre Dame Law School in Notre Dame, Indiana, USA.
Compliance in the 21st century is challenging. There are countless handbooks, textbooks, classes, programs, seminars, and magazines all dedicated to explaining and demystifying compliance. These materials valiantly attempt (some more successfully than others) to simplify the complicated legal and regulatory chaos we live in today. Yet despite their best efforts—and despite the best efforts of managers near and far—compliance failures still happen all too often. Some, quite spectacular in their gory details.
You certainly know them: the downfall of Enron, the General Motors ignition switch catastrophe, the Wells Fargo fake accounts debacle, the allegations of sexual harassment at 21st Century Fox—all very notorious compliance failures leading to public outcry and outrage and, in the case of some, a concomitant wave of regulatory change. Yet if history has taught us anything, it is that companies like Enron, General Motors, Wells Fargo, and 21st Century Fox are not alone. Compliance failure is both inevitable and ubiquitous in today’s complex administrative and regulatory environment. And while it is commonly accepted that effective compliance programs will never result in perfect compliance, we certainly can and must do better going forward.
The status quo
When confronted with a compliance failure, we often ask “Why did the failure occur?” But that question can result in imprecise and incomplete assessments about the true cause of the compliance failure. Take the case of General Motors, for instance. Reports of the faulty ignition switch first came to light in 2004. However, when General Motors first analyzed the potential problem, it classified the issue as one of customer convenience instead of a safety issue. And as a result, the company failed to take actions that would have prevented harm to its customers and other members of the public.
By focusing only upon the issue of misclassification, the full extent of the failure at General Motors can be difficult to discern. Upon first glance, the cause of the compliance failure at General Motors appears to be the failure of its engineers to detect the full scope of the defect, and admittedly, that is likely a primary cause of the ignition switch scandal. But when one drills deeper, one also finds that individuals at General Motors failed to properly and fully investigate the extent of the problems with the ignition switch. Indeed, in 2005 an investigation into the ignition switch was opened and closed in the span of a month. Moreover, a group of internal lawyers at General Motors, charged with using settlement data to generate settlement forecasts and, according to accounts from some employees, to detect trends indicating safety issues failed to do so, which impeded General Motors from properly responding and remediating the problems with the ignition switch.
When conducting a root cause analysis into why a compliance failure occurred, the challenge is to do so in a manner that allows the complexities of the situation to be revealed. To do so effectively, it may be time to reframe the inquiry from “Why did the compliance failure occur?” to something else.
The compliance process
Building off the work of others in the compliance field, I posit that the compliance function is a process made up of four distinct yet interrelated stages: prevention, detection, investigation, and remediation (see figure 1). If those charged with assessing compliance failures ceased asking the broad question, “Why did a compliance failure occur?” and instead asked, “At what stage(s) within the compliance process did the failure(s) occur?” a more precise root cause analysis might be revealed.
Although these categories appear simple, they can be powerful when used to systematically think through a compliance failure and ultimately help to reveal the root cause of the issue. The four stages are necessarily interconnected, and a complex compliance failure may include failings at every single stage. Yet thinking of the stages separately when analyzing a compliance failure aids in analytical clarity and helps managers and leaders alike reach the true root cause of a failure. Getting to the root cause of the failure is a critical and necessary step toward remediating the immediate problem as well as drafting a solution likely to prevent a similar failing in the future.
The prevention stage is all about having policies and systems in place to stop misconduct within an organization. It is the first line of defense, and thus must be rigorous enough to withstand multifaceted attacks. A prevention failure occurs when an organization is not fully cognizant of its responsibilities related to prevention, meaning it either does not know of its risks and obligations or does not take the appropriate steps to prevent the risks from occurring. Accordingly, some sort of misconduct eventually occurs.
The importance of prevention within compliance efforts is, of course, well known. Many legal and regulatory mechanisms require firms to engage in effective prevention efforts. But it is just the first of four stages those charged with overseeing the implementation and creation of effective compliance programs must take into account. The importance of prevention may get lost after a compliance failure occurs, as the company focuses on the compliance program more generally.
Detection involves a firm’s policies designed to discover errors, misconduct, aberrations, or risk within the organization. Detection is one of the most complicated stages because it must not only pick up on the acts of the firm’s agents that are outside of the internal policies put in place by the firm, but it must also find potential risks that can result in harm to outsiders or the firm itself. This is a complex and challenging task.
Corporate officers are responsible for detecting misconduct within their ranks, yet detection can be difficult for a number of different reasons. Sometimes the data is not readily available to allow leaders to look for patterns or abnormalities. Other times, the misconduct is misclassified as unimportant, when it should have been seen as a warning sign of a larger and more pervasive issue (e.g., the General Motors ignition switch). And occasionally the wrongdoing is hidden, so it is not detectible at all. Any or all of these reasons can have disastrous consequences and magnify what otherwise would have been a small compliance issue.
The investigation stage includes an organization’s policies and procedures for discovering the existence and scope of any compliance failure. This includes gathering the relevant facts surrounding the potential failure so that informed steps to escalate or address the failure can occur.
Although the investigation stage is often particularly difficult to separate analytically from the detection phase (because investigation often begins as soon as a significant issue is detected), thinking of the stage independently is important. Investigation is the first step to determining the root cause of a compliance failure, or determining whether there is actually such a failure in the first place. Declining to properly investigate misconduct within an organization can create devastating consequences and add difficulties to an already complex compliance challenge.
Finally, remediation, which involves an organization’s efforts to respond to and alleviate the discovered misconduct, is one of the most overlooked stages, namely because it cannot and does not occur absent a failure at one of the three preceding stages. Yet remediation is a critical step that continues to be emphasized by those in the regulatory and compliance fields. And indeed, without proper remediation, organizations can often get stuck in the same systemic cycle of compliance lapses. Consequently, evaluating the success or failure of a company’s remediation effort is of the utmost importance.