Has your company ever gone through a serious problem or crisis? Even if you have, you likely want to learn more about the best way to handle it. And, if you have not yet dealt with such wrenching times, you should prepare now.
If you’ve experienced the pain of a compliance failure, you are surely motivated to ensure similar mishaps don’t happen again. Any in-house counsel worth their salary knows that learning from the mistakes of others is free tuition in the school of life.
Knowing the pitfalls is the easy part. Getting people to pay sufficient attention to potential problems before they arise is much harder. Or, as I’ve said elsewhere, “We do not lack for knowledge of what to do, we lack the will to do it.” (On Good Examples - Moral Letters for Modern Times.) I’ll help you find the will to act by making your task easier.
While serious problems in companies can arise without warning as a result of single acts, such instances are thankfully rare. We don’t need to spend much time on them because truly one-off failures are difficult to anticipate and so challenging to maneuver around in advance.
Most significant problems are the result of multiple issues
In my experience, most significant problems are born of multiple causes in the sense that they result from several, cascading failures. Often one or more of these failures sets off warning signals to vigilant watchers. The first lesson: Be aware of any signs of crisis considered averted. When one of your monitoring systems nips an issue in the bud, be thankful. But look carefully at what allowed the risk to arise at all. Something is not right.
Small problems by definition don’t cause significant harm. It’s tempting therefore to ignore them to focus on bigger issues. But small problems have a way of growing when you’re not looking. A mantra I repeated often with my team was: “Don’t let small problems become big problems.” So study your small problems and understand root causes wherever possible.
In diagnosing your non-catastrophic failures, consider what standards of behavior you expect of your colleagues. Do you expect employees to first remember all relevant rules and then to understand and follow them correctly at all times? If so, you may be new to the job. (Or you may have better colleagues than I did; I liked mine a lot despite their failings.)
So, we need to assume that people are imperfect. They will be distracted, make mistakes, and sometimes try to subvert our systems. Although people are wonderful as individuals, in groups they are predictably and depressingly unreliable. Some people, perhaps most people, will not follow all the rules all of the time. People make exceptions for themselves and happily refuse to follow rules they don’t agree with.
The Swiss cheese strategy
If we expect mistakes and noncompliance from the start, we can design our systems to anticipate them. For one, we pay more attention to incentives. Can we design incentives to directly encourage the behavior we want and discourage otherwise expected but unwanted behavior? Further, we usually seek to build in redundant protections, assuming that one or even several layers of defense may be insufficient. And in redundancy lies the Swiss cheese strategy.
Simply put, consider each of your defenses as a slice of Swiss cheese* in the sense that it has holes in it. Each slice of your compliance system will stop some problems, but not all. So you layer on another slice of cheese, aligned slightly differently, which stops many of the issues that made it through the first line of defense. But again, perhaps not all. So you add a third slice of cheese.
Take your contracting process as an example of the strategy in operation:
- You will have carefully prepared standard terms and conditions, and maybe some standard agreements, the first line of defense. But you won’t be able to use your agreement in every transaction.
- So then you prepare a contracting guideline as a second layer. Your guideline sets out in simple and clear terms the must-haves and nice-to-haves in every deal. But your team won’t negotiate every point successfully, and will make exceptions.
- As a third line of defense, you may require nonstandard terms to be approved by successive layers of management. The approval requirement serves two purposes: It means teams try harder to get compliant terms to avoid having to ask for approval and it gives management a chance to influence the deal.
The beauty of this system is that each of the individual defenses may be simple and inexpensive. After all, they don’t need to be perfect. Just add another simple and inexpensive layer. Simple systems are easier to explain and implement, meaning you get less resistance.
The Swiss cheese approach of layering redundant and backup systems greatly reduces the chances that one or a series of small problems will grow into something catastrophic. And here you thought the Swiss just melted their cheese.
* My Swiss friends are yelling at the screen now saying, “There are literally hundreds of types of Swiss cheese! What do you mean ‘Swiss cheese’?” To an American’s eyes, not to mention taste, Swiss cheese usually means something resembling Emmental, with large yellow slices containing eyes or holes.
Disclaimer: The information in any resource in this website should not be construed as legal advice or as a legal opinion on specific facts, and should not be considered representing the views of its authors, its sponsors, and/or ACC. These resources are not intended as a definitive statement on the subject addressed. Rather, they are intended to serve as a tool providing practical guidance and references for the busy in-house practitioner and other readers.