“He did WHAT?  Are you kidding me?  How did this happen?  How can we stop it from ever happening again?  Change the policy immediately.  Shut down access to the system.  Suspend everyone on the team right now!  This is a disaster.” 

In Compliance, our job is to put controls and processes in place that reduce the likelihood of misconduct, then investigate when things go wrong, then change the systems and controls when we find that one is lacking.  However, when something goes wrong, too often we stampede to respond with ill-thought-through plans, panicking instead of looking critically at what went wrong in an individual case.  It can be difficult to stop to consider whether the situation was caused by a rogue employee or whether there truly was a deficiency that needs to be addressed.  

Why we overreact

According to behavioral economist Andy Reed, overreaction is a natural human instinct.  Reed states that humans are instinctively risk-averse and frequently are overly influenced by what has just happened instead of looking at long-term patterns.  We may fear that a compliance failure looks like we haven’t been doing our job properly, so overreaction can be a defense mechanism to protect ourselves.  Likewise, when a major failure occurs, we may be so overwhelmed that we fail to step back to see the longer-term patterns.

People who go into compliance tend to like fixing things.  However, in an effort to fix the problem, many times we take a sledgehammer to a problem that could be addressed with a fly swatter.  Overreaction has consequences, especially…

Attracting the ire of the business

If the compliance department overreacts to a situation with dramatic new controls that don’t substantially reduce risk, the business will quickly tire.  New controls may simply be ignored, or the next time you need to implement real change, you will face resistance. It’s hard to find the balance between raising substantial concerns and ensuring that your program remains pragmatic and pro-business.

What to do

When a novel problem arises, step back and look critically at the cause.  If a policy was flagrantly violated, was it one individual’s intentional disregard?  Or was it a lack of comprehension?  Was the training on the topic insufficient?  Or was a need for a new control highlighted by the unethical actions?  Use your analysis to guide your response before you react.

Consider the various ways you could respond to the problem.  Write each solution down, and evaluate the amount of risk reduction that would occur from each reaction compared with the nuisance and challenges it would create for the business.  This evaluation will help you to decide whether the solution is worse than the problem.

Edward Whymper, the first man to climb the Matterhorn said, “Do nothing in haste; look well to each step, and from the beginning think what may be the end.”  Good advice from a man who knew something about avoiding overcorrection.