Fake Compliance


By Frank Ruelas
Facility Compliance Professional, St. Joseph’s Hospital and Medical Center/Dignity Health

Help me out here. Understand that if this may apply to you and your organization, it is by no means a negative comment but a genuine request to help me understand how compliance professionals in the following situation can genuinely believe they have effective compliance programs.

We are all familiar with the seven elements as defined by the OIG, the eight elements as defined by the ACA, and the nine elements as described in the FSG.  No problem there. The problem or challenge is that regardless of which of these three frameworks is used, a few of the elements are common to all of them.  One, in particular, is the element of auditing and monitoring.

For years it seems that people have stayed away from developing the auditing and monitoring element within their compliance program framework.  Some of the reasons, quite frankly, are related to the fact that some compliance professionals simply don’t know “how to” set up auditing and monitoring.

Oh sure, many compliance professionals can talk the talk.  They may even have a few “metrics” that they display to the Board as some type of dashboard in an attempt to show the general health or state of the compliance program, but in the end, are these Boards really getting a good picture or idea of the overall effectiveness of the organization’s compliance program?  In my view, I can’t understand how that can be, so I am genuinely asking for perspectives from those who can help shed some light on this question.

I also want to pose the following for your consideration and feedback.  We can have some of the best policies and procedures in place in terms of how the staff can clearly understand their content, very effective training and education to inform the staff on what it needs to know, and timely and effective responses to incidents that may also include enforcement that may result in sanctions or disciplinary actions.  These are all very positive.  But I ask you, what are we relying on to know if what we propose in policy and procedure is translating itself into action?  For some, maybe most, we are in the reactive mode.  We wait and see what comes our way by means of incident reports or the hotline, which I know for some, if they get one or two calls a week that is a noteworthy occurrence.

Auditing and monitoring is an essential function that can serve a vital role in a couple of ways.  For one, and I hesitate to use the tried and true…and tired…idea, it allows compliance professionals to be proactive.  Rather, I think it allows compliance professionals to be active.  Active in looking for those instances where noncompliance exists so the causes can be identified and mitigating efforts done to align what needs to be brought back into compliance.  Auditing and monitoring also serves as a powerful “reinforcer” though it may be sometimes perceived primarily as a way to find when people are doing something wrong.  Consider the following.  How often do we as compliance professionals communicate a message of a “job well done” to others when we see that their behavior and conduct is promoting the objectives contained in our compliance programs?

There is more to share for thought for sure.  However, my point remains the same.  I fail to understand how compliance professionals with little or no auditing and monitoring function within their compliance programs can honestly say to themselves and others that they have an effective compliance program, but I am the first to admit I am willing to learn!

9 COMMENTS

  1. Fake is a pretty strong word, but it is an important point you make, Frank!

    I agree that auditing and monitoring is very important to be able to consider a Compliance Program as “effective”. I have comments too long for this space extolling the benefits to be derived.

    One hypothesis that I would like to put forward regarding why implementing a solid auditing and monitoring element can be challenging is that this may well be the element of the Compliance Program that requires the most involvement and engagement of other departments. If that overall support is lackluster or absent, it makes it more difficult for the auditing and monitoring to be meaningful. Certainly with data analytics and other tools there are some things that a Compliance Department could do “on its own” and produce reports and statistics but in my experience the best results are when the departments are engaged — performing their own departmental monitoring, providing management response to audit findings, etc.

    This is not to say that other elements don’t require other departments’ involvement (education, for instance, requires that managers ensure that staff complete required training). Just an observation regarding auditing and monitoring from prior observation.

    Would be interested in others’ comments as well. Have a great weekend, Frank!

  2. I agree with your thoughts, both on the importance of this element as well as its difficulty of “knowing how” to do this, determine what needs to be audited and monitored, etc. I struggle with this daily. It seems there is so much, so determining priorities and actually knowing how to do it is difficult!

    I also agree that engagement is key. You must have the support of your administration and department managers. The culture and attitudes about compliance must be in line and encouraged. That’s not always the case.

    I would be greatly interested in any suggestions or ideas others have to bring this important element to the forefront!!!

    Thanks for the opportunity to comment.

  3. I agree also. We have a department charter that outlines what our responsibilities to the company are as a department, including what we will do for investigations and its reporting. Our Board of Directors requires our compliance department to go through an annual risk assessment (the OIG has some good templates). We base our audit/monitoring/mitigation priorities off of it, as well as other departments and their risk assessments. Additional training and monitoring may be added based off of recent compliance incidents or discovered risk. This is in turn reported back to the Board as part of our monitoring and mitigation effort for the potential risk.

    Getting buy-in for internal audits may be difficult as the word “audit” seems to have a negative connotation. We explain to other departments the monitoring and internal audits are for the department’s/company’s benefit. We would rather find an issue internally and have the chance to mitigate it before it gets worse, or worse yet – before an external auditor (or senior management) finds it. Your department/company may already be doing a version of this but may not realize it. When coworkers check over their peers’ work/process beforehand, they are essentially auditing the work. The only difference is its documentation. Documenting that work/process has been independently validated it was correctly done, and if not, another review of that work/process down the road to make sure it had been corrected, and documenting how it was mitigated.

    Good luck! I don’t know if this helps, and I hope you find your answers!

  4. Frank – Thanks for this. Despite the fact that standards like the Sentencing Guidelines are crystal clear that without things like auditing and monitoring you do not really have a program, people still cling to paper and preaching. Having a code and giving PowerPoint presentations is not a compliance program, and has very limited ability to prevent misconduct.

    I fully agree that companies need to do auditing and monitoring if they are even going to claim they have a program. They also need to read carefully all of the other elements and follow them. Do incentives play a role in your program? Are you evaluating how well your program (including all its parts) is working? Are you actively doing something (besides mouthing the right words) to prevent retaliation? Are you disciplining senior people for failing to take reasonable steps to prevent misconduct?

    Yes, auditing and monitoring is tough work. It can make people avoid you in the halls. But if compliance programs are to be effective, they require tough work.

    Keep making the point, Frank. We are not going to prevent business crime by paper and preaching. Tough work like auditing and monitoring is essential. No real auditing? No use of incentives? No bosses being held accountable? Then the word “fake” hits the nail right on the head.

  5. Great points!

    Some organizations are afraid of the compliance department being the “enforcer” or police of the organization.

    There are times when there is lackluster support at the higher end of Management. I call those the “check in the box” programs.

  6. I agree with you, “the compliance function should be active in looking for those instances where noncompliance exists so the causes can be identified and mitigating efforts done to align what needs to be brought back into compliance”… Without this aspect, a compliance program is as good as “fake”.

    Auditing & Monitoring helps the function to: detect any non-compliance incidents and resolve them in time, put in place mechanisms to mitigate future non-compliance especially for issues that cannot be resolved, know the status quo and plan for a way forward (Be in charge).

    This requires the support of the business functions and top management, in terms of responsiveness to close any gaps brought to their attention.

    Major challenges:

    1. Business managers indirectly delegating their supervision role to the compliance function, which is not sustainable. Whereas supervisors play a key role in mitigating most compliance risks since they are directly involved in business, they may wait for auditing and monitoring to be done by the compliance function. This issue may be addressed by education & training.
    2. In the presence of a separate internal audit function which also does auditing & monitoring of the same policies or regulatory requirements, it is perceived as duplication of work. Would like to know how others overcome this…

    “Auditing and monitoring also serves as a powerful “reinforcer” though it may be sometimes perceived primarily as a way to find when people are doing something wrong” – This is inevitable; to build a strong compliance culture, everybody needs to be on board, therefore people who often do things wrong, be it intentional or by error, have to be given feedback and necessary steps taken to bring them on board. This also depends on how reinforcement is done, whether it’s purely negative or positive or both. To get buy-in and people to openly come out on areas where they need the compliance function’s support to comply, I think it’s better to use both approaches. Negative reinforcement alone creates panic, fear and negative attitude; once in a while people need to be appreciated for what they are doing right as motivation to improve in the other areas.

    Thank you Frank for this topic.

  7. I agree that auditing and monitoring plays an important part in a Compliance Program but if the CO does not have the buy-in from senior officials, a budget for learning and help to discipline supervisors then the program is a waste of time.

  8. All great comments that emphasize the importance of identifying potential risks and auditing to assure that there are proper controls that are effective to mitigate those potential risks. Compliance officers should understand both auditing and monitoring, which are different functions. Partnering with operations through compliance committees is a great way to encourage real-time monitoring, expose the risk assessment to raise awareness, and receive reports (documentation) of monitoring activity in identified risk areas.

  9. First, understand the difference between auditing and monitoring. The former is generally a look-back review – say of the last quarter or year. Monitoring is real-time review. For the former, consider the “risk assessment” approach. Begin with a typical internal financial auditor protocol. Have each component do its own risk analysis. This would be a self-review of the pain points that came up and the CAPs used to correct them. Then rank these as high, medium or low risk. Put the review on a rolling 3 or 5 year plan (high risk every year, medium every two years, low three years). Adjust as new risks are identified, risks continue and risks are corrected and roll off.
    For the latter, do periodic monitoring like the widget makers – sample your processes in real-time to make certain they are working. Allow the components to do this too. This is not meant to supplant the audit. These are samplings – high level reviews.
    These are merely suggestions. The point is to start.
    Good luck
