Calvin London (calvin@thecomplianceconcierge.com) is the Founder and Principal Consultant for The Compliance Concierge in Melbourne, Victoria, Australia.
In 2020, industry was given new guidance from the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) with the second edition of A Resource Guide to the U.S. Foreign Corrupt Practices Act.[1] Of importance were new headings that related to continuous improvement (periodic testing and review), investigation analysis, investigation analysis and remediation of misconduct, and evaluation of corporate compliance programs.
For many companies, I am sure this was received with a degree of contempt: “More rules and regulations that we are expected to meet instead of making money!” Such companies, however, need to take a serious look at their compliance program and indeed their culture, because the world is changing. It is no longer acceptable for a compliance program to simply tick boxes; there needs to be a lot more substance behind the actions and the processes that guide the company’s compliance. Research conducted some years ago now demonstrated that companies that embrace a combined attitude of quality and compliance can achieve higher levels of efficiency and profitability and, although not stated, fewer compliance issues.[2]
There is a lot that compliance can learn from their quality colleagues about implementation. I can see the compliance purists shuddering from this thought. I had one client who outwardly expressed to me their displeasure that I should mention quality in the same breath as compliance: “Just give us the bare minimum so I can get through audits; we want a compliance program, not another quality process!”
Many of the requirements of modern-day compliance programs require elements that have been in play for quality for a number of years: investigations, corrective actions, monitoring, and continuous improvement. But before we look at some of these, let’s address a fundamental issue if compliance is going to join forces with quality: what is the difference between quality and compliance? Once answered, it is then possible to show why I think there is room for ‘Q’ (quality) in compliance.
Putting the ‘Q’ in compliance
Fundamentally, compliance is something that we do in order to meet regulations or standards that have been imposed: Foreign Corrupt Practices Act (FCPA) guidelines, Food and Drug Administration (FDA) guidelines, or International Organization for Standardization (ISO) standards, for example. They are nonnegotiable and, theoretically, the same rules apply to all companies. Many companies view these as a necessary evil that immediately sets up an attitude of “just get it done already.”
Quality, on the other hand, is a standard that is largely set by a company; it is not so much demanded by law but rather seen as good for business. A company that establishes a high consistency in delivering a quality product or has a healthy respect for how it treats its customers is viewed as a quality company.
When compliance and quality are combined, the result is a company that ticks all the required boxes for compliance not just to pass an audit but also to make sure that its reputation is solid and its customers feel confident that they are getting a compliant quality service. What’s more, in such companies, people tend to “want to do the right thing,” because the company’s culture is based on both quality and compliance embedded as fundamental values.
If you are the person responsible for compliance in your company and your company has a person responsible for quality, you should be best friends. There is so much that you can do to improve your compliance program by putting even just a little bit of “Q” in it. Here are five reasons why you should have a closer relationship with your quality peers.
1. Quality is a continuum with no end.
I have never been a big fan of the term compliance program. To me this inadvertently says you do something (put in place a program consisting of policies and procedures), and that is it. When the program is in place, the job is done.
Quality people have over many years realized that this is one of the biggest mistakes a company can make. Thinking back to the early days of ISO 9001, which was considered the gold standard for service delivery, if you wanted to be recognized (and in some cases if you wanted to do business with the government), you had to have ISO certification. Consultants made a fortune by going from company to company with a cookie-cutter approach changing the names of the company and making slight adjustments. Many companies wrongly believed this was all that was required. Get a set of policies and procedures to say what you are going to do and stick it on the shelf. When the first performance audit came, they failed miserably because no one had adopted the concept of this being a process rather than a program.
I believe this has also been the downfall of a lot of compliance programs, and some of the intent of FCPA guidance revision is to say, “We want you to actually do something with your program so that we do not see the same mistakes reoccurring.” In other words, your program is a process that keeps going through cycles of adjustment as your company—and the world—changes.
Several areas of compliance, such as training, third-party risk management, and policy and procedural review, are now viewed through the eyes of this continuous process, rather than as a static implementation that is performed once. Although we refer to compliance as a program, it is important for companies to understand that the program is a process that keeps repeating—not just a one-off program.
2. Live with less risk.
Some years ago, DOJ issued a guidance document entitled Evaluation of Corporate Compliance Programs.[3] This evaluation raised three fundamental questions that are still pertinent to the structure and function of a compliance program today:
- What did you do to prevent it?
- What did you do to detect it?
- What did you do when you found out about it?
The concept of living with less risk is fundamentally dependent on finding the cause as much as the culprit and modifying processes, be it policies, procedures, or training to try to prevent the same mistakes from happening again. Detection (investigation), remediation, and prevention are the elements of corrective and preventive actions. I am sure many compliance people have heard of these, but have they employed these techniques in their compliance programs?
Data analytics is the growth area of compliance following reinforced expectations from regulators (DOJ’s revised guidance as an example). The excuse that a company does not have the resources to conduct a data analysis does not hold water anymore as technical platforms for data analytics are being developed to cater to different-sized companies. Quality functions have cut their teeth on collecting, trending, and data analysis, and there is no reason why any of their processes, systems, and platforms cannot be adapted to conduct the same level of monitoring for compliance. What a wonderful opportunity for collaboration to maximize both efficiency and risk minimization.
Data collection provides a valuable tool for understanding trends, process improvement, and ultimately education of employees, all with a view of minimizing future risk. Regulatory bodies expect companies to analyze their compliance risks and take active steps to enhance their compliance programs to prevent mistakes from reoccurring. Regulators do not like to see repeat offenses, especially when they are due to poorly implemented compliance systems and a lack of ongoing monitoring. This has been discussed in recent publications.[4] The significance of these as contributing factors to what is seen as a low level of corporate recidivism has also been analyzed.[5]
The compliance world now seems to be catching up to the quality world in terms of the power of monitoring and data analysis. Again, you have to ask the question, if your quality function already has processes in place, why wouldn’t you want to use them for compliance monitoring and reduce future risk?
3. Quality can confirm: the ‘dump and run’ technique does not work.
I have already used the example above of the implementation of ISO 9001 and how many companies simply “bought” a program, told everyone to read and understand it, and that they now had a quality program. The same is true of many companies regarding compliance programs. We have a policy that says “thou shalt not bribe,” and, “If we catch you, we will fire you”; what more could you want?
Constantly changing regulatory standards require regular updating of policies and procedures, accompanied by employee re-education on the changes. Quality functions already have systems and processes in place for document management with defined review periods. They can also provide valuable guidance on the benefits of documenting evidence as an essential component of a modern-day compliance program, so why reinvent the wheel?
4. You will be proactive instead of reactive.
As we discussed earlier in this article, compliance is about minimizing risk, and quality is about recognizing continual improvement. Consider the following example:
Mary is a sales manager in a medium-sized technology company. She has 10 direct reports, each of whom is responsible for several clients. During an audit by an outside consultant, it was discovered that one of Mary’s team members had an unusually high entertainment spend compared to the others. The same individual also had the highest sales.
A compliance person may look at this and say, “I smell a rat”; the individual must wine and dine clients to get sales. There is a tendency for compliance folks to address the issue at hand as a solution to minimize the risk. Collecting evidence to substantiate the suspicion and then getting rid of the person, as an act of risk minimization, is a reactive approach with little long-term consideration of the situation.
A quality person may have the same suspicion, but the approach will be different. With a continuous improvement hat on, they would look at the bigger picture and apply a corrective and preventive action approach. There still needs to be an investigation that may well end up at the same conclusion (the person is bribing customers and is the sole problem), but a further look as to how this can be prevented from happening again (continuous improvement) is more effective from a minimization perspective.
5. Joining forces with quality will change the culture for the better.
The phrase “been there, done that” immediately comes to mind when talking about changing culture from a quality perspective. Quality functions, to varying degrees of success, have all had to deal with the negativity and naysayers when it comes to implementing policy and procedures, conducting investigations, and dealing with deviations from the norm that are discovered via continual monitoring.
Lessons can be learned from quality folks as to how to deal with this negativity because it is only in well-adapted, mature companies that quality (and in turn compliance) are not despised. Providing employees with a united front between quality and compliance, and embracing shared systems and a philosophy of executing processes with the aim of consistency and continual improvement, can only be beneficial.
Compliance functions are now adopting a more comprehensive process that embraces systems-based ideology that goes beyond a policy and a process. There are significant opportunities for compliance functions that are grappling with this cultural change to piggyback on the processes and cultural changes that have already been implemented by quality functions. As an example, introducing the long-established “Plan-Do-Check-Act” cycle used by quality functions in compliance programs can address a lot of the newer requirements that DOJ is looking for in their revised guidelines.[6]
What’s the quality of your program?
Whether by working with a quality function within the same company or by going outside to gain knowledge of these processes, there is a lot to be gained by putting “Q” into compliance. Companies that focus on compliance without consideration of the quality of compliance and with little regard for innovation, continuous improvement, or maximizing efficiency will continue to step from audit to audit or compliance incident to incident to their detriment.