Being prepared to handle situations of non-compliance is as important as putting in place controls to prevent non-compliance. For many legal and other requirements, actually preventing non-compliance is unrealistic and unwise expectation. Instead the effective compliance professional should implement strategies to minimize, not necessarily prevent non-compliance and also to prepare for non-compliance. When you find that someone has violated the required standard. And I say when and not if, again, to be more realistic about this topic. Having the steps laid out and understood in advance is extremely helpful. Let's talk about some of those steps. For starters, any incident should have an incident manager identified at the outset. This sounds pretty easy, but it may not be. If an environmental regulation has been violated in a particular location, you can argue that the leadership of that location is the point person. Or that the person in a central corporate office charged with complaints regarding this regulation is the point person. Or the compliance officer is in charge, or council, or government relations, or public relations, or an outside crisis management firm, and so on. The truth is that all of those people likely play important roles in responding. However, things may become confusing and uncoordinated if too many people are directing. Instead, there should be an understanding, ideally among these people of who's in charge to direct day-to-day activities and to manage communications among the stakeholders. Once the incident manager is identified, that manager will then define and oversee the deployment of an action plan. Often, one can and should follow a predefined playbook of how to respond to an incident. Many playbooks are out there in industry literature, and one can use what is existing as a starting point. One step-by-step approach in a somewhat generalized format is the following. >> First, identify any immediate urgent and/or safety needs. If the non-compliance in question is putting lives at risk, or safety is affected in any way, the first order of business must be to address that urgent problem. Identifying any such emergency situation must be part of the process, and mitigating that emergency is paramount. >> With such urgency handled, the next step is to scope out the incident. Determine what has occurred using interviews, system analysis, report reviews and any other information at your disposal. >> From there, one can then contain the incident, consulting people knowledgeable about the people, the process, the technology to ensure that there's no further spread of the problem and try to narrow the current impact. >> Next, one should assess the impact of what has occurred, as well as next required, or desired steps. This is where you are after you've taken care of emergencies, scoping the problem out and containing it. This is where you can take a few deep breaths and start your next round. What did this problem effect? Have operations been disrupted? Our systems offline are not functioning as intended. Are employees responding to the problem inappropriately? Is the public starting to know and react to the problem? The list of possibilities is endless and cannot be made exhausted or even close. But there must be a point in incident response where people calmly, and very thoroughly determine the range of possible negative effects of the incident and identify strategies to address them. >> And then there are other aspects of incident response including having a senior response team, reporting, communications, enforcing discipline and of course, lessons learned Those are covered in the next videos.
