The Cost of Non-Compliance and How to Avoid it | Instructional Design Lite

 

Picture this: someone on your team has gone the “extra mile” only to have those solid efforts backfire so far and so hard that now not just your team will suffer, but your company may miss earnings goals and lose gains made in the marketplace for at least a year.[1]

[1] Our Minnesota neighbor Target is all too aware of the negative impact a single event can cause. Target’s Red Card security issue was announced January 2014. The stock price immediately fell and did not return to normal until December. What opportunity costs did it suffer during 2014? Chief competitor Amazon made short-term gains in its stock price during Target’s year of recovery.

Today we’re going to discuss the enormous impact of non-compliance and how better training, policies and procedures – utilizing instructional design – can help prevent non-compliance in the first place.

Definition: Instructional Design is a framework for creating instructional and training experiences that are more appealing, efficient and effective.

 

The Costs of Non-Compliance

Such errors can cost millions of dollars in direct costs and incalculable other costs such as opportunity costs, tarnished personal and corporate reputation, and so on. Let’s call these direct and indirect costs Detritus, and the unproductive meetings, breakroom angst, and speculating by the company’s employees Churn.

Definition (Detritus): The direct and indirect business costs following an adverse event.
Definition (Churn): Unrecoverable time and energy expended by employees following an adverse event.

Detritus + Churn = Waste

At first glance, the Waste seems grossly disproportionate to the triggering event. But dig in and you see that between the event—for example, an employee forgets her work papers on the subway[2]—and the Waste, is the organization’s negligence or gross negligence (or worse).

[2] The Massachusetts General Hospital settlement in April 2011 included a $1 million fine and 3 years under a monitoring program with the federal government for HIPAA violations. MGH’s employee brought paperwork home with her, and then forgot it on the subway the following morning. One can only imagine what a superstar she thought she was being the night before, bringing work home with her. The paperwork included information concerning 192 HIV patients.

 

Standards vary by state but the difference between negligence, gross negligence, and willful disregard (which in some states is the same thing as gross negligence) could be seen as the degree to which indifference is systemic to the organization.

 

Culpability Spectrum

 

There probably are situations where the organization behaved reasonably and the fines seem disproportionate, nonetheless. Even so, it is not logical to throw up one’s hands and say “I might as well do nothing because the government is going to get me one way or the other.” The difference in financial penalty between exercising a very basic level of effort to prevent and correct compliance incidents and doing nothing is substantial.

Bottom line, the employee’s act is just a symptom; the organization has the disease.

 

Fortunately, a vaccination against Waste is available. It is not 100% guaranteed, and it is not easy, but it is fair to innocent bystanders to inoculate everyone.

Vaccination requires deploying effective training.

Effective training requires effective plans of action, i.e., effective job aids and policies[3] upon which to train.

[3] In the compliance world, policies, procedures, job aids, and work instructions are not the same thing. However, they all have a primary purpose: communicating the business’s expectation of behavior to the employee. What this post says about “policies” is equally valid for “procedures,” “job aids,” “work instructions,” “SOPs,” and similar documents. I use “policies” to mean all such materials.

There is an entire field of knowledge around how to make training efficient, effective, and engaging. If you are fortunate enough to have a background in instructional design, the rest of this post is NOT for you. If you are even more fortunate and work at a place where it is your role to inspire others to do good work, but a course in instructional design isn’t in budget this year, read on.

 

Where is the White Antelope?

Effective policies are like white antelope: people say that they exist, but few have ever seen one. While I am not an expert on what makes a perfect policy (or on Saharan herbivorous mammals), I know that a typical policy in the service and knowledge industries is not it.    

Photo of a white antelope taken during a snow storm, January 2018.  Actually, see here.

 

Policies in many service organizations are so stuffy, outdated, or generic that they are not useful. (Let’s call the style found in such policies Old School.) Old School policies may be in paper format or distributed via a web portal. Either way, they are also commonly difficult for employees with disabilities to consume.[4]

[4] If your audience includes people with, for example, color blindness or low vision, hearing loss, limited fine motor control, or cognitive impairments like distractibility or learning disabilities, your policies and training tools need to adapt. Fortunately, the changes will make your content clearer for everyone. See WebAIM for more info and guidelines to make your content perceivable, operable, understandable, and robust.

Ah, but you say ‘our lawyer wrote our Old School policies X years ago at great expense. Don’t touch them!’ It is a strange business indeed where neither the operating environment nor the risk the policies were designed to mitigate has changed. Furthermore, if employees aren’t able to provide input on improving (i.e., revising) the policies, can the team really take the policies seriously?

 

5 Advantages of Playbook Policies and Instructional Design

A playbook approach to policies surpasses an old school strategy in at least 5 ways.

 

1. Goal: Easy for users to access and understand.
   Old School Strategy: The length and complexity of interwoven policies, whether on paper or poorly executed digital, make them hard to consume.
   Playbook Strategy: Digital distribution allows for chunking into shorter, consumable bits, hyperlinking, and flowing changes through all related materials, with accessibility features. [5]

2. Goal: Empower employees to make good decisions.
   Old School Strategy: Policies are either too broad or too specific and do not deal well with variations or outlier events.
   Playbook Strategy: Use sample scenarios and explain the logic behind the desired decision.

3. Goal: Be ‘in sync’ with operations as the business and people change.
   Old School Strategy: Policies lag real life operations. Policies in multiple locations means there is no single source of truth.
   Playbook Strategy: Digital content with appropriate permissions and approval gating means the business can iterate policies to address changing needs and distribute in near real time.

4. Goal: Users comply with the documented expectations.
   Old School Strategy: Users responsible for executing the policies have little enthusiasm for or influence on the development and maturation of those policies, and thus, compliance with the policies may be lackluster. The organization doesn’t know if users comply until there is a large failure, or the organization monitors compliance with such general requirements that it can’t be sure users will know what to do in a true conflict.
   Playbook Strategy: Content is as engaging as it can be, using graphics, white space, and short, active direction when possible.
   Too few people make time to review policies to see if they are even being followed, before something goes wrong, or to determine if they are even relevant to the team anymore.

5. Goal: Sensitize employees to identify unusual patterns or variation, and then seek help.
   Old School Strategy: Use broad language lacking specifics such as “We comply with law.” Too grandiose to be meaningful.
   Playbook Strategy: Provides scenarios, or briefly explains why a step is required (or recommended), so the user can apply the same logic to events that don’t exactly fit the policy.

[5] Melinda Sewell, Sr. Compliance Manager at vRad, discovered well organized, interlinked policies by an FDA-regulated business, Tidepool.  See Tidepool Google Docs Sample

 

If these issues are endangering compliance at your organization, consider adopting a playbook content and distribution strategy.

 

What is a Playbook?

A playbook focuses on practical guidelines that should be considered in given scenarios and why. It is presented in a manner that is easy for users to consume (white space around text, graphics, screen shots), and thus does not adhere to a strict format. A playbook may involve many people and many decision points. This is both a strength and a weakness.[6]

[6] There should be a good reason for using a paper manual. At vRad, users are advised to print a paper version of the business continuity plan and have it available off-site in the event of a “smoking hole” scenario. However, there are no other paper-based policies. If your organization “needs” paper policies, ask “why?” Keep asking why at least 5 times to get to the root of the issue.

The playbook approach can help achieve 3 metrics of an effective policy that other SOPs simply don’t accommodate: flexibility, clarity in meaning, and visual clarity.

 

Effective Policy Goal #1: Flexibility

Old school policies undermine flexibility because they:

  • Provide limited do’s and don’ts
  • Do not acknowledge that unique situations may call for unique solutions.

In contrast, playbooks are rich in flexible options because they:

  • Provide factors that should be accounted for, and
  • Provide a pathway for the user to implement an alternative solution.

Playbook thinking means including alternatives for users, such as:

[from a Crisis Communications Plan and Playbook]

Manage the situation with these goals in mind:

  • Accelerate resolution of a crisis
  • Minimize negative profile or public image
  • Reduce business interruption
  • Not impact financial performance

 

Effective Policy Goal #2: Clarity in Meaning

Old school policies are vague, with overarching purpose or scope statements that add little value. For example:

This procedure ensures SuperCo complies with all laws and regulations governing the confidentiality of employee data. It applies to all SuperCo employees worldwide who have access to confidential data.

A playbook explains the benefit or purpose at each step. The net result isn’t necessarily fewer words, but users know the “why” behind what they are doing.

For example:

Steps 1-4 prevent unauthorized access to employee data.
User should perform step 5 or a similar test to verify that steps 1-4 were performed.

Or:

(A) Export monthly log for prior calendar month. Review for anomalies and store at location xyz.

This log is an audit trail showing which users accessed which files and when. Our Compliance Plan and the OIG require proactive review of audit trails for compliance with HIPAA and SOX.

(B) Store the file on server abc using naming convention RecordAYearMoDate.

This server has limited permissions as required by our SOX policy, # 123.
Contact Helpdesk if you wish to store elsewhere.

 

Effective Policy Goal #3: Visual Clarity

You can tell you have an old school policy if it:

  • Uses a lot of text without enough white space;
  • Provides few visual markers to indicate key concepts, roles, or decision points.

Playbooks embrace design fundamentals. Your policy is a playbook if it:

  • Uses sign posts consistently;
  • Adds screen shots when useful;
  • Leaves generous margins and adequate spacing between sections;
  • Conscientiously uses formatting, color and other design elements.

 

For example:

User A

  1. Action               
  2. Action

User B

  1. Action
  2. Action

 

What about Strict Procedures?

Some processes simply must be followed to the letter. Accounting transactions should be executed the same way every time, for the integrity of the financial records. Worker safety requires that heavy equipment be maintained and used according to certain parameters, all of the time. IT Security requires that all new laptops are set up and deployed a certain way, every time. Though there may not be a lot of choice allowed during certain processes, there are many choices one makes in how the material is presented that can affect whether the information will be put into practice.

Basics applicable to any policy, job aid or other tool:

  • Use bullets.[6]
  • Use action words.
  • Use parallel structure, with as few words as possible. Adjectives and adverbs are not necessary.
  • Add white space, roadmaps, and other graphic design fundamentals.
  • Provide the “why.”  Steps that are flexible should be broken when it makes sense to do so, and users should know when they have the freedom to decide. Steps that are nonnegotiable should also be identified as such.

[6] Pros and cons of bullets could be a whole ‘nother blog post. Oh wait, there are already such posts. See: http://fi.deluxe.com/community-blog/financial-marketing-insights/bullet-points-some-pros-and-cons/ and http://websitecopywritingservices.com/blog/bullet-point-secrets/ and https://www.copyblogger.com/writing-bullet-points/

 

Playbook Sites: This Electric Interwebs Thing Just Might Work

An electronic playbook is ideal because the user can search, click hyperlinks, and suggest annotations or updates that can be deployed with relative ease compared to paper manuals or overly-strict SOPs. Each playbook, and each site hosting several playbooks, is best owned by the department or team responsible for executing on it.

Playbook sites are frequently colorful, engaging, and even a bit whimsical. Two examples of SharePoint playbook sites at vRad are shown below.

One vRad team puts a heavy dose of “play” in its playbook site.

 

 

The Office of General Counsel playbook site similarly makes good use of the flexibility afforded by Microsoft’s SharePoint platform.

At vRad, we are gradually using more playbook-style guides and wikis. Complex processes include narrative augmented by diagrams. Below is an example from a cyber-incident response playbook.

 

 

We break down department-oriented playbooks into buckets that can be visually appreciated or taken in all at once. For example:  a privacy wiki is shown at left.

The content on a wiki page is similar to what one would find in a typical process, but provides a digest version for a quick reminder on how to do something.

 

 

The Impact of Avoiding Fines and Churn

Arming staff with easy-to-consume support documentation enables them to do their job quickly, confidently and correctly – whatever challenges arise.

And while we certainly can’t measure the number of non-compliance events a particular strategy will prevent, we can be certain that preventing even a single lapse in compliance – or simply reducing the severity of that lapse – will be worthwhile.

The delta between a fine for negligence and gross negligence is at least 2x, and the delta between negligence and fraud or willful disregard is easily 10x. It is 30x in the case of HIPAA violations. These figures may be a useful estimation of the difference in Detritus and Churn that accompanies each situation. The severity levels below indicate increasing indifference to the regulations and the steps necessary to ensure an entire organization is committed to “how we do things around here.”

 

Regulatory Issue: Customs violations, civil penalty; 19 USC sec. 1592
  Severity 1 (negligence): lesser of (a) domestic value of the merchandise; (b) 2x the duties, taxes, and fees on that merchandise; or (c) 20% x the dutiable value of the merchandise.
  Severity 2 (gross negligence): lesser of (a) domestic value of the merchandise; (b) 4x the duties, taxes, and fees on that merchandise; or (c) 40% x the dutiable value of the merchandise.
  Severity 3 (fraud): not to exceed domestic value of the merchandise
  Differential (compared to Level 3): Severity 1 = 0.20; Severity 2 = 0.40; Severity 3 = 1.00

Regulatory Issue: OSHA; 29 USC sec. 666
  Severity 1 (serious violation): $12,675 per violation
  Severity 2 (serious + failure to abate): $12,675 per day beyond abatement date
  Severity 3 (willful or repeated): $126,749 per violation
  Differential (compared to Level 1): Severity 1 = 1.00; Severity 2 = 2.00; Severity 3 = 10.00

Regulatory Issue: HIPAA; 42 U.S. Code § 1320d–5
  Severity 1 (negligence): $1,118-$55,910 per violation
  Severity 2 (willful neglect, but corrected within 30 days of either knowing, or by exercising reasonable diligence, would have known, that the violation occurred): $11,182-$55,910
  Severity 3 (willful neglect and not corrected within 30 days…): $55,910-$1,677,299
  Differential (compared to Level 1): Severity 1 = 1.00; Severity 2 = 1.00; Severity 3 = 30.00

[7] As of January 13, 2017.

[8] Assuming 2 days.

 

So, where is the white antelope?

I don’t know, but I have a good place we could look.

Karen Scott

 

About the Author

Karen is Deputy General Counsel and Head of Compliance – vRad. She has been helping vRad colleagues understand the “why” behind rules and policies for almost 14 years, so they can deliver a solution to vRad customers or internal stakeholders that makes everyone happy. She’s actively involved in millions of dollars of deals every year. When she’s not making the world a better place through telemedicine, she’s likely listening to a podcast about biohacking or physics, working out, or making dinner for her husband and kids, ages 3 to college.
