Common Sense Record Compliance
Litigation and regulatory investigations aren’t “black swan” events. They’re a cost of doing business. How much it costs the business is impacted by how well a business can explain itself. Assuming the same underlying set of facts, a business that can promptly and clearly explain what it did, and why it did it, is more likely to survive the trauma relatively unscathed. Sustainable and pragmatic compliance programs contemplate and plan how to respond to litigation and regulatory crises. It’s not enough to do the right thing. A business should be prepared to irrefutably document:
- What it did. The behavior or product feature that is the focus of the dispute. For example, develop or revise policy or process. Create or change a design. Add or change vendors. Add or remove critical characteristics. Engage or disengage employees, consultants, etc.;
- How it did it. This refers to the procedures or steps followed to make the change. For instance, investigation, benchmarking, lobbying, testing, validation, approval, etc.
- Why it did it. This is the rationale or basis for the change. For instance, we: (1) reduced this tolerance to improve assemble-ability; (b) consolidated these three suppliers to a single source to improve reliability and accountability, reduce cost, and increase our margin, (c) acquired competitor X to increase market share, and (d) tested for Y to comply with customer requirement X or regulation Y.
The best way to be prepared to demonstrate WHAT, HOW, and WHY is by having an integrated framework of processes that address the creation, distribution, retention, and subsequent use of documents and records. Examples of processes that can be included in the integrated framework include: (1) issue escalation; (2) record retention; (3) litigation hold; (4) e-discovery; (5) engineering change orders; (6) payment authorization; (7) contract approval; (8) language and symbol usage guides; (9) requirements engineering; (10) roles and responsibilities – RASIC; (11) crisis communications; (12) confidentiality & privilege; (13) structured problem solving; and (14) Sarbanes-Oxley contingent liability reporting.
Make no mistake, organizing and implementing an integrated framework of processes is no small undertaking, and it is not a one-time purchase. But many companies already have many such activities covered by policy or process, just not in an integrated manner. Periodic employee training and process audit are necessary to remain relevant.
In conclusion, regulators and juries don’t expect perfection. They get that a business can’t monitor employees 24/7 or realistically enforce compliance with every process 100% of the time. In short, regulators and juries understand that companies are made up of people and that to err is human. Having said that, in the event of a compliance failure, large or small, you should be able to prove that your compliance program is rigorous, state-of-the-art, and effective. You will need to demonstrate that you offer periodic training and guidance regarding the prevention, detection, and discipline of compliance problems. Your team should be able to point to the business rationale behind your compliance program decisions. My hope is that this post and the embedded slides will help you get a little closer to the ideal.
If you have any comments or questions about how these concepts might benefit your business, please contact the author at email@example.com or +1 (415) 324-8818.