Editor’s Note: The following article was originally published on the web site of Compliance Architects (www.compliancearchitects.com). Permission to republish has been granted by the author.
Step 1: Create a three-month, strict timeframe for an enforcement risk reduction project. Why three months? For one thing, it’s a manageable timeframe—it is short enough to be real. Also, three months puts pressure—and focus (which is what you want)—on your team to deliver.
Step 2: Prepare to get things done. If you’ve got a staff of 20 people that are already overworked, you can’t just add more work to their plate. You have to eliminate low-value work items to free staff up for a big project push. There’s no magic here—even the best people need to go home and relax after a hard day’s work—and therefore, to focus on enforcement risk reduction, you will likely have to eliminate some other activities for the three month period. Get your staff together for one-hour and go through and ask them what activities should be put on hold for three months so that you can achieve focus. In all likelihood, you’ll get an earful from them.
Step 3: Turn your staff into a project-based team. There is a big difference in how people work on routine, base-business business responsibilities, as distinguished from tight, project-focused, project-managed activities. I personally believe that humans are “hard-wired” for project type work: cross the river; hunt the animal; build the shelter; plant the crops. By turning your workforce from a “staff” into a focused “project team” you immediately convert passive content consumers into active content producers.
Make sure you appoint a project lead (project manager) and break down the project sufficiently to make it manageable. Make sure the project lead is a “can-do” type of individual that will not only get things done, but will make sure that the other people with task responsibilities get their things done!
Step 4: Conduct a hyper-critical assessment (deep dive) of your operation. The objective here is to not provide a report for management to beat anyone up with. The objective here is to quickly, and without attribution of fault, figure out where there is risk in your operation. I would suggest that no names be included with the report, and perhaps, the report should not even be published or circulated. The report should only be used as the basis for an aggressive project remediation plan.
Step 5: Review/Analyze/Triage. Get together with your quality and compliance team in a conference room with multiple stacks of Post-It Notes, flipcharts and markers. Take each of the findings / risk areas from Step 4 and for each finding, identify the level of risk exposure from the finding (high, medium, low) and what specific actions and resulting deliverables can be taken to reduce or mitigate the risk within a finite 90 day window. It is essential that you focus on activities that can be completed within the 90-day window. Capture everything, but if it’s a longer-term remediation project, analyze it separately, after the fact.
After you prioritize the risk exposure, re-prioritize within each classification of risk exposure to get a prioritized list of activities that needs completion within the 90 day window.
Step 6: Plan. Project management should be a core skill of any quality, regulatory or operations professional but unfortunately, it often isn’t. A checklist or to-do list is not a plan—plans are documents that provide a roadmap—with details, resources, explanations, etc., of how you are going to get from Point A (in this case a list of things that need completing) to Point B (a list of things that are completed).
The project leader you appoint (with overall responsibility for project timing and commitments) should develop a fully-resourced project plan with realistic completion deadlines, identified predecessor tasks, and containing the prioritized list of items you identified as necessary to drive down enforcement risk. Ensure supporting documents exist to help project members understand the project purpose, governance, support structure, etc.
Step 7: Execute. No matter how well you plan, if you don’t execute, everything up to this point has been for nothing. Good execution is hard—people need to focus on completing activities within pre-defined timeframes. If they run into problems, make sure they ask for help. I once worked for a company that told me that one of the few things that would simply be considered unacceptable was failing to ask for help if I needed it.
Track progress closely; meet regularly and update status; update project plans (and GANTT charts if you have them); identify task delays that disrupt the critical path; communicate regularly and consistently. By ensuring you execute strictly to plan, you will walk away in 90 days with a huge level of progress, and will have reduced substantial risk.
Enforcement risk reduction is hard work. Systems need to be remediated; documents rewritten; training conducted; procedures redeveloped; stories developed; gaps plugged. All this work is generally above and beyond the role of base business personnel. By providing focus, project-based approaches, and good project execution discipline, however, your organization can begin to reduce enforcement risk without a great deal of expenditure.
About the Author
Jack Garvey is the founder and Principal of Compliance Architects LLC. He has extensive, hands-on leadership experience at top-performing FDA-regulated companies, and has developed a portfolio of operating approaches and methods that create sustainable compliance outcomes for small, medium and large companies. Jack received his Bachelor of Science in chemical engineering from Clarkson University and his Juris Doctor from Pace University School of Law, and is admitted to practice law in the states of New York and New Jersey.