CEP Magazine (April 2024)
Much has been written about the importance of identifying lessons learned and taking remedial action in the aftermath of an investigation into compliance failures. But an equally valuable exercise can result from exploring the circumstances associated with compliance issues that our internal controls prevented from escalating into failures.
It’s great when we determine that one of our preventive or early detective controls stopped a potential compliance failure before something more serious occurred. But there are a few questions we should ask ourselves:
-
Where in the process did our controls stop this? Were there still several subsequent steps that likely would have protected us, or was this the last line of defense?
-
Is there something we could do to reduce our risk further?
These are separate but obviously related questions. The second question is most critical from an organizational protection standpoint, while the first is practical. Does it make sense to use resources to strengthen internal controls—which will never be foolproof—when we caught this before, and three subsequent controls could also have prevented it?
Studying what happened prior to the compliance failure being stopped often leads to one of two measures. First, it might simply lead to the conclusion that some refreshed training or a reminder is all that’s necessary. The process did what it’s supposed to—it stopped a failure in its tracks. But things could be even better if nothing needed to be stopped.
The other measure is the addition or modification of a process-specific internal control. This is done to either add a layer of protection or to provide for even earlier prevention of the issue. These measures may be either human (adding a layer of review and approval to a process) or automated (for processes that use technology in some manner along the way). Weighing the cost and effect on efficiency with the reduction in compliance risk is an important consideration when taking either of these types of actions.
Close calls give us a unique opportunity to identify weaknesses in our preventive and detective processes without enduring the pain of an actual compliance failure.
[View source.]