The Difference Between a Compliance Gap Analysis and an Effectiveness Evaluation
Key Points:
- A gap analysis reports on missing or incomplete elements of a compliance program.
- An effectiveness evaluation reports on how well the compliance program functions.
The Department of Justice and the Department of Health and Human Services Office of Inspector General both call for third-party independent reviews of compliance programs to evidence their progress and continued improvement. However, when organizations seek third-party reviews of compliance programs, consultants respond with two distinctly different approaches: a gap analysis or an effectiveness evaluation. While both methods are similar, they have different goals, scopes, methodologies, and pricing. Reviewing proposals where vendors are offering two different approaches is like comparing apples to oranges. The major differences are in costs and benefits. A gap analysis, by definition, is a more limited checklist review, requiring less time, effort, or expertise. As a result, it provides less serviceable information and carries less credibility for regulatory authorities, but costs 30-40 percent less than a full compliance program effectiveness evaluation.
Compliance Gap Analysis. This analysis is a structured checklist review that measures how well an organization's current practices align with applicable laws, regulations, industry standards, or internal policies. It identifies missing or inadequately implemented elements or operations of a compliance program in relation to legal, regulatory, or policy standards or requirements. The goal of a gap analysis is to detect non-compliance and risk due to absent or insufficient practices and assist in building or strengthening the structure of the compliance program. Gap analyses focus on compliance program process outputs. For example, a gap analysis may involve comparing current privacy policies to HIPAA requirements; reviewing whether all required training or documentation exists; counting the number of parties sanction screened; and identifying missing internal controls or policies. This type of review can help organizations in the initial stages of development identify areas where the organization is not in compliance, or where improvements are needed to reduce legal, financial, or reputational risk. This methodology has limited value for established programs.
Compliance Effectiveness Evaluations. These reviews focus on whether the compliance program is functioning as intended to prevent, detect, and correct compliance issues. This is different from a gap analysis because the outcomes of the processes are evaluated, not the processes themselves. The objective of an effectiveness evaluation is to measure the impact and performance of compliance activities and to determine if the program is effective in promoting a culture of compliance and reducing risk. The review looks deeper into how the program is functioning and closely examines supporting documentation and interviews of executives, board members, and front-line staff on their understanding and support for the program. It includes such things as (a) how well employees understand policies, measured through surveys or interviews; (b) how well compliance processes are functioning; (c) the degree to which program managers identify and monitor risks affecting their areas of responsibility; (e) how identified compliance issues are resolved; and (f) the level of executive and board support and analysis of trends in hotline reporting or audit outcomes over time. This type of review is for organizations with established programs that desire improvement, enhancements, and independent evidence of program progress to date.
Gap Analysis versus Effectiveness Evaluation Examples
- Evaluates regularly performed initial stages of program development vs. the ongoing evaluation of results or outcome from the program operations.
- Focuses on process and outputs vs. on the results or outcome of the process.
- Identifies missing or inadequate components vs. determining how well existing components work.
- Measures how well requirements are being met vs. the results, outcomes, and behavioral impact from what has been implemented.
- Assesses the number of parties trained in compliance vs. how well the lessons are retained and applied to the work.
- Reports results as a list of gaps and action items vs. performance metrics and recommendations for improvement.
For more information on this topic contact [email protected].