Veronica Root Martinez (vrootmartinez@nd.edu) is Associate Professor of Law at Notre Dame Law School in Notre Dame, Indiana, USA.
Compliance in the 21st century is challenging. There are countless handbooks, textbooks, classes, programs, seminars, and magazines all dedicated to explaining and demystifying compliance. These materials valiantly attempt (some more successfully than others) to simplify the complicated legal and regulatory chaos we live in today. Yet despite their best efforts—and despite the best efforts of managers near and far—compliance failures still happen all too often. Some are quite spectacular in their gory details.
You certainly know them: the downfall of Enron, the General Motors ignition switch catastrophe, the Wells Fargo fake accounts debacle, the allegations of sexual harassment at 21st Century Fox—all very notorious compliance failures leading to public outcry and outrage and, in the case of some, a concomitant wave of regulatory change. Yet if history has taught us anything, it is that companies like Enron, General Motors, Wells Fargo, and 21st Century Fox are not alone. Compliance failure is both inevitable and ubiquitous in today’s complex administrative and regulatory environment. And while it is commonly accepted that effective compliance programs will never result in perfect compliance, we certainly can and must do better going forward.
The status quo
When confronted with a compliance failure, we often ask “Why did the failure occur?” But that question can result in imprecise and incomplete assessments about the true cause of the compliance failure. Take the case of General Motors, for instance. Reports of the faulty ignition switch first came to light in 2004. However, when General Motors first analyzed the potential problem, it classified the issue as one of customer convenience instead of a safety issue. And as a result, the company failed to take actions that would have prevented harm to its customers and other members of the public.
By focusing only upon the issue of misclassification, the full extent of the failure at General Motors can be difficult to discern. Upon first glance, the cause of the compliance failure at General Motors appears to be the failure of its engineers to detect the full scope of the defect, and admittedly, that is likely a primary cause of the ignition switch scandal. But when one drills deeper, one also finds that individuals at General Motors failed to properly and fully investigate the extent of the problems with the ignition switch. Indeed, in 2005 an investigation into the ignition switch was opened and closed in the span of a month. Moreover, a group of internal lawyers at General Motors, charged with using settlement data to generate settlement forecasts and, according to accounts from some employees, to detect trends indicating safety issues, failed to do so, which impeded General Motors from properly responding to and remediating the problems with the ignition switch.
When conducting a root cause analysis into why a compliance failure occurred, the challenge is to do so in a manner that allows the complexities of the situation to be revealed. To do so effectively, it may be time to reframe the inquiry from “Why did the compliance failure occur?” to something else.
The compliance process
Building off the work of others in the compliance field, I posit that the compliance function is a process made up of four distinct yet interrelated stages: prevention, detection, investigation, and remediation (see figure 1). If those charged with assessing compliance failures ceased asking the broad question, “Why did a compliance failure occur?” and instead asked, “At what stage(s) within the compliance process did the failure(s) occur?” a more precise root cause analysis might be revealed.
Although these categories appear simple, they can be powerful when used to systematically think through a compliance failure and ultimately help to reveal the root cause of the issue. The four stages are necessarily interconnected, and a complex compliance failure may include failings at every single stage. Yet thinking of the stages separately when analyzing a compliance failure aids in analytical clarity and helps managers and leaders alike reach the true root cause of a failure. Getting to the root cause of the failure is a critical and necessary step toward remediating the immediate problem as well as drafting a solution likely to prevent a similar failing in the future.
1. Prevention
The prevention stage is all about having policies and systems in place to stop misconduct within an organization. It is the first line of defense, and thus must be rigorous enough to withstand multifaceted attacks. A prevention failure occurs when an organization is not fully cognizant of its responsibilities related to prevention, meaning it either does not know of its risks and obligations or does not take the appropriate steps to prevent the risks from occurring. Accordingly, some sort of misconduct eventually occurs.
The importance of prevention within compliance efforts is, of course, well known. Many legal and regulatory mechanisms require firms to engage in effective prevention efforts. But it is just the first of four stages those charged with overseeing the implementation and creation of effective compliance programs must take into account. The importance of prevention may get lost after a compliance failure occurs, as the company focuses on the compliance program more generally.
2. Detection
Detection involves a firm’s policies designed to discover errors, misconduct, aberrations, or risk within the organization. Detection is one of the most complicated stages because it must not only pick up on the acts of the firm’s agents that are outside of the internal policies put in place by the firm, but it must also find potential risks that can result in harm to outsiders or the firm itself. This is a complex and challenging task.
Corporate officers are responsible for detecting misconduct within their ranks, yet detection can be difficult for a number of different reasons. Sometimes the data is not readily available to allow leaders to look for patterns or abnormalities. Other times, the misconduct is misclassified as unimportant, when it should have been seen as a warning sign of a larger and more pervasive issue (e.g., the General Motors ignition switch). And occasionally the wrongdoing is hidden, so it is not detectible at all. Any or all of these reasons can have disastrous consequences and magnify what otherwise would have been a small compliance issue.
3. Investigation
The investigation stage includes an organization’s policies and procedures for discovering the existence and scope of any compliance failure. This includes gathering the relevant facts surrounding the potential failure so that informed steps to escalate or address the failure can occur.
Although the investigation stage is often particularly difficult to separate analytically from the detection phase (because investigation often begins as soon as a significant issue is detected), thinking of the stage independently is important. Investigation is the first step to determining the root cause of a compliance failure, or determining whether there is actually such a failure in the first place. Declining to properly investigate misconduct within an organization can create devastating consequences and add difficulties to an already complex compliance challenge.
4. Remediation
Finally, remediation, which involves an organization’s efforts to respond to and alleviate the discovered misconduct, is one of the most overlooked stages, namely because it cannot and does not occur absent a failure at one of the three preceding stages. Yet remediation is a critical step that continues to be emphasized by those in the regulatory and compliance fields. And indeed, without proper remediation, organizations can often get stuck in the same systemic cycle of compliance lapses. Consequently, evaluating the success or failure of a company’s remediation effort is of the utmost importance.
Reframing: How to utilize the process framework
The key to the process framework is to use it—even if you can already tell at what stage the compliance failure occurred—to determine why something went wrong. It is not enough to know that something went wrong. Firms that want to ensure that compliance failures are identified early, responded to completely, and unlikely to recur in the future must ensure that they enter into an effective root cause analysis. This is important, because it may be that when a firm uses the process framework, it will reveal failures at all four stages within the process. It is possible that none of these failures would be revealed if one asked the broader question of “Why did the failure occur?”
The sexual harassment scandal at 21st Century Fox is a good illustration. In 2016, Gretchen Carlson, a former anchor at Fox News, filed a lawsuit against Roger Ailes, then CEO of Fox News, accusing him of sexual harassment. Amidst these public allegations of misconduct, which were substantiated by secret recordings Carlson had made for more than a year and a half, Ailes was dismissed from the company. In the wake of Carlson’s lawsuit, other women came forward with similar experiences of sexual harassment by Ailes, which led to a reckoning of sorts within the organization. Many came to believe that the organization had failed to implement a successful compliance and sexual harassment program in the workplace. Yet this conclusion does not get us to the root causes of the compliance failure. Using the process framework can.
1. Prevention
Analyzing the Fox News sexual harassment scandal beginning with the prevention stage, it is clear that the company could have done more to prevent sexual harassment. The organization, as many do, relied on training to prevent misconduct. Yet 2015 guidance by the Equal Employment Opportunity Commission noted that much of sexual harassment training done by companies over the last number of years had been ineffective. Fox, however, failed to respond to this guidance and did not implement any changes to its sexual harassment prevention program. More problematically, Fox is reported to have had a culture where men were valued for their skill and women for their looks. This certainly contributed substantially to the compliance failure, by perpetuating a certain status quo and culture at Fox. With more deliberate efforts focused on changing this culture for the better, Fox may have been able to prevent misconduct of this nature from occurring.
2. Detection
Fox also failed to detect sexual harassment. Women were allegedly afraid to come forward and report instances of sexual harassment, meaning that even if Fox’s training was on the whole effective in preventing most sexual harassment, its detection mechanisms would never have caught the unwanted behavior. Additionally, and equally problematic, Ailes himself headed up the human resources department—the department that would have received any sexual harassment complaints. Accordingly, even if such misconduct were properly detected by the Fox News organization, Ailes allegedly could effectively use his position to block any complaints. This indicates a potential detection issue.
3. Investigation
Likewise, the organization failed to investigate sexual harassment, even when alerted to potential misconduct. A biography of Ailes published in 2014, for instance, contained numerous stories of women who reported that Ailes sexually harassed them. It does not appear that this information was ever investigated or acted upon by the Fox News organization. Indeed, Fox simply investigated allegations too late; not until Carlson’s allegations became public did the company hire an outside law firm to investigate Ailes’ potential misconduct. Better investigation into the compliance failure earlier on could have helped Fox minimize the scope of its ultimate compliance failure.
4. Remediation
Finally, Fox allegedly had issues remediating the culture of sexual harassment within its ranks. For instance, the company learned of allegations against Bill O’Reilly, another star at Fox News, but granted him a four-year contract extension in 2017 instead. The contract extension was granted in the aftermath of the revelations regarding Ailes, despite multiple sexual harassment settlements involving O’Reilly in 2002, 2004, 2011, and 2016. Although Fox eventually fired O’Reilly in April of 2017, the remediation attempt does not appear as successful or robust an effort as it should have been to appropriately address the apparent compliance failure.
This quick examination of the Fox News sexual harassment scandal indicates that compliance failures are complex and multifaceted. Indeed, the root cause of any compliance failure may not be readily apparent even after a deep and detailed inquiry, let alone a briefer one such as this. But although getting to the root cause or causes of a compliance failure may be difficult, framing the inquiry as one of prevention, detection, investigation, and remediation is certainly a helpful start. And as a manager, this framework may be one of your best and most potent tools.
Applications for managers
There are many reasons to care about creating, sustaining, and evaluating your organization’s compliance systems: (1) minimizing legal costs and fines, (2) maintaining public perception, (3) minimizing the potential for loss of hard-earned goodwill, and (4) preventing the loss of your own job due to a compliance failure that occurs on your watch. These are just a few of the myriad reasons.
Admittedly, the compliance framework suggested here cannot change the culture of your organization. If you work at a company where harassment is tolerated or corners are frequently cut, then compliance failures likely abound. But if you work in a company that is dedicated to achieving effective compliance—and is striving toward that goal—then the framework presented here may allow you to get there. If that’s the situation you find yourself in (and I hope it is), here are a few ways the framework can benefit you.
1. Assist in narrowing the cause of systemic compliance failures
As demonstrated above, the principal benefit of a rigorous commitment to using the four stages of prevention, detection, investigation, and remediation to frame your inquiry after a compliance failure is that such a commitment might lead to an in-depth root cause analysis. This analysis in turn might lead to the underlying reason for your compliance failure; it will get you to the root of “why.”
You may be wondering why these four stages in particular are beneficial in “getting to why” when there are already other tools, such as fishbone diagrams or Pareto charts, that do the same. Although any inquiry into the why of a compliance failure is better than none at all, these four stages represent the common “whys” of countless compliance failures both large and small. Thus, the four stages conveniently frame the inquiry and hone the mental analysis toward those issues that matter most when evaluating a compliance failure.
2. Assist in institutional design efforts
Moreover, the framework allows for a path forward. A compliance failure is magnified and perpetuated when it is improperly remediated, and the surest way to another failure is to fail to determine the root cause of the original one. Yet the process framework should provide managers with useful information about why the failure happened and hint accordingly at what needs to be done to prevent a similar failing in the future. Of course, the framework itself will not provide design solutions; those must be crafted elsewhere. But the framework can be used to direct your efforts more effectively toward designing a system that will prevent a similar failing in the future.
3. Improve perceptions of procedural fairness
Finally, a less obvious, but nonetheless important, benefit of utilizing the process framework is that by using such a framework in your decision-making after a compliance failure, you demonstrate a commitment to an unbiased and thoughtful process. Countless studies have shown that employees hate feeling like decisions are reached unjustly or unfairly. Publishing this tool and explaining it to your employees may help them understand the efforts you and others are taking to reform the organization after a compliance failure. A greater understanding means a greater potential that employees will view the ensuing compliance process as procedurally fair. And although in no way does the framework provide a guarantee of universal understanding and acceptance, it is at least a common language and starting point for you and your employees. That, in and of itself, may be significant.
Conclusion
There is certainly no panacea for compliance failure. If history has taught us anything, it is that compliance failures will continue to happen despite our best efforts. Yet perhaps, by changing our way of thinking about such failures, we may be able to catch wrongdoing within firms at an earlier stage, while also working to ensure other similar misconduct does not occur.
Takeaways
- After a compliance failure, it is beneficial to frame the related inquiry as four stages: prevention, detection, investigation, and remediation.
- Using the process framework of prevention, detection, investigation, and remediation better allows institutions to get to the root cause or causes of a compliance failure.
- Analyzing each stage of the compliance process framework separately, while acknowledging the inherent interrelatedness of each, promotes analytical clarity.
- The process framework can assist in institutional design efforts by more effectively directing an organization’s remediation efforts.
- The process framework can also improve perceptions of procedural fairness within an organization when managers use the framework to guide the remediation effort.