NOTE: This originally appeared on this date at Quest Software's
ToadWorld, on the expert blog "John Weathington's Quest for
Compliance". The link to the actual ToadWorld article is at the bottom.
You may have noticed that I recently took a short break from my “Quest for
Compliance” blogging duties, to handle some unexpected priorities, but
now I’m back and it feels great to plug in again. In my case, it’s
pretty easy to jump right back into the swing of things, but sometimes
coming back from a break can be quite disruptive. This applies to many
situations, including your company’s compliance programs. Fortunately,
with your support, an unexpected break shouldn’t break your company’s
stride. In this article, we’ll explore what you can do to aid the cause.
Why Your Company Might “Take a Break” from Compliance
Although unpleasant to deal with, breaks from normal operation are not
uncommon for a compliance program. That’s because your company’s
compliance policies are created and maintained by your compliance
organization; however, the activities that keep your company in
compliance are largely executed outside of the scope of your compliance
program. For instance, if your company sells goods and services to the
government, your company should have a program devoted to your
government contract maintenance and compliance. However, to stand in
good stead when dealing with government auditors, the activities of
your sales staff need to be under control.
This puts your company in a position where the rules are coming from
one organization, and the duties are executed by another. In a perfect
world, both organizations would be in sync; however, in
the real world the two organizations will have different primary
strategic objectives. Your government compliance program’s primary
objective is to maintain compliance with your government contract. Your
sales organization’s primary objective is to make sales.
What does all this have to do with a break?
Well, assuming your sales department and your compliance department
have a good relationship and are in sync with each other, following the
proper compliance procedures isn’t a problem. However, let’s say
there’s a crisis in the sales organization, and they need to forget
everything else and focus purely on what it takes to make a sale. As
much as your compliance program doesn’t like it, compliance procedure
will go out the window. Your sales force will in effect “take a break”
from your compliance policy for a while. There’s no way for your
compliance program to formally enforce compliance policy, since the
compliance organization doesn’t have formal control over the sales
organization.
Okay, Crisis Over but Why Aren’t Things Back to Normal?
So what happens when the sales crisis is over? The sales organization
returns to normal operation, following all the appropriate compliance
procedures, right? Wrong!
What has happened is that too much time has gone by, and the
organization has collectively lost its knowledge of compliance
procedure. Why only compliance procedures, and not the rest
of the procedures? It goes back to the primary objective of the
organization. The sales organization is not motivated by staying in
compliance; it’s motivated by making sales.
So how do we get the sales organization back on track? Sure, the
compliance organization can reinstitute training, but that’s
time-consuming, and the longer your organization is out of compliance, the
greater the risk your company is taking. Wouldn’t it be ideal if your
sales organization could snap right back into compliance mode? That’s
where you come in.
To pull this off, your data around compliance needs to be extremely
organized, and accessible to the sales organization. When I mention
your data around compliance, I’m referring to policy, like I described
in Policy Data Management in 3 Stages. The trick, however, is to prevent
compliance information loss, even though the procedures are not being
followed through the “break.”
Let’s take the last holiday break as an example, which for some of us
lasted two weeks or longer. Without any judgment, some of us made a
complete break from any work activity, and some of us sort of monitored
what was going on by checking emails or possibly taking some calls. For
the people that took an absolute break from work for a week or two,
this “back to work” week was either very tough, very unproductive, or
both. For the ones that kept in touch with what’s going on, it wasn’t
so bad.
Continuity is the Key
The difference is continuity. Those that maintain continuity through a
break (which sounds contradictory, but that’s only a frame of
perception) have a much easier time jumping right back into normal
operating procedure. Your goal is to design a data system that empowers
your sales force (or any other organization that is required to follow
compliance policy) to maintain continuity through a break.
This is an extension of your mature policy management system. I say
mature, because you must be at the point where your policy management
system is integrated with your process data system, like the one I
described in Automated Process Auditing. Also, it needs to be matured
to the point where it’s a preventative control system, and not a
corrective or adaptive control system (see Prevention over Intervention
for an in-depth explanation of the difference). This in effect gives
you a policy early warning system.
What you’ve done by creating this type of architecture is give the
sales force the ability to review policy at the time of activity (i.e.
process of the sale), even though the policy is not being followed.
This will keep the policy and procedures fresh in their minds while
they navigate through their crisis. To go a step further, you might
consider creating a sort of acknowledgment feature in your transaction
processing system that electronically validates that the policy has
been reviewed and that it’s purposely not being followed.
Wait, Something Doesn’t Sound Right!
It might sound a little odd that you’re capturing evidence of
purposefully violating policy; however, in reality it’s the most
responsible thing you can do, given the circumstances. I’m not
advocating the willful disregard for policy; I’m assuming your company
is in a position where it cannot follow policy, and I’m showing you how
to lessen the impact from a compliance continuity standpoint. Your
sales force is not following policy anyway, and not acknowledging it is
not a defense in an audit or investigation.
Having the policy information display as a constant reminder while
transactions are being processed will have the same effect as
checking emails has for the person on break. This process will prevent the
inevitable decay of policy information retention that will
geometrically progress as time goes on.
Breaks in policy are an unfortunate but sometimes necessary reality in
the normal course of business. It’s not a popular statement, but it’s a
reality that your organization needs to be mature enough to face, even
if it’s from a risk management standpoint (meaning we don’t expect it
to happen, but if it does …). If your company is fortunate enough to
come around to that conclusion, they will need your help to architect a
system that minimizes the impact. Start drawing plans for the
construction of a policy early warning and acknowledgment system to
serve the need you now know is there.
