Evaluating Compliance Programs: Gap Analysis or Effectiveness Evaluation?

Key Points:

• Having a Compliance Program does not mean it is effective.
• A Gap Analysis tells you what is missing.
• An Effectiveness Evaluations tell you what is succeeding or failing.
• One focuses on outputs; the other focuses on outcomes.
• Both are best conducted in the first quarter of the year.

The difference between a Gap Analysis and an Effectiveness Evaluation of a compliance program is that the former assesses the existence and adequacy of required compliance elements, while the latter evaluates whether the compliance program is functioning in a manner that mitigates the risk of wrongful actions. Regulators such as the Department of Health and Human Services (HHS) Office of Inspector General (OIG) and the Department of Justice find both types of reviews beneficial. A Gap Analysis focuses on document examination (charters, Code of Conduct, policies, etc.), program structure, training, compliance communication channels, oversight, and monitoring processes. Essentially, it examines whether required compliance elements are in place, complete or missing, and current or outdated. The results of a Gap Analysis will identify missing or outdated policies, inconsistent disciplinary standards, weak training programs, poor awareness of hotline reporting, inadequate monitoring and auditing, insufficient leadership oversight, and weak responses to violations.

On the other hand, Compliance Effectiveness Evaluations include what would be a Gap Analysis but further examine whether the compliance program is functioning in a way that reduces exposure to wrongdoing by measuring process, performance, behavior, outcomes, and culture. The focus is on whether (a) employees understand compliance; (b) policies are understood and followed; (c) the board and leadership actively demonstrate support for compliance; (d) compliance processes operate as intended; (e) reports of suspected wrongdoing are investigated properly; (f) discipline is applied consistently; and (g) weaknesses and problems are detected and resolved early. An Effectiveness Evaluation seeks to determine whether training changes behavior, reporting systems are trusted and used, compliance activities actually reduce risk, and leadership promotes and sustains a culture of compliance.

Concluding Comments. The OIG makes it clear that having a compliance program “on paper” is not enough. The program must be operational and effective. From their perspective, conducting a Gap Analysis early makes sense; however, once established, the compliance program should be independently evaluated for effectiveness. Therefore, if a compliance program is new, informal, or recently restructured, it is best to start with a Gap Analysis to confirm that all required compliance elements exist before evaluating whether they work. A program that does not fully exist cannot be assessed for effectiveness. An Effectiveness Evaluation is most valuable for organizations with fully functioning compliance programs, as it goes beyond checking the box to focus on the results of the program. For either approach, conducting the review in the first quarter of the year allows findings and corrective actions to be incorporated into the annual compliance workplan.

For more information on this topic, such as differences in time, effort, and cost between the two types of reviews, email [email protected].

About the Author

Richard P. Kusserow established Strategic Management Services, LLC, after retiring from being the DHHS Inspector General, and has assisted over 3,000 health care organizations and entities in developing, implementing and assessing compliance programs.