Alisa Lewis (alisa.m.lewis@hotmail.com) is Director, Privacy and Compliance, at Diameter Health, Farmington, Connecticut.
Would you be surprised if I told you we perform gap assessments in our daily lives? Take, for example, meal planning. You determine what you are going to eat for the week, identify the ingredients you will need, find out which of the ingredients you have already, make a list of the additional ingredients needed, and then go grocery shopping.
A gap assessment (or gap analysis) is a comparison between the current state and the desired state. The differences between the current state and the desired state are the gaps. Once gaps have been identified, they should be documented, shared with management and appropriate stakeholders, and remediated by the appropriate personnel.
In the meal-planning example, the desired state is having all the recipe ingredients you need to make your meals for the week. The current state is the ingredients you already have in your home. The gaps are the ingredients you need to make the meals but do not have on hand. The documentation of the gaps is the grocery list. And the remediation takes place when you buy the missing ingredients at the grocery store.
Five uses of a gap assessment
Gap assessments can be performed in a variety of circumstances. I have used them in several ways and have gained valuable information each time. Let us look at five uses of a gap assessment.
To determine whether your compliance program is adequately designed
Title 9 of the U.S. Department of Justice Justice Manual states, “critical factors in evaluating any [compliance] program are whether the program is adequately designed for maximum effectiveness in preventing and detecting wrongdoing by employees and whether corporate management is enforcing the program or is tacitly encouraging or pressuring employees to engage in misconduct to achieve business objectives.”[1] Additionally, the manual states that to determine whether a program is well designed, the “prosecutor should consider the comprehensiveness of the compliance program.”
While the Evaluation of Corporate Compliance Programs recommends a risk assessment be performed to determine whether an organization is adequately designed,[2] a gap assessment can be an important step before the risk assessment.
Here’s why: No two organizations face the same sets of requirements. A compliance program that is adequately designed for one organization may not be adequately designed for another. To determine what “adequately designed” means to your organization, you need to consider the services you provide, your customers, and applicable laws and regulations. Do you use offshore resources? Are you a federal subcontractor or do you receive Medicare or Medicaid payments? Are you a covered entity or a business associate? Answering questions like these will help establish applicable requirements.
Once you have determined your requirements, you can perform a gap assessment to determine what gaps exist between requirements and your current program. After gap remediation and once your controls have begun operating within your environment, you can perform an accurate risk assessment to ensure the remediation put in place is appropriate and is meeting the needs of your organization.
When you are new to the organization
Starting a new job at a new organization can be daunting. There is so much to learn and absorb. While employers have new-hire training programs in place, the training program most likely will not teach you everything you need to know about compliance within the organization. A gap assessment can be used to understand what requirements the organization has in place, identify how the organization is currently meeting requirements, and determine whether there are any gaps in meeting the requirements. It gives you a formal process for learning about the organizational requirements and using the information in a real and meaningful way.
When you are a part of a merger or acquisition
When your organization acquires or merges with another organization, each organization may have different controls in place, or controls implemented differently. The gap assessment process can help you identify compliance requirements, or other sets of requirements, under the new organizational structure. Through the gap assessment, you can systematically document the existing controls and determine whether there are any gaps.
To prepare for new regulations or requirements
Are you considering exporting goods or services? Are you expanding offerings to the European Union? Such changes affect your compliance landscape. If your organization is considering expanding services or tapping new markets, you need to be aware of the compliance implications these changes will have for your current program. Through the gap assessment process, you will identify and document the requirements the new service or market will bring to your organization and assess what you may already have in place. It is possible your current processes may meet some of the new requirements or can be modified to meet the new requirements. The gaps identified can be used to create a list of tasks that can be incorporated into a project plan to bring your organization into compliance with the new service or market segment requirements.
To improve the maturity of your program
A compliance program maturity model is a tool that is used to measure program maturity. There are various compliance maturity models available. Each model may have different terminology, but in general, maturity levels range from ad hoc or incomplete to optimizing. Ad hoc or incomplete means the program is not formalized and processes are not repeatable. Optimized means the program is in a state of continual improvement, is agile, and can anticipate needs. To perform a maturity model gap assessment, you use a compliance program maturity model as the framework you are measuring against, determine the maturity you want to achieve (desired state), identify where your program currently falls on the model (current state), and assess gaps that exist between the two states. Remediation of the gaps increases the maturity level of your organization.