University of Southern California Dissertations and Theses

Closing the compliance gap: an evaluation of influences impacting appropriate compliance risk response among pharmaceutical company managers

(USC Thesis Other)

Closing the compliance gap: an evaluation of influences impacting appropriate compliance risk response among pharmaceutical company managers

PDF

Download

Open document

Flip pages

Download a page range

Download transcript

Copy asset link

Request this asset

Transcript (if available)

Content Running head: CLOSING THE COMPLIANCE GAP 1

CLOSING THE COMPLIANCE GAP:
AN EVALUATION OF INFLUENCES IMPACTING APPROPRIATE COMPLIANCE
RISK RESPONSE AMONG PHARMACEUTICAL COMPANY MANAGERS

by

Amanda Kizer

A Dissertation Proposal Presented to the
FACULTY OF THE USC ROSSIER SCHOOL OF EDUCATION
UNIVERSITY OF SOUTHERN CALIFORNIA
In Partial Fulfillment of the
Requirements for the Degree
DOCTOR OF EDUCATION

December 2017

Copyright 2017 Amanda Kizer
CLOSING THE COMPLIANCE GAP

2
2
Acknowledgements
Thank you to my Dissertation Chair, Dr. Anthony Maddox, for providing a very long leash. Your
“Flexi Lead” approach to advising ensured the final product reflected my process.
Thank you to committee members Dr. Kenneth Yates and Dr. Holly Ferguson. I could not have
asked for a more supportive committee. Your direction and advice has significantly impacted my
personal growth as a researcher-practitioner.
I was fortunate to have the support of several talented and generous writing professionals. Thank
you Dr. Amy Eisenfeld and Toddy Sewell for your enthusiasm in providing feedback. I was also
fortunate to have learned from two knowledgeable methodologists. Thank you Dr. Esther Kim
and Dr. Frances Martinez Kellar for your support and thoughtful feedback.
Without the support of my USC Cohort peers, this endeavor would not have been possible.
An extra special shout-out goes to team TCB, peers whom I owe much of my academic success.
Shea-Allison Thompson, Herb Payan, and (the late) Michelle Lanz – together for years of
Saturday mornings and endless revisions. Michelle is crossing the finish line with all of us.
I have been lucky to have many strong, women mentors in my life who may not realize the
positive impact they’ve had on me. Thank you to Cindy, Mary, Shelly, Kathie, and many others.
You all believed in me, listened to me, trusted me to learn from my mistakes, and led me down
this path. You all inspire me to be the best version of me possible.
Thank you to my family and friends for your patience over the last few years.

Finally, thank you to my sister and best friend, Holly. You are my rock. Thank you for your
unconditional support. I only wish you had mastered statistics before I collected data.

CLOSING THE COMPLIANCE GAP

3
3
TABLE OF CONTENTS

Table of Contents ............................................................................................................................ 3
List of Tables .................................................................................................................................. 8
List of Figures ................................................................................................................................. 9
Abstract ......................................................................................................................................... 10

Chapter 1: Introduction ................................................................................................................. 11
Introduction to the Problem of Practice .................................................................................... 11
Organizational Context and Mission ........................................................................................ 12
Organizational Goal .................................................................................................................. 13
Related Literature...................................................................................................................... 14
Importance of the Evaluation .................................................................................................... 15
Description of Stakeholder Groups ........................................................................................... 16
Stakeholders Groups’ Performance Goals ................................................................................ 17
Stakeholder Group for the Study .............................................................................................. 17
Purpose of the Project and Questions ....................................................................................... 18
Definitions................................................................................................................................. 19
Organization of the Report........................................................................................................ 19

Chapter 2: Review of the Literature .............................................................................................. 22
General Compliance Program Elements and Program Effectiveness ....................................... 22
Compliance Programs ........................................................................................................... 22
Documentation .................................................................................................................. 22
Resource allocation ........................................................................................................... 23
Training and communication ............................................................................................ 23
Discipline and incentives .................................................................................................. 23
Monitoring and auditing ................................................................................................... 24
Competent program management ..................................................................................... 24
Clark and Estes’ (2008) Organizational Problem-Solving Framework .................................... 27
Stakeholder Knowledge, Motivation, and Organizational Influences ...................................... 28
Knowledge influences ....................................................................................................... 28
Motivation ............................................................................................................................. 32
Expectancy-value theory ................................................................................................... 33
Task value and managers .................................................................................................. 33
Self-efficacy theory ........................................................................................................... 34
Self-efficacy and managers ............................................................................................... 35
CLOSING THE COMPLIANCE GAP

4
4
Organizational Influences ....................................................................................................35
Cultural Models and Cultural Settings .................................................................................. 36
Cultural setting: modeling................................................................................................. 37
Modeling and managers .................................................................................................... 37
Cultural setting: workload................................................................................................. 38
Workload and managers ................................................................................................... 38
Cultural setting: documentation ........................................................................................ 39
Documentation and managers ........................................................................................... 39
Conceptual Framework ............................................................................................................. 40
Summary ................................................................................................................................... 42

Chapter 3: Methodology .............................................................................................................. 43
Participating Stakeholders ........................................................................................................ 43
Survey Sampling Criterion and Rationale: Managers .......................................................... 44
Criterion 1 ......................................................................................................................... 44
Criterion 2 ......................................................................................................................... 44
Criterion 3 ......................................................................................................................... 44
Survey Sampling (Recruitment) Strategy and Rationale ...................................................... 44
Data Collection and Instrumentation ........................................................................................ 44
Surveys .................................................................................................................................. 46
Documents and Artifacts....................................................................................................... 47
Data Analysis ............................................................................................................................ 47
Surveys .................................................................................................................................. 47
Documents and Artifacts....................................................................................................... 48
Validity, Reliability, Credibility, and Trustworthiness ............................................................. 48
Ethics......................................................................................................................................... 51
Generalizability and External Transferability ........................................................................... 52
Limitations and Delimitations ................................................................................................... 53
Limitations ............................................................................................................................ 53
Delimitations ......................................................................................................................... 53
Summary ................................................................................................................................... 54

Chapter 4: Results and Findings ................................................................................................... 55
Participating Stakeholders ........................................................................................................ 55
Survey Results (Quantitative) ................................................................................................... 59
Knowledge Findings ............................................................................................................. 59
Information technology security (ITS) knowledge findings ............................................. 60
Environmental, health, and safety (EHS) knowledge findings ......................................... 62
CLOSING THE COMPLIANCE GAP

5
5
Motivation Findings .............................................................................................................64
Information technology security (ITS) motivation findings ............................................. 65
Environmental, health, and safety (EHS) motivation findings ......................................... 66
Organizational Findings ........................................................................................................ 68
Information technology security (ITS) organizational findings ....................................... 68
Environmental health and safety (EHS) organizational findings ..................................... 70
Documents and Artifacts Results (Qualitative) ........................................................................ 71
Documentation ...................................................................................................................... 72
Availability and accuracy ................................................................................................. 72
Relevancy .......................................................................................................................... 74
Resource Allocation .............................................................................................................. 75
Financial resource allocation ............................................................................................ 76
Human capital resource allocation and compliance program management ...................... 76
Training and Communication ............................................................................................... 77
New employee training ..................................................................................................... 78
Ongoing training ............................................................................................................... 79
Communication ................................................................................................................. 80
Discipline and Incentives ...................................................................................................... 81
Monitoring and Auditing ...................................................................................................... 81
Summary of Validated Needs ................................................................................................... 83

Chapter 5: Recommendations ....................................................................................................... 86
Recommendations for Practice to Address KMO Influences ................................................... 86
Knowledge Recommendations ............................................................................................. 86
Introduction ....................................................................................................................... 86
Declarative knowledge solutions ...................................................................................... 89
Procedural knowledge solutions ....................................................................................... 90
Metacognitive knowledge solutions ................................................................................. 91
Motivation Recommendations .............................................................................................. 93
Introduction ....................................................................................................................... 93
Expectancy-value solutions .............................................................................................. 95
Self-efficacy solutions ...................................................................................................... 96
Organizational Recommendations ........................................................................................ 98
Introduction ....................................................................................................................... 98
Role model solutions......................................................................................................... 99
Workload solutions ......................................................................................................... 100
Documentation solutions ................................................................................................ 101
Integrated Implementation and Evaluation Plan ..................................................................... 102
CLOSING THE COMPLIANCE GAP

6
6
Implementation and Evaluation Plan Framework..............................................................102
Organizational Purpose, Need, and Expectations ............................................................... 104
Level 4: Results and Leading Indicators ............................................................................. 105
Level 3: Behavior ................................................................................................................ 106
Critical behaviors ............................................................................................................ 106
Required drivers .............................................................................................................. 107
Organizational support .................................................................................................... 109
Level 2: Learning ................................................................................................................ 109
Learning goals ................................................................................................................. 109
Improvement Program .................................................................................................... 110
Documentation ......................................................................................................................... 110
Resource allocation ................................................................................................................... 110
Training and communication .................................................................................................... 110
Discipline and incentives ........................................................................................................... 112
Monitoring and auditing ........................................................................................................... 112
Competent program management ........................................................................................... 113
Components of learning .................................................................................................. 113
Level 1: Reaction ................................................................................................................ 116
Evaluation Tools ................................................................................................................. 116
Immediately following the program implementation ..................................................... 116
Delayed for a period after the program implementation ................................................. 118
Data Analysis and Reporting .............................................................................................. 120
Summary ................................................................................................................................. 122
Strengths and Weaknesses of Approach ................................................................................. 122
Limitations .............................................................................................................................. 123
Future Research ...................................................................................................................... 124
Conclusion .............................................................................................................................. 125

References ................................................................................................................................... 127
Appendix A Assessment Tools to Evaluate Assumed KMO Influences .................................... 144
Appendix B Survey Instrument .................................................................................................. 145
Appendix C Survey Items, Measurement Scales, and Influencer Details .................................. 150
Appendix D Survey Information Sheet....................................................................................... 153
Appendix E Survey Analysis and Presentation Plan .................................................................. 155
Appendix F Qualitative Codes .................................................................................................... 158
Appendix G Survey Data ............................................................................................................ 159
Appendix H Example EHS Asynchronous Knowledge Assessment .......................................... 160
Appendix I Example ITS Asynchronous Knowledge Assessment ............................................. 161
CLOSING THE COMPLIANCE GAP

7
7
Appendix J Lunch and Learn Facilitator Observations .............................................................162
Appendix K Post “Lunch and Learn” Participant Survey .......................................................... 164
Appendix L Periodic Survey ....................................................................................................... 166
Appendix M Blended Evaluation Tool and Quarterly Reporting Dashboard............................. 170

CLOSING THE COMPLIANCE GAP

8
8
List of Tables
Table 1 Organizational Mission, Global Goal, and Stakeholder Performance Goals .................. 17
Table 2 General Compliance Program Factors ............................................................................. 27
Table 3 Summary of Assumed Knowledge Influences................................................................. 32
Table 4 Summary of Assumed Motivation Influences ................................................................. 35
Table 5 Summary of Assumed Organizational Influences ........................................................... 40
Table 6 Data Collection Timeline ................................................................................................. 46
Table 7 Survey Recruitment Communications ............................................................................. 57
Table 8 ITS Knowledge Influence Validation Status ................................................................... 62
Table 9 EHS Knowledge Influence Validation Status .................................................................. 64
Table 10 ITS Motivation Influence Validation Status .................................................................. 66
Table 11 EHS Motivation Influence Validation Status ................................................................ 68
Table 12 ITS Organizational Influence Validation Status ............................................................ 70
Table 13 EHS Organizational Influence Validation Status .......................................................... 71
Table 14 Summary of Validated KMO Needs .............................................................................. 85
Table 15 Summary of Knowledge Influences and Recommendations ......................................... 88
Table 16 Summary of Motivation Influences and Recommendations .......................................... 94
Table 17 Summary of Organization Influences and Recommendations ...................................... 99
Table 18 Four Levels of the New World Kirkpatrick Model ..................................................... 103
Table 19 External and Internal Outcomes, Metrics, and Methods for Evaluation ..................... 106
Table 20 Critical Behaviors, Metrics, Methods, and Timing for Managers ............................... 107
Table 21 Required Drivers to Support Managers Critical Behaviors ......................................... 108
Table 22 Components of Learning for the Program ................................................................... 115
Table 23 Components to Measure Reactions to the Program ..................................................... 116
Table 24 Immediate Risk Response Improvement Program Evaluation Tools and Measures ... 118
Table 25 Delayed Risk Response Improvement Program Evaluation Tools and Measures....... 120

CLOSING THE COMPLIANCE GAP

9
9
List of Figures
Figure 1. Organization of this project and report .......................................................................... 20
Figure 2. Conceptual framework .................................................................................................. 42
Figure 3. Convergent parallel mixed methods design. ................................................................. 45
Figure 4. Survey responses by SpinCo department. ..................................................................... 58
Figure 5. Survey responses by duration of SpinCo employment.................................................. 59
Figure 6. ITS knowledge influence survey responses. ................................................................. 61
Figure 7. EHS knowledge influence survey responses. ................................................................ 63
Figure 8. ITS motivation influence survey responses ................................................................... 65
Figure 9. EHS motivation influence survey responses ................................................................. 67
Figure 10. ITS organizational influence survey responses ........................................................... 69
Figure 11. EHS organizational influence survey responses .......................................................... 70
Figure 12. The New World Kirkpatrick Model .......................................................................... 104

CLOSING THE COMPLIANCE GAP

10
10
Abstract
Pharmaceutical companies must have comprehensive compliance programs to support the
product development pipeline. The purpose of this study was to use Clark and Estes’ (2008) gap
analysis framework to evaluate the knowledge, motivation, and organizational (KMO) influences
among pharmaceutical company managers that impact their appropriate response to compliance
risks in two organizational compliance programs: information technology security (ITS) and
environmental, health, and safety (EHS). Assumed KMO influences, supported by the literature,
were investigated through convergent parallel mixed methods design, including quantitative
survey data collection and qualitative examination of existing data within the study setting.
Assumed KMO influences were validated through descriptive statistical analysis and qualitative
analysis. In addition to manager needs, this study explored how to revise current organization
practices to facilitate appropriate manager response to ITS and EHS compliance risks. A
comprehensive program to improve ITS and EHS compliance risk response is presented along
with an evaluation plan to monitor effective application of recommended interventions, based on
the New World Kirkpatrick Model (Kirkpatrick & Kirkpatrick, 2016). The resulting
recommendations in Chapter 5 are designed to increase critical compliance behaviors among
managers and facilitate desired organizational compliance outcomes.

CLOSING THE COMPLIANCE GAP

11
11
CHAPTER 1: INTRODUCTION
Introduction to the Problem of Practice
Organizations spend millions of dollars annually to develop and maintain effective
organizational compliance programs. Compliance is conformity with standards, policies, best
practices, regulations, and laws set forth by regulatory agencies (Compliance, n.d.).
Organizational compliance programs typically leverage leadership, risk assessment, standards,
controls, training, communication, and oversight to establish and maintain compliance with
regulatory agency standards (Baker & McKenzie, 2011; Baker & McKenzie, 2012;
Compliance360, 2010; Fox, 2013; U.S. Sentencing Commission, 2010). While an average
pharmaceutical organization spends more than $12.8 million annually on compliance resources;
the cost of noncompliance is nearly three times higher (Ponemon Institute, 2011).
Noncompliance significantly impacts an organization’s market competitiveness through
business disruption, productivity loss, revenue loss, fines, and penalties (Ponemon Institute,
2011). Organizations that develop and commercialize pharmaceuticals can experience specific
noncompliance consequences such as lower stock prices, site closures, product recalls, reputation
damage, and legal consequences for executive management (Erickson, 2012; Gallagher v. Abbott
Laboratories, 2001; Keller and Heckman, (n.d.); Thompson Reuters, 2014). Small
pharmaceutical organizations incur per capita noncompliance costs at a rate ten-times higher than
larger organizations due to economies of scale (Ponemon Institute, 2011). Despite the
significantly higher cost and business impact of noncompliance, small organizations do not
prioritize building and maintaining effective compliance programs (Sheridan, 2014). By ignoring
compliance as a top priority, small pharmaceutical companies put themselves at a significant
competitive disadvantage
CLOSING THE COMPLIANCE GAP

12
12
Organizational Context and Mission
Names of the three organizations discussed in this study are pseudonyms. All identifying
citations and references are omitted. Identifying, non-critical details regarding the study site are
altered for anonymity (e.g., location, dates).
The odds were stacked against the founders of NewCo, a biotechnology start-up, in 2002.
Most likely, NewCo, would fail within a few years, never to be heard from again. Yet, for 15
years, the biotechnology professionals working in the Cincinnati, Ohio facility persisted as the
company evolved from start-up, to partner, to acquisition, to spin-off. NewCo was established in
2002 by venture capitalists and managers from other Cincinnati-based biotechnology companies.
NewCo, a privately-held company, focused on creating a pipeline of therapeutic product
candidates. As NewCo’s product pipeline grew, so did opportunities for partnerships and
collaborations with larger pharmaceutical firms. NewCo and collaborators moved products
through Phase I and II clinical trials. In 2005 NewCo “went public” with an initial public
offering (IPO) of stock. Going public allowed NewCo to raise capital and present itself as a more
attractive candidate for acquisition by larger pharmaceutical firms
Results of a 2006 placebo-controlled, clinical trial of NewCo’s lead pharmaceutical
candidate underwhelmed investors. In response, in 2008 NewCo cut one-fourth of its workforce
and continued to partner with larger companies to push other product candidates in the pipeline
through clinical trials. NewCo's situation, with two partnerships, three drugs in clinical trials, and
struggling momentum with investors, made the company an attractive option for larger
organizations looking to acquire and develop new product pipelines.
In 2010 ParentCo acquired NewCo’s product pipeline, technology, and partnerships.
ParentCo is a publicly traded, pharmaceutical company that offers medical products globally.
CLOSING THE COMPLIANCE GAP

13
13
ParentCo employed 1,500 associates worldwide and in 2015 generated $360 million in
product sales. The employees working at NewCo’s Cincinnati site were retained as part of the
acquisition agreement. They would continue the development of ParentCo’s acquired product
pipeline. Although executive and administrative redundancies were eliminated, and some turn-
over occurred post-acquisition, the majority of NewCo employees remained, becoming
employees of ParentCo.
At the time of NewCo’s acquisition, ParentCo had two product divisions. The divisions
produced products that attracted significantly different investors. This divergent investor base
became a challenge for ParentCo since one division drew stable revenue from recurring contracts
and the other division, by contrast, dealt with novel treatments. The type of investor willing to
invest in a company developing novel drugs must be much more risk tolerant than those
investing in a company with products with stable revenue. Due to the differences in target
investors, ParentCo spun-off its high-risk division in 2017 into a new, publicly-traded company
called SpinCo. SpinCo is comprised of numerous ParentCo acquisitions, including the entirety of
the company once known as NewCo.
SpinCo's mission is to provide therapeutics that improve the lives of patients. SpinCo
employs around 100 associates, many of whom have worked at the Cincinnati site for nearly ten
years and have been through two changes of technology ownership. Completion of the spin-off
occurred January 1
st
, 2017. SpinCo generates annual sales of an estimated $40 million, making
the company 90% smaller than ParentCo.
Organizational Goal
Although SpinCo received a cash contribution of nearly $70 million from ParentCo, all
company assets and resources were separated at the time of the spin. This separation had a
CLOSING THE COMPLIANCE GAP

14
14
significant impact on SpinCo’s compliance programs. Compliance programs once in place at
NewCo were integrated into ParentCo’s systems upon acquisition – redundancies in finance,
safety, legal, and human resources were eliminated as part of the acquisition in 2010. As
consequence of the 2017 spin-off, SpinCo no longer has access to ParentCo’s regulatory
compliance programs and is in the process of building comprehensive programs of their own.
Lack of formalized, comprehensive compliance programs creates a significant gap. SpinCo must
quickly build compliance programs to address a variety of organizational risk areas.
This evaluation focused on two SpinCo compliance programs that directly impact every
employee at the company:
• Information technology security (e.g., protecting company computers, networks,
programs, and data from unintended or unauthorized access, change, destruction)
• Environmental, health, and safety (e.g., hazard identification and employee protection,
emergency preparation and response, hazardous waste management)
Related Literature
The drug development process includes several stages: drug discovery, preclinical
development, clinical development, FDA approval, launch, patient consumption, and patient
outcomes (Andrade et al., 2016; Aon, 2015; Prajapati & Dureja, 2012; U. S. Food and Drug
Administration, 2004). Companies are impacted by an increasing number of risk areas as they
move through the drug development process. Research shows that small, new companies are at
higher risk for noncompliance (Lu & Mande, 2014; Owusu-Ansah, 2005). Typical small
biotechnology start-ups may only incur the risks associated with preclinical development.
CLOSING THE COMPLIANCE GAP

15
15
Because SpinCo had commercial drug products and a robust pipeline from its
beginning, it immediately incurred the full spectrum of compliance risk. Organizational risks for
companies with commercial products include (Aon, 2012; Deloitte, 2006; Deloitte, 2015a;
Deloitte, 2015b; KPMG, 2009; Sample, 2015):
• Labor and employment • Clinical development
• Environmental, health, and safety • Medical and scientific exchange
• Information technology security • Promotional activities
• Intellectual property • Labeling and marketing
• Preclinical development • Patient safety
• Regulatory/legislative • Manufacturing
• Supply chain • Product quality
• Market access, pricing, and
reimbursement
• Public relations, patient advocacy, and
government affairs
• Data management, integrity, and
transparency
• Financial compliance and corporate
governance

Importance of the Evaluation
Lack of comprehensive compliance programs puts SpinCo at a competitive disadvantage
in the pharmaceutical marketplace (Ponemon Institute, 2011). Negative consequences for
ineffective programs and noncompliance across all risk areas outlined by Deloitte (2015) impact
employees (workplace injuries, labor issues, information security), customers (patient safety),
revenue (delays in approvals, sanctions), and SpinCo’s reputation. To thrive, SpinCo must have
comprehensive compliance programs in place as soon as possible to support the product
CLOSING THE COMPLIANCE GAP

16
16
development pipeline. Otherwise, SpinCo may ultimately experience the fate of most start-
ups: failure (Shane, 2009).
Description of Stakeholder Groups
A stakeholder group is a group of individuals who directly contribute to and benefit from
the achievement of SpinCo’s organizational goals. The following three stakeholder groups
contribute to the achievement of SpinCo’s performance goals in unique ways: (1) top-level
organizational leadership, (2) managers, and (3) employees. Top-level organizational leadership
at SpinCo includes executive level managers including Chief Executive Officer (CEO), Chief
Operating Officer (COO), President, General Counsel, Senior Vice President (SVP), and Vice
President (VP). Top-level leadership focuses on the strategic direction of the organization and
identifies global goals. They determine the organizational framework and resource allocation
across departments in the organization and provide direction to management on how to achieve
business objectives. Top-level leadership is also accountable to external stakeholders such as the
Board of Directors, shareholders, regulators, and customers. Managers at SpinCo include
departmental leadership and any employee with a direct report. Managers control the distribution
of financial, human, and technological resources within their department and are responsible for
mobilizing these resources to achieve organizational goals. Employees at SpinCo who do not
have direct reports are mainly responsible for the execution of daily tasks that move the
organization toward achievement of the business goals.
CLOSING THE COMPLIANCE GAP

17
17
Stakeholders Groups’ Performance Goals
Table 1
Organizational Mission, Global Goal, and Stakeholder Performance Goals
Organizational Mission
SpinCo’s mission is to provide therapeutics that improve the lives of patients.
Organizational Performance Goal
SpinCo's goal is to implement comprehensive compliance programs across priority compliance
risk areas, identified by an internal auditor, within 18 months of spin-off.
SpinCo Top-Level Leadership SpinCo Managers SpinCo Employees
By October 31, 2017, top-level
leadership will establish a
resource allocation strategy for
response to all priority
compliance risk areas
identified by an internal
auditor.
By February 28, 2018,
managers will appropriately
respond to all priority
compliance risks identified by
an internal auditor.
By April 30, 2018, all
employees will complete 100%
of organizationally mandated
compliance training.

Stakeholder Group for the Study
Although a complete analysis involves all stakeholder groups, for practical purposes,
SpinCo managers were the focus of this evaluation. Management’s authority in the dissemination
of knowledge, motivation, and organizational (KMO) resources make them the ideal stakeholder
group for analyzing impact on organizational goals. Although top-level leadership establishes
organizational goals, frameworks, and direction, they exert little influence in the execution of
daily tasks. Top-level leaders delegate daily task management to departmental managers.
Employees exert a significant impact on the daily execution of tasks but have little decision-
making authority to close knowledge, motivation, or organizational gaps. Managers control the
distribution of financial, human, and technological resources within their departments and hold
CLOSING THE COMPLIANCE GAP

18
18
the authority to initiate action to close identified knowledge, motivation, and organizational
gaps highlighting them as the ideal stakeholder group for this analysis.
In conjunction with the spin-off, SpinCo executives issued informal global goals to create
a culture of ownership, empowerment, and professionalism. Additionally, there is a desire to
engage employees in the development of SpinCo operational processes, procedures, policies, and
guidelines. Effective compliance programs are an area where a culture of ownership,
empowerment, and professionalism is essential. Several SpinCo managers set implicit,
intermediate goals targeting compliance programs. The gaps in knowledge and organizational
resources created by the spin-off are of significant concern for managers. Their informally stated
goals include maintaining compliance after the spin-off and implementing comprehensive
compliance programs within 18 months of the spin-off. The global performance and intermediate
goals outlined in Table 1 reflect their targets.
To thrive, SpinCo must have effective compliance programs in place to support the
product development pipeline. Although SpinCo has begun the process of developing
organizational compliance programs, it is essential that these programs grow quickly and
efficiently across the company to avoid the possible consequences for noncompliance.
Purpose of the Project and Questions
The purpose of this project was to study the knowledge, motivation, and organizational
influences among SpinCo managers that impact their appropriate response to compliance risks.
Specifically, this analysis focused on methods to achieve the organizational performance goal of
implementing comprehensive compliance programs across two SpinCo risk areas within 18
months of spin-off: (1) information technology security and (2) environmental, health, and
CLOSING THE COMPLIANCE GAP

19
19
safety. For practical purposes, SpinCo managers were the focus of this evaluation. As such,
the questions that guided this study were:
1. What are the knowledge, motivational, and organizational influences among SpinCo
managers that impacted their appropriate response to compliance risks?
2. How could organizational practices in the areas of knowledge, motivation, and
organizational resources be changed to facilitate appropriate manager response to
compliance risks?
Definitions
Information technology security: Protection of organizational computer systems and information
against unauthorized access or attack when connected to the internet (Merriam-Webster.com,
n.d.).
Environment, health, and safety: An area of compliance that determines how companies protect
the public, employees, and the environment (Environment, health, and safety, n.d., para. 1).
Organization of the Report
Five chapters are used to organize this report. Chapter 1 provides the reader with the key
concepts and terminology commonly found in a discussion about organizational compliance
programs. The organization’s mission, goals, stakeholders, and the framework for the project are
introduced. Chapter 2 provides a review of the Clark and Estes’ (2008) gap analysis conceptual
framework and current literature surrounding the scope of the study. Elements of effective
compliance programs and how program effectiveness should be measured are addressed in
Chapter 2. The chapter continues by discussing assumed knowledge, motivation and
organizational influences specific to SpinCo managers. Chapter 2 closes with the presentation of
the conceptual framework for this study. Chapter 3 details how the knowledge, motivation and
CLOSING THE COMPLIANCE GAP

20
20
organizational elements were examined, including methodology, choice of participants, data
collection, and analysis. In Chapter 4, the data and results are assessed, analyzed, and presented.
Assumed knowledge, motivation and organizational influences are described as either validated,
validated in part, or not validated. Chapter 5 provides recommended solutions, based on data and
literature, for closing the compliance response gaps as well as recommendations for solution
implementation and evaluation. See Figure 1 for a visual representation of the organization of the
study in relation to the Clark and Estes’ (2008) gap analysis conceptual framework discussed in
Chapter 2.

Figure 1. Organization of this project and report are based on the Clark and Estes’ (2008) gap
analysis conceptual framework and Kirkpatrick and Kirkpatrick’s (2016) training evaluation
model. Refer to Chapter 2 for a detailed description of the Clark and Estes (2008) organizational
CLOSING THE COMPLIANCE GAP

21
21
problem-solving framework. Refer to Chapter 5 for a detailed description of the Kirkpatrick
and Kirkpatrick (2016) New Work Kirkpatrick Model.

CLOSING THE COMPLIANCE GAP

22
22
CHAPTER 2: REVIEW OF THE LITERATURE
This study evaluated the knowledge, motivation, and organizational (KMO) influences
among SpinCo managers that impact their appropriate response to compliance risks in two
organizational compliance programs: information technology security (ITS) and environmental,
health, and safety (EHS). This chapter outlines factors influencing organizational compliance
programs. The first section provides a general overview of the six key elements found in
organizational compliance programs. The second section addresses considerations for measuring
compliance program efficacy, including both outcomes and processes. Finally, sections three,
four, and five expand on knowledge, motivation, and organizational influences, respectively,
among SpinCo managers, who are responsible for responding to organizational compliance risks
within their departments.
General Compliance Program Elements and Program Effectiveness
Compliance Programs
Organizational compliance programs must address the risk areas and activities most
likely to result in misconduct among employees (Webb & Molo, 1993). Once these risk areas are
identified and goals established, compliance programs must be developed to fit compliance
goals. Compliance programs should include six key elements: (1) documentation, (2) resource
allocation, (3) training and communication, (4) discipline and incentives, (5) monitoring and
auditing, and (6) competent program management.
Documentation. Compliance program documentation can include policies, procedures,
guidelines, workflows, standard operating procedures and a myriad of other resources. Parker
and Nelson (2009) found that compliance program documentation, especially written policies,
positively impact compliance in practice. Compliance program documentation must connect with
CLOSING THE COMPLIANCE GAP

23
23
existing practices and assumptions of the organization to make a positive impact on
performance (Parker & Nielson, 2009). A relevant, functional system of detailed documentation
guides those required to follow specific procedures (Andreisova, 2016). The quality of written
policies also demonstrates and communicates the organization’s overall commitment to
compliance (Andreisova, 2016; Parker & Nielson, 2009).
Resource allocation. According to Deloitte (2015), resource allocation for compliance
programs is a matter of empowerment. For compliance programs to be effective in practice,
organizational resources must be allocated appropriately (Parker & Nielson, 2009). Andreisova
(2016) found that “an under-funded and unsupported [compliance] program is predestined to
fail” (p. 26). Individuals who mitigate risks, either through compliance program management or
the execution of day-to-day compliance tasks, require sufficient financial and human capital
resources to meet organizational compliance goals (Deloitte, 2015; Andreisova, 2016).
Training and communication Employee training positively impacts compliance in
practice, especially among new employees (Parker & Nielson, 2009). Stokols, McMahan,
Chiltheroe, & Wells (2001) found that irrespective of the size of the organization, participation in
safety training led to positive changes in employee knowledge around safety requirements.
Spreading knowledge about compliance programs, whether through formal training or internal
marketing efforts, is essential for program success (Andreisova, 2016).
Discipline and incentives. Organizations should use both incentives and progressive
discipline to achieve compliance goals (Andreisova, 2016; Sample, 2015). Specifically,
organizations must discipline employees who violate compliance mandates (Andreisova, 2016;
Sample, 2015; Webb & Molo, 1993). Webb and Molo (1993) go a step further and recommend
the extension of incentives and discipline into prevention and detection of noncompliance.
CLOSING THE COMPLIANCE GAP

24
24
Expectation and consequences regarding noncompliance must be effectively communicated
throughout all levels of an organization to be effective (Andreisova, 2016). Incentives and
discipline mechanisms put into place must also be applied evenly and consistently (Andreisova,
2016). Compliance incentive and discipline programs are among the most difficult compliance
elements to implement (Andreisova, 2016). Compliance incentive and discipline mechanisms
should be appropriate for the context and risk. Incentive and discipline mechanisms should serve
to encourage compliance, deter noncompliance, and be punitive where necessary (Webb &
Molo, 1993).
Monitoring and auditing. Changes in laws, organizational business practices, industry
practices, and compliance violations often require context-specific modifications in compliance
programs (Webb & Molo, 1993). Without robust monitoring, many of these programmatic
change catalysts could be missed, resulting in costly noncompliance. Implementing a formal
reporting system for ongoing identification and rectification of compliance gaps demonstrates
management commitment to compliance and increases the probability that program changes will
be made promptly (Parker & Nielson, 2009). Further, hiring independent auditors or consultants
to audit compliance programs positively impacts overall compliance management in practice
(Andreisova, 2016; Parker & Nielson, 2009).
Competent program management. As with resource allocation, compliance program
management is an issue of empowerment (Andreisova, 2016). Executive and other top
management should be responsible for organizational compliance programs (Andreisova, 2016).
In large organizations, the establishment of a dedicated, formal compliance function or
department positively impacts compliance management in practice (Parker & Nielson, 2009).
Smaller organizations with fewer resources can see positive impacts in compliance behavior
CLOSING THE COMPLIANCE GAP

25
25
among employees by dedicating experienced professionals to manage compliance programs
(Andreisova, 2016). Technology does not replace competent program management. The
importance of experienced compliance professionals is shown by Parker and Nielson (2009) who
found organizations with robust compliance technology often lacked the in-house expertise to
implement the technology appropriately, rendering the systems of little use. Sample (2015)
warns, “to ignore or diminish [compliance] support functions is to invite dysfunctional employee
behavior” (p. 302). Organizations must build capacity to support competent compliance program
management either through a dedicated compliance department, hiring compliance professionals,
or developing compliance program management capabilities among existing employees.
Table 2 summarizes general background literature regarding compliance program
elements. In summary, six key elements (documentation, resource allocation, training and
communication, discipline and incentives, monitoring and auditing, and competent program
management) are essential for a comprehensive compliance program regardless of compliance
program size or scope. These six elements shape compliance performance behaviors across an
organization, serving as guidelines and support for appropriate response to compliance risk.
Missing or weak compliance program elements invite noncompliance and inappropriate response
to compliance risk. These elements should be thoroughly developed and highly contextualized to
an organization and industry to maximize compliance program efficacy.
Measuring Effectiveness of Compliance Programs
An effective compliance program produces critical and desired compliance behaviors in
employees, minimizing risk to the organization and its stakeholders (Effective, n.d.). Measuring
compliance program efficacy helps an organization manage risk and set appropriate compliance
CLOSING THE COMPLIANCE GAP

26
26
goals (Kroll, 2012). Yet, it’s been reported that over 35% of companies don’t actively measure
the effectiveness of their compliance programs (Deloitte, 2015; Kroll, 2012).
Compliance program efficacy cannot be determined by a single metric or indicator
(Kroll, 2012). However, up to 62% of life sciences companies use either qualitative or
quantitative measures (Accenture, 2013). Compliance program measures vary from program to
program, but measures based on both outcomes and processes paint a more complete picture of
program effectiveness (Kusserow, 2013). For example, outcome measures include the number of
noncompliance incidents, training sessions completed, and number of penalties. Example process
measures include whether employees have the appropriate level of compliance program
knowledge, self-assessments, and whether resources are appropriate to support compliance
programs.
In addition to outcome and process measures, incorporating both objective and subjective
measures paint the most complete picture of compliance program effectiveness (Kirkpatrick &
Kirkpatrick, 2016; Kroll, 2012). For example, objective process measures include assessment
scores to measure employee compliance knowledge. A subjective version of the same process
metric is a survey asking employees about their level of knowledge. Objective measures are most
useful for benchmarking or comparing against standards (Kroll, 2012). Subjective measures
provide deeper meaning into objective measurements (Kroll, 2012). For instance, no calls to an
ethics hotline could be a result of full organizational compliance or it could be a result of
employees not knowing the number to call or where to find it. Organizations cannot take
outcome metrics at face value to measure effectiveness.
To collect information reflective of actual compliance program effectiveness, key
performance indicators should be numerous, capturing both process and outcomes. Data should
CLOSING THE COMPLIANCE GAP

27
27
also be collected by both objective and subjective means, including employee surveys and
observation. Measurement metrics should be highly contextualized to an organization’s goals
(meaningful) and means (feasible) for accurate, actionable measurement of program and
performance gaps.
Table 2
General Compliance Program Factors
Compliance Program Factor Citations
Compliance program element
Documentation Andreisova (2016); Parker & Nielson (2009)
Resource allocation Andreisova (2016); Deloitte, (2015); Parker &
Nielson (2009)
Training and communication Andreisova (2016); Parker & Nielson (2009);
Stokols et al. (2001)
Discipline and incentives Andreisova (2016); Sample (2015); Webb & Molo
(1993)
Monitoring and auditing Andreisova (2016); Parker & Nielson (2009);
Webb & Molo (1993)
Competent program management Andreisova (2016); Parker & Nielson (2009);
Sample (2015)
Measuring effectiveness Deloitte (2015); Kroll (2012); Kusserow (2013)

Clark and Estes’ (2008) Organizational Problem-Solving Framework
Clark and Estes’ (2008) gap analysis conceptual framework is a comprehensive,
analytical method of evaluation that helps identify causal influences of organizational goal
achievement, or lack thereof. The systematic conceptual framework outlines three factors of
organizational performance: (1) knowledge, (2) motivation, and (3) organizational influences.
Employees must know the how, when, and why (knowledge) of their performance goals to
achieve them. Employees’ internal, psychological processes must facilitate sufficient choice,
CLOSING THE COMPLIANCE GAP

28
28
persistence, and mental effort (motivation) to achieve performance goals. Finally,
organizational tools, processes, and procedures (organizational factors) must support employee
performance and goal achievement. The next section explores knowledge, motivation, and
organizational influences impacting SpinCo managers’ ability to support the organizational goal
of comprehensive compliance programs through appropriate response to ITS and EHS
compliance risk.
Stakeholder Knowledge, Motivation, and Organizational Influences
Knowledge and Skills
The following literature review focuses on knowledge-related influences pertinent to the
achievement of SpinCo's organizational goal of implementing comprehensive compliance
programs across priority compliance risk areas, identified by an internal auditor, within 18
months of spin-off. Specifically, the literature review targets managers’ intermediate goal to
appropriately respond to priority compliance risks identified by an internal auditor by February
28, 2018. This intermediate goal supports the organizational goal of implementing
comprehensive compliance programs. Literature has been analyzed to identify the types of
knowledge influences impacting achievement of these goals.
Knowledge influences. The following review examines knowledge-related literature
relevant to SpinCo management’s intermediate goal to appropriately respond to priority
compliance risks identified by an internal auditor. Each knowledge influence is divided into one
of three knowledge categories, or types, as described by Krathwohl's (2002) revised taxonomy:
(1) declarative, (2) procedural, and (3) metacognitive (Bloom, Engelhart, Furst, Hill, &
Krathwohl, 1956; Rueda, 2011). SpinCo manager knowledge must be examined to identify its
impact on the achievement of organizational compliance goals (Clark & Estes, 2008).
CLOSING THE COMPLIANCE GAP

29
29
Knowledge is a critical factor in organizational performance gaps. Using Krathwohl's (2002)
revised taxonomy to categorize SpinCo manager knowledge facilitates effective gap analysis
(Clark & Estes, 2008). Integrating Clark and Estes’ (2008) gap analysis framework with
Krathwohl's (2002) revised taxonomy of knowledge types drills down to the identification of
more specific gaps in manager knowledge of facts, concepts, procedures, and self. Further,
accurate identification and categorization of manager knowledge gaps lead to refined solutions to
close knowledge gaps (Rueda, 2011).
Managers need to know the ITS and EHS compliance risks within the areas they
oversee and appropriate responses to address those risks. Research shows that declarative
compliance knowledge among managers has a significant impact on achievement and
maintenance of compliance across an organization. The declarative knowledge category includes
knowledge of basic compliance elements, such as terminology, definitions, as well as the
interrelationships among basic elements expressed as categories, principles, and models
(Krathwohl, 2002). Compliance programs are more effective when managers know the
compliance standards and actions to take to prevent noncompliance (Chia An & Chandra, 2012;
Singh, 2011). Noncompliance with regulations is often rooted in the lack of declarative
knowledge about standards, policies, best practices, regulations, and laws set forth by regulatory
agencies (Hawkins & Muir, 2014; Kelly, 2010; Massey & Campbell, 2013; Van Noorden, 2013).
For instance, Massey and Campbell (2013) found that 96% of small business stakeholders
answered incorrectly when asked about labor law compliance, contributing to their
noncompliance with standards. Thus, manager declarative knowledge is essential to
appropriately respond to compliance risk in all regulated organizational domains, including ITS
and EHS (Markovitz & Jones, 2012). Table 3 shows that SpinCo's managers require declarative
CLOSING THE COMPLIANCE GAP

30
30
knowledge of ITS and EHS compliance risks, and appropriate responses to risks, within the
areas they oversee. Managers also require enough declarative knowledge to know which
responses are appropriate for responding to priority ITS and EHS risks.
Managers need to know how to implement the appropriate response for
identified/priority ITS and EHS risks. The ability of managers to apply declarative compliance
knowledge through procedural knowledge has a significant impact on the implementation of
compliance programs across an organization. The procedural knowledge category includes
knowing how to complete a compliance response task and can involve techniques, skills,
process, and knowing when to use a procedure (Krathwohl, 2002). Inappropriate procedural
application of compliance knowledge could result in noncompliance and bring serious
consequences to an organization (Welty, 2010). For instance, Van Noorden (2013) found that
lack of procedural knowledge in safety regulations resulted in noncompliance regarding
employee safety. According to McGovern et al. (2000), procedural knowledge takes practice to
learn and effectively incorporate into compliance response behaviors. Effective implementation
of procedural knowledge is most often demonstrated by employees who have had the
opportunity to incorporate compliance risk response into their daily practices (McGovern et al.,
2000). Employees who can practice “the practical application of [compliance] knowledge to a
context,” are 5.7 times more likely to comply with compliance standards (McGovern et al., 2000,
p. 159). Rapid operationalization of compliance knowledge for compliance risk response serves
to indirectly increase organizational competitiveness, necessitating procedural knowledge among
SpinCo managers (Ponemon Institute, 2011). Table 3 shows that SpinCo's managers need to
know how to implement the appropriate response for identified/priority ITS and EHS risks. A
CLOSING THE COMPLIANCE GAP

31
31
firm grip on procedural risk response knowledge facilitates achievement of SpinCo’s
organizational compliance goals.
Managers need to reflect-on-action about how they responded to ITS and EHS
compliance risk. When managers understand their thinking, they can identify and monitor their
strategies for maximizing acquisition and application of other knowledge types for achieving
organizational goals (Flavell, 1979; Pintrich, 2002). The metacognitive knowledge category
includes awareness and control of one's thought processes, including how managers plan,
evaluate, and revise task strategy based on personal cognitive tendencies (Baker, 2006; Flavell,
1979; Krathwohl, 2002; Pintrich, 2002). In other words, when managers can observe, check, and
alter their existing thinking routines, they are better able to solve departmental compliance
problems (Berardi-Coletta, Buyer, Dominowski, & Rellinger, 1995; Flavell, 1979; Pintrich,
2002). Cho and Jung (2014) found metacognitive knowledge among organizational leaders had a
positive and significant impact on overall organizational performance, demonstrating the role of
metacognition in achieving intermediate and global organizational goals. Wilson (2008) builds
on Schön (1983) to describe three reflective practices SpinCo managers could use to improve
future performance: (1) reflection-on-action, (2) reflection-in-action, and (3) reflection-before-
action. This evaluation focused on the need for manager reflection-on-action, that is, thinking
retrospectively on past ITS and EHS compliance response actions for new learning (Schön,
1983). SpinCo's managers need to reflect-on-action, about how they have responded to ITS and
EHS compliance risk to uncover and learn from ineffective habits, biases, and assumptions (see
Table 3).
CLOSING THE COMPLIANCE GAP

32
32
Table 3
Summary of Assumed Knowledge Influences
Influence Selected Citations
Knowledge Types Bloom et al. (1956); Krathwohl (2002); Rueda
(2011)
Declarative Knowledge Krathwohl (2002)
Managers need to know the ITS and
EHS compliance risks within the areas
they oversee.
Chia An & Chandra (2012); Hawkins & Muir
(2014); Kelly (2010); Markovitz & Jones (2012);
Massey & Campbell (2013); Singh (2011); Van
Noorden (2013)
Managers need to know what types of
responses are appropriate to address ITS
and EHS compliance risks.
Procedural Knowledge Krathwohl (2002)
Managers need to know how to
implement the appropriate response for
identified/priority ITS and EHS risks.
McGovern et al. (2000); Van Noorden (2013);
Welty (2010)
Metacognitive Knowledge Baker (2006); Flavell (1979); Krathwohl (2002);
Pintrich (2002; Schön (1983); Wilson (2008)
Managers need to “reflect-on-action” on
how they responded to ITS and EHS
compliance risk.
Berardi-Coletta et al. (1995); Cho & Jung (2014)

Motivation
Motivation has a significant influence on the effectiveness of organizational compliance
programs. Knowledge is not enough to complete a task – managers must want to start a
compliance task, persist at the task, and invest mental effort toward completion of the task (Clark
& Estes, 2008; Rueda, 2011). In fact, Cantor and Terle (2010) found that only 7% of safety
compliance problems were attributed to lack of compliance knowledge, demonstrating that
motivation is essential for achieving compliance goals. The following literature review focuses
on motivation-related influences pertinent to the achievement of SpinCo's organizational goal of
CLOSING THE COMPLIANCE GAP

33
33
implementing comprehensive compliance programs across priority compliance risk areas,
identified by an internal auditor, within 18 months of spin-off. Specifically, the literature review
targets managers’ intermediate goal to appropriately respond to priority compliance risks
identified by an internal auditor by February 28, 2018. This intermediate goal supports the
organizational goal of implementing comprehensive compliance programs. Reviewed literature
has been analyzed to identify the types of motivational influences impacting achievement of
these goals.
Expectancy-value theory. The expectancy-value theory of motivation includes two
components: (1) value and (2) expectancy (Eccles, 2006). Value is the importance a manager
places on a goal or task and is a strong predictor of a manager’s choice to engage in a task
(Eccles, 2006). The value of a task is determined through a combination of four factors: (1)
attainment value or importance, (2) intrinsic value, (3) utility, and (4) cost. Expectancy is a
manager’s prediction of their success at a goal or task and is a strong predictor of effort once the
choice to engage in a task is made (Eccles, 2006). This analysis focused on management values,
that is, the importance SpinCo managers place on appropriate ITS and EHS compliance risk
response. According to Eccles (2006) value is determined by the extent to which a task is linked
to a manager’s identity (attainment value or importance), task enjoyment (intrinsic value), how
well the task fulfills other goals (utility), and perceived consequences of engaging in, or not
engaging in, the task (cost). Managers are more likely to engage in compliance tasks if the tasks
are perceived as enjoyable, personally meaningful, moves them toward a specific outcome, and
has a high cost for avoidance.
Task value and managers. SpinCo's managers need to see value in responding
appropriately to ITS and EHS compliance risks. The influence of value on a manager’s choice to
CLOSING THE COMPLIANCE GAP

34
34
engage in compliance tasks is shown by Hedström, Karlsson, and Kolkowska (2013), who
found that employees cited the creation of unprofessional inefficiencies (utility and attainment
value) and little/no perceived consequences (cost) to justify their deliberate noncompliance with
electronic record processes. Kamleitner, Korunka, and Kirchler (2012) found that subjective
perceptions of financial losses (attainment value, utility, cost) motivate some business owners to
engage in non-compliant tax collection and filing practices. Mixed value assessments can also
result in noncompliance. In the case of procedural audits, employees perceived an audit checklist
as useful for increasing desired compliance outcomes (utility) but also perceived its use as
deviating from their professional responsibilities (attainment value) resulting in poor completion
rates (Sendlhofer et al., 2016). Managers need to see value in responding appropriately to ITS
and EHS compliance risks (see Table 4). They must link compliance to their identity as SpinCo
managers and as a critical factor to facilitate achievement of personal and organizational goals.
Self-efficacy theory. Self-efficacy reflects confidence in one's ability to accomplish a
task (Bandura, 1997; Pajares, 2009; Wang & Rao, 2016). One’s confidence in task success
influences the “initiation, intensity, and persistence” of their compliance behaviors (Jenkins,
1994; Paglis & Green, 2002, p. 216). Self-efficacy beliefs are formed principally from four
sources: (1) mastery experiences, (2) vicarious experience, (3) social persuasions, and (4)
physiological reactions (Bandura, 1997; Pajares, 2009). In other words, confidence in the ability
to appropriately respond to compliance risk is determined by the extent to which managers have
successfully responded in the past (mastery experiences), observation of others appropriately
responding (vicarious experience), verbal messages from others about their ability to
appropriately respond (social persuasions), and the affective states or emotions appropriate
response evokes (physiological reactions).
CLOSING THE COMPLIANCE GAP

35
35
Self-efficacy and managers. When employees believe they can succeed at a specific
goal, they will choose to put effort toward goal achievement (Clark & Estes, 2008). Employee
self-efficacy in compliance tasks positively influenced their intention to comply with standards
(Bulgurcu, Cavusoglu, & Benbasat, 2010). Further, self-efficacy significantly predicted
employee adherence behaviors toward compliance standards (Jenkins, 1994; MacNab &
Worthley, 2008). Managers with high self-efficacy were more likely to discard existing
compliance strategies when they failed and attempted more innovative problem-solving
strategies to comply (Jenkins, 1994). Table 4 shows that managers need to feel confident in their
ability to respond appropriately to compliance risks since self-efficacy is one of the more relied
upon motivational constructs to consistently predict behavioral outcomes (Pajares, 2009).
Table 4
Summary of Assumed Motivation Influences
Influence Selected Citations
Motivation Clark & Estes (2008); Rueda (2011)
Expectancy Value Theory Eccles (2006)
Managers need to see value in
responding appropriately to ITS and
EHS compliance risks.
Hedström et al. (2013); Kamleitner et al. (2012);
Sendlhofer et al. (2016)
Self-Efficacy Theory Bandura (1997); Pajares (2009)
Managers need to feel confident in their
ability to respond appropriately to ITS
and EHS compliance risks.
Bulgurcu et al. (2010); Clark & Estes (2008);
Jenkins (1994); MacNab & Worthley (2008)

Organizational Influences
Organizational features have a significant influence on the effectiveness of organizational
compliance programs. Knowledge and motivation are not enough to complete a task – managers
must have the necessary resources for completion of the task (Clark & Estes, 2008; Rueda,
CLOSING THE COMPLIANCE GAP

36
36
2011). The following review examines literature that focuses on organizational-related
influences pertinent to the achievement of SpinCo's organizational goal of implementing
comprehensive compliance programs across priority compliance risk areas, identified by an
internal auditor, within 18 months of spin-off. Specifically, the literature review targets
managers’ intermediate goal to appropriately respond to priority compliance risks identified by
an internal auditor by February 28, 2018. This intermediate goal supports the organizational goal
of implementing comprehensive compliance programs. Literature has been analyzed to identify
the types of organizational influences impacting achievement of these goals.
Cultural Models and Cultural Settings
Culture is defined as basic assumptions generated over time through group problem
solving, or learning, taught to new group members as norms, or informal rules (Schein, 2004).
Shared systems of meaning can exist at several interrelated levels, including individually, on
teams, organizationally, nationally, and globally (Erez & Gati, 2004). Cultural strength, or the
strength of shared assumptions, is dependent on the homogeneity of individual perceptions, that
is, on stable membership within the group (Erez & Gati, 2004; Schein, 2004). An organization
with a high rate of employee turnover and change, such as that of a spin-off, holds fewer shared
assumptions, thus has a weakened culture (Schein, 2004).
Cultural settings are the tangible components of organizational culture. The foundation
for cultural settings is cultural models. Cultural models are the invisible components of
organizational culture and often go unnoticed (Gallimore & Goldenberg, 2001). Cultural models
are automated values, beliefs, and attitudes expressed through cultural practices (Rudea, 2011).
Examples of these invisible, cultural models in organizations include a general environment of
conflict avoidance, lack of accountability, and presence of authoritarian leadership. Cultural
CLOSING THE COMPLIANCE GAP

37
37
settings, or social contexts, are cultural models manifested in visible, concrete, and measurable
practices (Rudea, 2011). Examples of cultural settings include lack of effective role models,
assignment of busy work, and unnecessary rules or policies. To assess the impact of
organizational factors on achievement of compliance response goals, three components of
SpinCo’s cultural setting were evaluated. Exploring the relationship between compliance risk
response and cultural settings enables a holistic view of organizational influences on compliance
goal achievement.
Cultural setting: modeling. Employees observe organizational leaders to determine
acceptable behaviors in the workplace and mirror the actions of leaders and (Andreisova, 2016;
Berger, 2014). Employees were 2.9 times more likely to be compliant when leadership modeled
a consistent commitment toward safety goals (McGovern et al., 2000). Because leaders have a
significant impact on employee behaviors, leadership modeling is crucial for establishing desired
compliance response behaviors among employees (Sample, 2014). This means that when leaders
demonstrate non-compliant or unengaged behaviors, their employees mirror them, significantly
eroding the effectiveness of organizational compliance programs.
Modeling and managers. SpinCo managers need role models who demonstrate how to
appropriately respond to compliance risks (see Table 5). Role models who are credible and
similar can foster expectancy and positive values in SpinCo managers (Pajares, 2009). Role
models could include peers, superiors, compliance leaders, or company executives. When
credible role models demonstrate appropriate ITS and EHS compliance risk response, managers
may mirror them, increasing their likelihood of appropriate compliance risk response
(Andreisova, 2016; Torp & Grogaard, 2009).
CLOSING THE COMPLIANCE GAP

38
38
Cultural setting: workload. Workload perception is a situational factor that impacts
compliance risk response. Workload is defined both generally and cognitively. Generally,
workload is defined as a demand on employee resources, including time and effort (Fieldston et
al., 2014). Mental workload, specifically, is the cognitive processing required for an employee to
complete a task (Subramanyam, Muralidhara, & Pooja, 2013). Bruggen (2015) found that a
moderate employee workload positively impacts performance, but a high workload significantly
decreases the quality of employee performance behaviors. Increasingly high demands on
employee time, effort, and cognitive processing negatively impacts the performance of
compliance behaviors (Bruggen, 2015; Heart, Parmet, Pliskin, Zuker, & Pliskin, 2011; Torp &
Grogaard, 2009).
Workload and managers. High levels of perceived work demands generate stress,
cognitive fatigue, and feelings of being overwhelmed in employees, contributing to poor
performance in compliance behaviors (Babajide & Akintayo, 2011; Subramanyam et al., 2013;
Sutthiwan & Clinton, 2008). When faced with heavy work demands, managers shift effort
expenditure to tasks perceived as directly contributing to organizational production. Performance
in tasks perceived as secondary, such as compliance activities, is compromised when employees
encounter high demands to produce (Dai, Milkman, Hofmann, & Staats, 2015; Sutthiwan &
Clinton, 2008). Dai et al. (2015) found that employee compliance behavior decreased 8.7% over
a 12-hour shift due to the impact that pursuing multiple, high-demand goals had on self-
regulatory behaviors. Table 5 shows that SpinCo managers need to prioritize appropriate ITS and
EHS risk response in their workloads. Critical compliance risk response behaviors should be
primary, rather than secondary, tasks for managers so that they are not compromised due to
heavy workloads.
CLOSING THE COMPLIANCE GAP

39
39
Cultural setting: documentation. Organizational compliance programs that are
perceived by employees as impeding daily work, risk being ineffective in facilitating compliance
(Deloitte, 2015). Compliance policies, procedures, and processes are irrelevant if they are too
confusing or too numerous to be incorporated into the daily work of employees (Carthey,
Walker, Deelchand, Vincent, & Griffiths, 2011; Deloitte, 2015). Carthey et al. (2011) uncovered
five ways in which policies and guidelines create an environment that makes compliance in
practice highly unlikely: (1) volume, (2) multiple rules on the same topic, (3) accessibility and
naming, (4) length and complexity, and (5) triviality. For example, searching through volumes of
lengthy policies across numerous databases is complicated, time-consuming, and confusing
(Carthey et al.,2011). "Knee-jerk" policies, or those put in place as a response to a specific
incident, micro-manage employees and lower morale, making compliance with other important
policies less likely (Carthey et al.,2011). A culture of compliance facilitates the achievement of
organizational goals (Deloitte, 2015). Carthey et al. (2011) findings demonstrate that poorly
developed and communicated policies, procedures, and processes are barriers to building a
culture of compliance.
Documentation and managers. Compliance documentation can be written quickly, but a
culture of compliance is established once values and behaviors change (Andreisova, 2016).
Documentation must connect with existing practices and assumptions to make a positive impact
on performance (Parker & Nielson, 2009). To change compliance behaviors within the
organization, policies, procedures, and processes need to be written, accessed, and
communicated pragmatically, customized to the organization and the work employees are
engaged in (Deloitte, 2015; Lowry & Moody, 2015). SpinCo managers need ITS and EHS
compliance documentation that is succinct, consistent, accessible, and relevant (see Table 5).
CLOSING THE COMPLIANCE GAP

40
40
Without these qualities, compliance documentation becomes a barrier to appropriate manager
response to compliance risk (Clark & Estes, 2008).
Table 5
Summary of Assumed Organizational Influences
Influence Selected Citations
Organizational Clark & Estes (2008); Rueda (2011)
Cultural Settings Gallimore & Goldenberg (2001); Rudea (2011);
Schein (2004)
Managers need role models who
demonstrate how to appropriately respond
to ITS and EHS compliance risks.
Andreisova (2016); Berger (2014); Pajares
(2009); Sample (2014); Torp & Grogaard (2009)
Managers need to prioritize appropriate
ITS and EHS risk response in their
workloads.
Babajide & Akintayo (2011); Bruggen (2015);
Dai et al. (2015); Fieldston et al. (2014); Heart
(2011); Subramanyam (2013); Sutthiwan &
Clinton (2008); Torp & Grogaard (2009)
Managers need ITS and EHS
documentation that is succinct, consistent,
accessible, and relevant.
Andreisova (2016); Carthey et al. (2011); Clark
& Estes (2008); Deloitte (2015); Lowry &
Moody (2015); Parker & Nielson (2009)

Conceptual Framework: The Interaction of Stakeholders’ Knowledge and Motivation and
the Organizational Context
A conceptual framework identifies the core concepts studied and how they are assumed
to relate to one another (Maxwell, 2013). Conceptual relationships served as the foundation for
this research project and provided a structure for inquiry into organizational performance
(Maxwell, 2013; Merriam & Tisdell, 2016). See Figure 2 for the conceptual framework for this
project. Clark and Estes (2008) outline three factors of organizational performance: (1)
knowledge (K), (2) motivation (M), and (3) organizational influences (O). While KMO
influences are often presented as independent constructs, the conceptual framework illustrates
how they relate to each other and how they relate to a manager’s response to compliance risk
CLOSING THE COMPLIANCE GAP

41
41
using key elements of compliance programs. Effective compliance programs include six key
elements: (1) documentation, (2) resource allocation, (3) training and communication, (4)
discipline and incentives, (5) monitoring and auditing, and (6) competent program management
(Andreisova, 2016; Cantone, 1999; Deloitte, 2015; Parker & Nielsen, 2009; Sample, 2015;
Stokols et al., 2001; Webb & Molo, 1993). Compliance program elements serve as guidelines
and support for appropriate manager response to compliance risk.
Managers at SpinCo include departmental leadership and any employees with a direct
report. Managers control the distribution of financial, human, and technological resources within
their departments and are responsible for operationalizing many key compliance program
elements across compliance risk areas. As shown in the conceptual framework, manager
knowledge, motivation, and organization influences impact their ability to respond appropriately
to ITS and EHS compliance risks. For instance, if heavy workloads (O) prevent managers from
participating in compliance training activities (K), they may not see the value (M) of an
appropriate response to compliance risk. Lack of value (M) in appropriate responses to
compliance risk may result in manager resistance to reflecting on how appropriate their response
was (K), further limiting their ability to identify which responses are appropriate for the
identified risks (K). Using this conceptual framework to explain relationships between and
among researched concepts offers a more complete picture of gaps and assets with regard to
manager response to ITS and EHS compliance risks and impacts on SpinCo’s organizational
goal of implementing comprehensive compliance programs.
CLOSING THE COMPLIANCE GAP

42
42

Figure 2. Conceptual framework illustrating the relationships between compliance program
elements and knowledge, motivational, and organizational influences that impact manager
response to compliance risks.
Summary
Chapter 2 outlined factors influencing organizational compliance programs. The first
section provided a general overview of the six key elements found in organizational compliance
programs: (1) documentation, (2) resource allocation, (3) training and communication, (4)
discipline and incentives, (5) monitoring and auditing, and (6) competent program management.
The second section addresses considerations for measuring compliance program efficacy,
including both outcomes and processes, and qualitative and quantitative measures. Finally, the
chapter outlined knowledge, motivation, and organizational influences among SpinCo managers
that, based on the literature, were assumed to influence manager response to compliance risk.
Chapter 3 outlines the research methodology, data analysis, and validation process used for this
project.
CLOSING THE COMPLIANCE GAP

43
43
CHAPTER 3: METHODOLOGY
This study evaluated the knowledge, motivation, and organizational (KMO) influences
among SpinCo managers that impact their appropriate response to compliance risks in two
organizational compliance programs: information technology security (ITS) and environmental,
health, and safety (EHS). General literature relating to elements of effective compliance
programs and their effectiveness measurements were presented in Chapter 2. Assumed
knowledge, motivation, and organizational influences impacting appropriate manager response
to ITS and EHS compliance risks were also highlighted and verified against theories and related
literature in Chapter 2. The assumed KMO influences include:
• Declarative, procedural, and metacognitive knowledge
• Expectancy-value and self-efficacy theories of motivation
• Organizational modeling, workload, and documentation
Chapter 3 describes the research methodology and validation process used for this project.
Credibility, trustworthiness, validity, reliability, ethical considerations, and limitations are also
discussed, in detail, in this chapter.
Participating Stakeholders
SpinCo managers control the distribution of financial, human, and technological
resources within their departments. They hold the authority to initiate action to close knowledge,
motivation, and organizational gaps, making managers the ideal stakeholder group for this
analysis. Managers at SpinCo include departmental leadership and any employee with at least
one direct report. Participants were recruited according to the sampling and recruiting strategies
outlined below.

CLOSING THE COMPLIANCE GAP

44
44
Survey Sampling Criterion and Rationale: Managers
Criterion 1. Employed by SpinCo as a permanent employee, as reported through
organizational documentation. Contingent (contract, temporary, or consultant) employees were
not eligible to participate in this study.
Criterion 2. Employed by SpinCo for at least 60 days, as reported through organizational
documentation. SpinCo managers primarily participate in onboarding and acclimation activities
for the first 60 days after employment.
Criterion 3. Have at least one direct report, as reported through organizational structure
documentation or control (manage) the distribution of financial, human, or technological
resources for any departmental project. Managing direct reports and/or project resources
differentiates the manager stakeholder group from the employee stakeholder group who are
individual contributors.
Survey Sampling (Recruitment) Strategy and Rationale
Non-probability sampling was utilized for this study, as generalizability was not the
intention of this project. Purposeful, criterion based sampling was used, specifically, those who
qualify as SpinCo managers defined above. SpinCo is a small organization of around 100 people.
SpinCo is a “flat” organization, meaning it has few levels of management overall. Total
population sampling was anticipated to yield 40-50 managers for survey recruitment.
Data Collection and Instrumentation
CLOSING THE COMPLIANCE GAP

45
45
A convergent parallel mixed methods design was used for data collection (see Figure 3). The
mixed method design offered clarity and deeper-meaning through the triangulation of multiple
perspectives on assets and barriers related to appropriate manager response to compliance risks
(Creswell, 2014).This multi-phase design included concurrent quantitative survey data collection
(phase one) and the examination of existing data within the study setting (phase two). In phase
one of data collection, self-administered questionnaire data was collected from SpinCo
managers through an online survey. The survey assessed the significance of knowledge,
motivational, and organizational influences among managers that impacted their ability to
appropriately respond to compliance risks. The second phase of data collection included the
examination of existing physical evidence, or artifacts, that provided insight into SpinCo’s
organizational and cultural setting. Each phase of data collection was analyzed independently,
then results were compared for an overall quantitative and qualitative interpretation. See Table
6 for a summary of the data collection and analysis timeline. Appendix A presents a summary of
how each knowledge, motivation, and organizational influence was assessed within this project’s
multi-phase design.

Figure 3. Convergent parallel mixed methods design.

CLOSING THE COMPLIANCE GAP

46
46

Table 6
Data Collection Timeline
Data Collection Phase Duration
Phase One: Survey 6 weeks
Phase One: Analysis 2 weeks
Phase Two: Documents and Artifacts 6 weeks
Phase Two: Analysis 2 weeks
Comparison and Interpretation 2 weeks

Surveys
Self-administered questionnaires were delivered to participants through Qualtrics, a
secure, encrypted survey program. Forty-one (41) survey items collected information about
manager knowledge, motivation, and organizational influences on appropriate response to
compliance risk (see Appendix B for instrument and Appendix C for item-specific measurement
scales and influence alignment). Two demographic questions collected departmental and tenure
information. Thirteen items, presented to participants after the demographic items, asked
participants about compliance in general. The general compliance items were not used in results
or findings as they functioned merely as an orienting “warm-up” for survey participants. The
next 26 questions were targeted specifically toward ITS and EHS compliance.
Two existing survey instruments were adapted for use in this project, including
Bandura’s (2006) Teacher Self-Efficacy Scale and Hagemeier and Murawski’s (2014)
Postgraduate Training Value Instrument. Disclosures, such as the purpose of the study, the
ability to withdraw from the study without penalty, alternatives to participation, confidentiality,
and researcher contact information were provided to each participant through a study information
CLOSING THE COMPLIANCE GAP

47
47
sheet (see Appendix D). Survey participants were required to acknowledge the information
sheet, indicating consent, before the survey instrument was issued to the participant.
Documents and Artifacts
Although the researcher had access to the research setting, she was not allowed to
duplicate or photograph existing data due to confidentiality concerns. Therefore, observation
notes were generated while evaluating employee-accessible artifacts:
• Organization mission, vision, values, and goals
• Organizational structure, staffing, and resource allocation
• Performance, discipline, and incentive programs
• Offices, cubicles, break rooms, laboratories
• Training materials and training records
• Compliance program documentation and systems
Observations recorded through handwritten notes were transcribed into Microsoft Word for
analysis (see Data Analysis section).
Data Analysis
Surveys
Self-efficacy scales were used in the first half of the survey instrument to measure
respondents’ knowledge, motivational, and organizational influences. Likert scales items were
used in the latter half of the survey instrument to measure motivational influences. Ordinal data
from both self-efficacy and Likert scale items were analyzed through descriptive statistics to
provide manager perspectives about compliance response (see Appendix E for the survey data
analysis and presentation plan). Measures of frequency and central tendency (e.g., median,
CLOSING THE COMPLIANCE GAP

48
48
range) were analyzed. Patterns and themes from the descriptive statistical analysis of
questionnaires were compared to the document and artifact analysis.
Documents and Artifacts
Deductive and inductive coding of observer notes helped move existing data within the
research setting from concrete descriptions to abstract propositions. A priori codes are deductive
codes, typically developed before analysis begins (Harding, 2013). A priori, or deductive, codes
for this project reflected project areas of interest, such as knowledge, motivation, and
organizational influences in the context of key compliance program elements. Empirical codes
are inductive codes and were generated as important points emerged from analysis of the
observer notes (Harding, 2013). Positive, supportive evidence in the coded area was identified
with a plus symbol (+) while the lack of supportive evidence or contradictory elements was
identified with a minus (-) symbol. Appendix F lists codes used for this project. After application
of deductive and inductive codes, the coding was compared against the conceptual framework
for category identification. All inductive codes and categories fit within a priori categories. The
coded data was analyzed for patterns (frequent occurrences of codes) and themes (frequent
occurrences of patterns), and continually compared to the conceptual framework, research
questions, and quantitative data to develop findings. Results from both phases were compared for
an overall interpretation of quantitative and qualitative data
Validity, Reliability, Credibility, and Trustworthiness
The terms validity and reliability are traditionally used in quantitative research (Merriam
& Tisdell, 2016). Validity is concerned with accuracy, that is, accurately measuring the
phenomenon of focus. Internal validity is a measure of how accurately findings reflect contextual
reality. External validity is how accurate findings are when applied to the phenomenon in
CLOSING THE COMPLIANCE GAP

49
49
different settings (Creswell, 2014; Merriam & Tisdell, 2016). Reliability is a measure of
consistency concerning the ability to replicate the measures used to produce the findings. Internal
reliability is a measure of replicating results within the same context as the original work.
External reliability reflects the degree to which findings can be replicated in different settings
(Creswell, 2014; Merriam & Tisdell, 2016).
In qualitative research, philosophical debates have resulted in the common usage of
interchangeable terms similar in meaning to validity and reliability, such as credibility,
trustworthiness, dependability, confirmability, and rigor (Merriam & Tisdell, 2016). Regardless
of the term used to describe them, researchers must include strategies for increasing accuracy,
increasing consistency, and decreasing bias in their qualitative research designs (Creswell, 2014;
Maxwell, 2013; Merriam & Tisdell, 2016; Miles, Huberman, & Saldaña, 2014).
The principal strategy to increase internal validity, reliability, credibility, and
trustworthiness is triangulation (Creswell, 2014; Maxwell, 2013; Merriam & Tisdell, 2016;
Miles, Huberman, & Saldaña, 2014). The researcher used methods for triangulation as described
in the research literature, including using multiple theories, data sources, and data collection
methods (Maxwell, 2013; Merriam & Tisdell, 2016; Miles, Huberman, & Saldaña, 2014). Data
collection, analysis, and interpretation for this project included consideration of theoretical
knowledge categories (Baker, 2006; Bloom et al., 1956; Flavell, 1979; Krathwohl, 2002;
Pintrich, 2002; Rueda, 2011; Schön, 1983; Wilson, 2008), expectancy-value theory (Eccles,
2006), self-efficacy theory (Bandura, 1997; Pajares, 2009), and cultural theories (Erez & Gati,
2004; Schein, 2004) including the concept of cultural settings (Gallimore & Goldenberg, 2001;
Rudea, 2011; Schein, 2004). Integrating these theoretical perspectives into a single conceptual
framework ensures a higher degree of theoretical triangulation within this project.
CLOSING THE COMPLIANCE GAP

50
50
Two types of data were collected using both quantitative and qualitative methods.
Quantitative data was collected through self-administered questionnaires using close-ended
items. Two existing, validated survey instruments were adapted for use in this project, including
Bandura’s (2006) Teacher Self-Efficacy Scale and Hagemeier and Murawski’s (2014)
Postgraduate Training Value Instrument. To increase validity and reliability of survey data
collection, the researcher consulted with several methodology experts to adjust item number,
wording, format, and delivery before data collection initiation. Qualitative data was generated
through observer notes during the examination of documents and artifacts. Patterns and themes
from the descriptive statistical analysis of questionnaires were compared to the document and
artifact analysis. Employing triangulation strategies supported in the literature served to increase
the internal validity, reliability, credibility, and trustworthiness of this study (Creswell, 2014;
Maxwell, 2013; Merriam & Tisdell, 2016; Miles, Huberman, & Saldaña, 2014).
Several strategies for increasing validity and reliability are built into the dissertation
process (Merriam & Tisdell, 2016). For instance, a strategy for increasing internal validity and
credibility of study findings is called peer examination, or peer review. Study findings and
interpretations were thoroughly reviewed by academic and non-academic peers who are
knowledgeable enough about the topic and methodology to assess whether findings and
interpretations are plausible (Creswell, 2014; Merriam & Tisdell, 2016). For example,
knowledgeable student-peers, dissertation committee members, scientific writers/editors, and
research methodologists were recruited to review the manuscript either in part or in its entirety.
Audit trails are also integrated into the dissertation process, increasing reliability. As noted in
Merriam & Tisdell (2016), "readers can authenticate the findings of a study by following the trail
CLOSING THE COMPLIANCE GAP

51
51
of the researcher," typically described in the methodology section of a dissertation (p. 252).
The methodology section of this project lays a detailed procedural trail for readers to follow.
Ethics
The nature of researcher-participant relationships is the source of significant ethical
debate (Glesne, 2011; Merriam & Tisdale, 2016). In a qualitative study, the researcher is the
instrument though which data is collected, thus inherently biased to some degree (Maxwell,
2013; Merriam & Tisdale, 2016). Researchers must reflect deeply on the nature of relationships
to balance the generation of meaningful data with the protection of participants (Glesne, 2011).
Creswell (2014) lists several areas for ethical consideration, including permission from
gatekeepers, power balances, anonymity, disclosures, and Institutional Review Board (IRB)
approval. The following narrative describes these considerations and how they impacted the
researcher-participant relationship and research methodology of this project.
The researcher for this study had been a member of the study organization for 13 years.
She worked closely with the stakeholder group of focus within the compliance contexts under
study. In other words, the researcher was deeply embedded in the study context, complicating the
researcher-participant relationship. Actions taken to minimize bias while still generating
insightful data for this project are described below.
Although given informal, verbal permission from SpinCo gatekeepers to conduct
research onsite, the researcher obtained formal, written approval from the Legal Department to
conduct the research study. Since the researcher’s role as a member of the Human Resources
Department and a safety compliance associate created a complicated power balance among study
participants, only anonymous data was collected. Use of anonymous survey instruments
minimized the effect of researcher and participant bias (e.g., interviewer bias and social
CLOSING THE COMPLIANCE GAP

52
52
acceptability bias) resulting from these relationships. No identifiable information was obtained
in connection with this study. Although lacking legitimate authority, the researcher held varying
levels of informal expertise and referent authority within the context. Anonymity of participants
was intended to encourage participation and minimize researcher biases during quantitative data
review, analysis, and reporting. Only general demographic data was collected, including
department and tenure with the organization. This minimally biased quantitative data was used to
enrich qualitative observation notes about documents and artifacts within the research setting.
Disclosures, such as the purpose of the study, the ability to withdraw from the study
without penalty, alternatives to participation, confidentiality, and researcher contact information
were provided to each participant before quantitative data collection through study information
sheets. Participants were given an opportunity to download and print the study information
sheets in their entirety. The information sheets required electronic acknowledgment, indicating
consent, before the survey instrument was issued to the participant.
The goal of the University of Southern California (USC) IRB is to minimize risks to
study participants (Rubin & Rubin, 2012). Minimization of risk to study participants is achieved
through the review and approval of all proposed human subject research. Principles, including
informed consent to participate and the ability for participants to withdraw from study without
penalty, are paramount in IRB reviews (Glesne, 2011). A detailed proposal of this research study
was submitted to the USC IRB for review and approval before initiation of data collection to
ensure appropriate ethical considerations had been thoroughly addressed.
Generalizability and External Transferability
Although external generalizability was not the intention of this case study, external
transferability is possible through the provision of adequately detailed descriptive data (Creswell,
CLOSING THE COMPLIANCE GAP

53
53
2014; Maxwell, 2013; Merriam & Tisdell, 2016). It was the researcher’s responsibility to
provide enough information so that the reader may transfer study findings to other contexts if
applicable (Merriam & Tisdell, 2016; Miles, Huberman, & Saldaña, 2014). Sampling the entire
stakeholder population of 40-50 managers was intended to maximize the variety within the
sample, enhancing the validity of the study overall (Maxwell, 2013; Merriam & Tisdell, 2016).
The strategies outlined in this section are supported by research literature as contributing to the
validity and reliability of this project.
Limitations and Delimitations
Limitations
Some documented information may not have been available to the researcher, despite
permission by gatekeepers to evaluate it (Creswell, 2014; Johnson & Christensen, 2015). For
instance, the researcher could not evaluate documentation on financial resource allocation. A
second limitation is that existing documentation may have been inaccurate depending on where it
was found (Creswell, 2014; Johnson & Christensen, 2015). Strict document control was not
applicable to all information sought during this project, and there was a risk of using old,
outdated, or incomplete materials as the basis for data collection, analysis, and reporting. To
minimize this risk, the researcher attempted a thorough examination of both electronic and
physical records to confirm accuracy where possible. This limitation also provided insight into
resource availability among SpinCo employees.
Delimitations
Although a complete analysis of compliance response involves all stakeholder groups, for
practical purposes, SpinCo managers were the focus of this evaluation. Management’s authority
in the dissemination of knowledge, motivation, and organizational resources make them the ideal
CLOSING THE COMPLIANCE GAP

54
54
stakeholder group for analyzing impact on organizational compliance goals. Managers control
the distribution of financial, human, and technological resources within their departments and
hold the authority to initiate action to close knowledge, motivation, and organizational gaps
identified through this project.
Summary
Chapter 3 described the research methodology and validation process used for this project. Study
participants were selected according to the following sampling criterion: (1) employed by
SpinCo as a permanent employee, (2) employed by SpinCo for at least 60 days, and (3a) have at
least one direct report or (3b) control a portion of the distribution of financial, human, or
technological resources for any department. A convergent parallel mixed-method strategy
included quantitative surveys and qualitative environmental observations. Survey data collected
from self-efficacy and Likert scales, along with environmental observations of employee-
accessible artifacts and documentation, were used to validate the assumed KMO influences
among SpinCo managers. Credibility, trustworthiness, validity, reliability, ethical considerations,
and limitations are also discussed, in detail, in this chapter. Chapter 4 presents data collection
and analysis process details. Key findings in the areas of SpinCo manager knowledge,
motivation, and organizational resources are presented and assumed KMO influences are
identified as validated, validated in part, or not validated.

CLOSING THE COMPLIANCE GAP

55
55
CHAPTER 4: RESULTS AND FINDINGS
This study evaluated the perceived knowledge, motivation, and organizational
(KMO) influences among SpinCo managers that impact their appropriate response to compliance
risks in two organizational compliance programs: information technology security (ITS) and
environmental, health, and safety (EHS). The questions that guided this study were:
1. What are the knowledge, motivational, and organizational influences among SpinCo
managers that impacted their appropriate response to compliance risks?
2. How could organizational practices in the areas of knowledge, motivation, and
organizational resources be changed to facilitate appropriate manager response to
compliance risks?
Assumed knowledge, motivation, and organizational influences impacting appropriate manager
response to ITS and EHS compliance risks were verified against theories and related literature in
Chapter 2. Chapter 3 described the research methodology and validation process used to validate
assumed needs. This chapter presents key findings in the areas of SpinCo manager knowledge,
motivation, and organizational resources. Assumed KMO influences are identified as validated,
validated in part, or not validated.
Participating Stakeholders
In the first phase of data collection, self-administered questionnaire data was collected
from SpinCo managers through an online survey. The survey assessed the significance of
knowledge, motivational, and organizational influences among managers that impact their
appropriate response to ITS and EHS compliance risks. Participants were selected according to
the following sampling criterion: (1) employed by SpinCo as a permanent employee, (2)
CLOSING THE COMPLIANCE GAP

56
56
employed by SpinCo for at least 60 days, and (3a) have at least one direct report or (3b)
control a portion of the distribution of financial, human, or technological resources for any
department.
The following describes how the SpinCo manager population was determined. SpinCo is
a small organization of around 100 employees. It was originally estimated that total-population
sampling would yield between 40 and 50 managers for survey recruitment. First, all employees
who had at least one direct report were identified through an organizational chart accessible by
all employees. Then, all remaining employees were evaluated based on their overall position
within the company to see if they controlled the distribution of any financial, human, or
technological resources for any department. Career ladders, and job bands within the ladders,
categorize SpinCo positions. The first draft of participants included a direct interpretation of all
career ladders across the manager-level job band. There was gatekeeper concern that this direct
interpretation included too many individual contributors who did not qualify as managers
according to definition criteria described above insofar as they did not control the distribution of
any resources. The second list of potential study participants was generated by narrowing the
scope of positions without direct reports to include only senior-level positions in the scientific
and professional ladders. Further, only Cincinnati-based managers were included in the
participant pool for this study. The final list of SpinCo managers, as defined in this study,
included a sample population of 45 potential survey participants.
SpinCo gatekeepers expressed significant concern over whether survey recruitment
would violate solicitation and coercion norms (no formal policies in place). Significant
sensitivity was required during survey distribution to reduce the perception of unwelcome
solicitation and coercion among targeted employees In addition to complete participant
CLOSING THE COMPLIANCE GAP

57
57
anonymity, gatekeepers approved minimal use of SpinCo email addresses and servers for
distribution of study information to potential participants. Table 7 summarizes recruitment
communications to managers regarding their participation in this study. Recruitment
communications on Days 0, 2, 7, and 22, heavily emphasized the optional nature of the survey to
ensure manager awareness that participation was not required.
Table 7
Survey Recruitment Communications
Survey
Day
Description Sent From
0 Survey opened in Qualtrics. N/A
0
Investigator sent an email to the 45 potential participants outlining
information included in survey information sheet.
SpinCo
email servers
0 Investigator sent survey link to the 45 potential participants.
Qualtrics
distribution email
2
Investigator sent an email to 45 potential participants via SpinCo
email servers about emails from Qualtrics being routed to "Junk"
folders.
SpinCo
email servers
7 Investigator sent a reminder email to the 45 potential participants.
Qualtrics
distribution email
22 Investigator resent the survey link to the 45 potential participants.
SpinCo
email servers
40 Survey closed in Qualtrics. N/A
On Day 1, the researcher was notified by several potential participants that emails from
Qualtrics were found in SpinCo "junk" email folders. In response to the feedback, a follow-up
email was sent the next day to alert all potential participants of the issue. After the Day 2
communication, survey participation rose sharply (from 6 to 16) indicating not all potential
participants saw the Qualtrics survey email invitation. Survey data collection was targeted for
completion after 14 days. On Day 14, Qualtrics showed 22 survey responses. Due to known
barriers for participation, including Qualtrics emails going to “junk” folders, manager conference
CLOSING THE COMPLIANCE GAP

58
58
attendance, manager workloads, and manager vacations, the investigator decided it would be
appropriate to send an additional recruitment email, including the survey link, using SpinCo
email servers. This would ensure the survey link landed in all 45 potential participant inboxes.
By Day 40, Qualtrics showed 24 recorded responses, the last of which was recorded on Day 25.
The researcher decided to close the survey at that time. Three survey responses were discarded
due to less than half of the survey items having been completed. The final survey response rate
was 47% (21 of 45 mangers). Demographic information of survey respondents is displayed in
Figures 4 and 5.

Figure 4. Survey responses by SpinCo department.

CLOSING THE COMPLIANCE GAP

59
59

Figure 5. Survey responses by duration of SpinCo employment, including former ownership of
the company.
Survey Results (Quantitative)
Ordinal data from both self-efficacy and Likert scales were analyzed through descriptive
statistics. Measures of frequency and central tendency (e.g., median, range) were analyzed. Full
results from the descriptive statistical analysis are presented in Appendix G. Items 1-13 refer to
compliance in general. The general compliance items were not used in results or findings as they
functioned merely as an orienting “warm-up” for survey participants. Findings based on data
analysis of survey items 14-39 are presented below.
Knowledge Findings
Initially, it was assumed SpinCo managers needed knowledge regarding ITS and EHS
compliance risk (declarative knowledge), appropriate ITS and EHS risk responses (declarative
knowledge), and how to implement appropriate ITS and EHS risk responses (procedural
CLOSING THE COMPLIANCE GAP

60
60
knowledge). Additionally, it was assumed SpinCo managers needed to reflect on how they
have historically responded to ITS and EHS risks (metacognitive knowledge). Manager
knowledge is essential for establishing and maintaining compliance in all regulated
organizational domains (Markovitz & Jones, 2012). The ability of managers to apply declarative
knowledge through procedural knowledge has a significant impact on the implementation of
compliance programs across an organization. When managers understand their thinking through
metacognition, they can identify and monitor their strategies for maximizing acquisition and
application of other knowledge types for achieving organizational goals (Flavell, 1979; Pintrich,
2002).
Information technology security (ITS) knowledge findings. Survey data showed
SpinCo managers were confident in their knowledge of ITS compliance risks. Managers were
only moderately confident in their knowledge of appropriate ITS risk responses and of their
ability to implement ITS risk responses. Managers were confident they could reflect on the
appropriateness of their ITS risk response and quality of implementation. Survey results for ITS
knowledge items are displayed in Figure 6.
CLOSING THE COMPLIANCE GAP

61
61

Figure 6. ITS knowledge influence survey responses.
These survey results indicate an overall acceptable level of confidence in SpinCo
managers’ abilities around compliance risk knowledge and metacognitive knowledge (median
score ≥ 70). Declarative knowledge around appropriate ITS risk response and implementation of
risk response were validated as manager needs due to their moderate level of confidence. Survey
data across all five knowledge items showed a wide range of responses. Responses including
“cannot do at all” partially validated the need for compliance risk knowledge and metacognitive
knowledge for some SpinCo managers. Table 8 presents a list of ITS knowledge influences and
validation status based on these findings.
0
20
40
60
80
100
Item 14 Item 15 Item 16 Item 17 Item 18
Maximum 100 100 100 100 100
Median 70 50 50 70 70
Minimum 0 0 0 0 0
Confidence Score
Information Technology Security (ITS)
Knowledge Influences
CLOSING THE COMPLIANCE GAP

62
62
Table 8
ITS Knowledge Influence Validation Status
Category Assumed Need Validated
Validated
in Part
Not
Validated
Declarative
Managers need to know the ITS
compliance risks within the areas they
oversee.
X
Declarative
Managers need to know what types of
responses are appropriate to address ITS
compliance risk.
X
Procedural
Managers need to know how to
implement the appropriate response for
the identified ITS risk.
X
Meta-
cognitive
Managers need to “reflect-on-action” on
how they responded to ITS compliance
risk.
X

Environmental, health, and safety (EHS) knowledge findings. Survey data showed
SpinCo managers were confident in their knowledge of EHS compliance risks and appropriate
EHS risk responses. Managers were highly confident in their ability to implement EHS risk
responses. Managers were confident they could reflect on the appropriateness of their EHS risk
response and quality of implementation. Survey results for EHS knowledge items are displayed
in Figure 7.
CLOSING THE COMPLIANCE GAP

63
63

Figure 7. EHS knowledge influence survey responses.
These survey results indicate an overall acceptable level of confidence in SpinCo
managers abilities around EHS declarative, procedural, and metacognitive knowledge (median
score ≥ 70). However, survey data across items 29, 30, and 31 showed a wide range of responses.
Responses indicating “cannot do at all” partially validated the need for procedural knowledge
and metacognitive knowledge for some SpinCo managers. Refer to Table 9 for a list of EHS
knowledge influences and validation status based on these findings.
0
20
40
60
80
100
Item 27 Item 28 Item 29 Item 30 Item 31
Maximum 100 100 100 100 100
Median 80 80 90 80 80
Minimum 30 30 0 0 0
Confidence Score
Environmental Health & Safey (EHS)
Knowledge Influences
CLOSING THE COMPLIANCE GAP

64
64
Table 9
EHS Knowledge Influence Validation Status
Category Assumed Need Validated
Validated
in Part
Not
Validated
Declarative
Managers need to know the EHS
compliance risks within the areas they
oversee.
X
Declarative
Managers need to know what types of
responses are appropriate to address
EHS compliance risk.
X
Procedural
Managers need to know how to
implement the appropriate response for
the identified EHS risk.
X
Meta-
cognitive
Managers need to “reflect-on-action” on
how they responded to EHS compliance
risk.
X

Motivation Findings
Initially, it was assumed SpinCo managers needed motivation regarding the appropriate
response to ITS and EHS compliance risk. Motivation has a significant influence on the
effectiveness of organizational compliance programs. Knowledge is not enough to complete a
task. Managers must want to start a compliance task, persist at the task, and invest mental effort
toward completion of the task (Clark & Estes, 2008; Rueda, 2011). SpinCo managers needed to
see the value in responding appropriately to ITS and EHS compliance risks. Managers will be
more likely to engage in compliance tasks if the tasks are perceived as enjoyable, personally
meaningful, moves them toward a specific outcome, and have a low cost of engagement. SpinCo
managers also need to feel confident in their ability to respond appropriately to ITS and EHS
compliance risks since self-efficacy is one of the more relied upon motivational constructs to
consistently predict behavioral outcomes (Pajares, 2009).
CLOSING THE COMPLIANCE GAP

65
65
Information technology security (ITS) motivation findings. Survey data showed
95% of SpinCo managers agreed that being able to respond appropriately to ITS compliance
risks was important to them (attainment value). Seventy-five percent of managers liked being
able to appropriately respond to ITS compliance risks (intrinsic value). Fifty-five percent of
managers agreed that appropriately responding to ITS compliance risks is integral to company
and personal goal achievement (utility). Nearly half of respondents reported neutrality when
asked if appropriately responding to ITS compliance risk is difficult (expectancy). Half of
SpinCo managers disagreed that time spent responding to ITS compliance risks is better spent
doing other activities (cost). Survey results for ITS motivation items are displayed in Figure 8.

Figure 8. ITS motivation influence survey responses
These survey results indicate that, overall, managers see value in appropriate response to
ITS compliance risks. However, survey data showed areas of low value and expectancy that
CLOSING THE COMPLIANCE GAP

66
66
cannot be ignored. Some managers felt appropriate response to ITS compliance risks was not
integral to company or personal goals (25% and 10% respectively). Twenty-five percent of
SpinCo managers felt responding to ITS compliance risk was difficult. Another 20% of
managers felt responding to ITS compliance risk was time wasted. Expectancy, utility value, and
cost are areas of motivational need for some SpinCo managers. Refer to Table 10 for a list of ITS
motivation influences and validation status based on these findings.
Table 10
ITS Motivation Influence Validation Status
Category Assumed Need Validated
Validated
in Part
Not
Validated
Expectancy-
value
Managers need to see the value in
responding appropriately to ITS
compliance risks.
X
Self-efficacy
Managers need to feel confident in their
ability to respond appropriately to ITS
compliance risks.
X
a

a
Refer to Summary of Validated Needs section for justification.
Environmental, health, and safety (EHS) motivation findings. Survey data showed
95% of SpinCo managers agreed that being able to respond appropriately to EHS compliance
risks was important to them (attainment value). Ninety percent of managers liked being able to
appropriately respond to EHS compliance risks (intrinsic value). Fifty-two percent of managers
agreed that appropriately responding to EHS compliance risks was integral in company goals.
However, 76% felt appropriately responding to EHS compliance risks was integral in personal
goal achievement (utility). Fifty-seven percent of respondents reported disagreement when asked
if appropriately responding to EHS compliance risk is difficult (expectancy). Two-thirds of
SpinCo managers disagreed that time spent responding to EHS compliance risks was better spent
doing other activities (cost). Survey results for EHS motivation items are displayed in Figure 9.
CLOSING THE COMPLIANCE GAP

67
67

Figure 9. EHS motivation influence survey responses
These survey results indicate that, overall, managers see value in appropriate response to
EHS compliance risks. However, survey data showed an area of lower value around appropriate
EHS compliance risk response and organizational goal achievement. Nearly 30% of SpinCo
managers felt appropriate response to EHS compliance risks was not integral to organizational
goal achievement. It should also be noted that nearly 40% of SpinCo managers reported
neutrality when asked if appropriately responding to EHS compliance risk is difficult.
Expectancy and organizational utility are areas of motivational need for some SpinCo managers.
Refer to Table 11 for a list of EHS motivation influences and validation status based on these
findings.
CLOSING THE COMPLIANCE GAP

68
68
Table 11
EHS Motivation Influence Validation Status
Category Assumed Need Validated
Validated
in Part
Not
Validated
Expectancy-
value
Managers need to see the value in
responding appropriately to EHS
compliance risks.
X
Self-efficacy
Managers need to feel confident in their
ability to respond appropriately to EHS
compliance risks.
X
a

a
Refer to the Summary of Validated Needs for justification.
Organizational Findings
Initially, it was assumed SpinCo managers had needs in three cultural setting
components: role models, workload management, and documentation. Cultural settings, or social
contexts, are manifested in visible, concrete, and measurable practices (Rueda, 2011). People
mirror the actions of leaders (Andreisova, 2016). Therefore, SpinCo managers need role models
who demonstrate how to appropriately respond to ITS and EHS compliance risks. SpinCo
managers need to prioritize appropriate ITS and EHS risk response in their workloads. High
levels of perceived work demands generate stress, cognitive fatigue, and feelings of being
overwhelmed in employees, contributing to poor performance in compliance behaviors (Babajide
& Akintayo, 2011; Subramanyam et al., 2013; Sutthiwan & Clinton, 2008). Performance in tasks
perceived as secondary, such as compliance activities, is compromised when employees
encounter high demands to produce (Dai et al., 2015; Sutthiwan & Clinton, 2008).
Information technology security (ITS) organizational findings. Survey data showed
SpinCo managers were highly confident that they could identify company leaders who
demonstrate how to appropriately respond to ITS compliance risks. Managers were confident
CLOSING THE COMPLIANCE GAP

69
69
they could adjust their workload to appropriately respond to ITS compliance risks. Survey
results for ITS organizational items are displayed in Figure 10.

Figure 10. ITS organizational influence survey responses
These survey results indicate an overall acceptable level of confidence in SpinCo
managers abilities around identification of leadership role models and workload accommodation
for the appropriate response to ITS compliance risks (median score ≥ 70). However, survey data
for Items 19 and 20 showed a wide range of responses. Responses of “cannot do at all” partially
validates the need for identification of role models and workload accommodations for some
SpinCo managers. Refer to Table 12 for a list of ITS organizational influences and validation
status based on these findings.
0
20
40
60
80
100
Item 19 Item 20
Maximum 100 100
Median 90 80
Minimum 0 0
Confidence Score
Information Technology Security (ITS)
Organizational Influences
CLOSING THE COMPLIANCE GAP

70
70
Table 12
ITS Organizational Influence Validation Status
Category Assumed Need Validated
Validated
in Part
Not
Validated
Cultural
Setting
Managers need role models who
demonstrate how to appropriately
respond to ITS compliance risks.
X
Cultural
Setting
Managers need to prioritize appropriate
ITS risk response in their workloads.
X

Environmental health and safety (EHS) organizational findings. Survey data showed
SpinCo managers were highly confident that they could identify company leaders who
demonstrate how to appropriately respond to EHS compliance risks. Managers were confident
they could adjust their workload to appropriately respond to EHS compliance risks. Survey
results for EHS organizational items are displayed in Figure 11.

Figure 11. EHS organizational influence survey responses
0
20
40
60
80
100
Item 32 Item 33
Maximum 100 100
Median 90 80
Minimum 30 0
Confidence Score
Environmental Health & Safey (EHS)
Organizational Influences
CLOSING THE COMPLIANCE GAP

71
71
These survey results indicate an overall acceptable level of confidence in SpinCo
managers’ abilities around identification of leadership role models and workload accommodation
for appropriate response to EHS compliance risks (median score ≥ 70). However, survey data for
Item 33 showed a wide range of responses. Responses of “cannot do at all” partially validates the
need for workload accommodations for some SpinCo managers. Refer to Table 13 for a list of
EHS organizational influences and validation status based on these findings.
Table 13
EHS Organizational Influence Validation Status
Category Assumed Need Validated
Validated
in Part
Not
Validated
Cultural
Setting
Managers need role models who
demonstrate how to appropriately
respond to EHS compliance risks.
X
Cultural
Setting
Managers need to prioritize appropriate
EHS risk response in their workloads.
X

Documents and Artifacts Results (Qualitative)
The second phase of data collection included the examination of existing physical
evidence, or artifacts, that provided insight into SpinCo’s organizational and cultural setting.
Although the researcher had access to the research setting, she was not allowed to duplicate or
photograph existing data due to confidentiality concerns. Therefore, observation notes were
generated while evaluating employee-accessible documents and artifacts in real time. Sources
included company email, organizational networks and systems, paper files, and signage. A priori
codes based on the conceptual framework were used to organize contextual observations.
Specifically, elements of compliance programs described in Chapter 2 were targeted. Areas of
interest included documentation, resource allocation, training and communication strategies,
incentive and discipline resources, program monitoring, and compliance program management.
CLOSING THE COMPLIANCE GAP

72
72
Positive, supportive evidence and the lack of supportive evidence or contradictory elements
were identified through the observation and evaluation of employee-accessible documents and
artifacts. Qualitative findings are presented below.
Documentation
Compliance program documentation includes policies, procedures, guidelines,
workflows, standard operating procedures and a myriad of other resources. Parker and Nielson
(2009) found that compliance program documentation—especially written policies—positively
impact compliance in practice. A functional system of detailed documentation provides guidance
for individuals required to follow specific procedures (Andreisova, 2016). SpinCo managers
need ITS and EHS documentation that is succinct, consistent, accessible, and relevant.
Availability and accuracy. Compliance documentation at SpinCo is made available to
managers in multiple ways. Since the spin-off in January 2017, the most common method for
distributing compliance documentation has been through email attachments. For example,
policies are often provided to employees through a one-time email after policy approval. Another
method for distributing compliance documents is placement on the SpinCo network. Both ITS
and EHS documentation is available in network folders accessible by all employees. A third
method for distributing compliance documentation is using legacy (NewCo) intranet sites. EHS
policies and resources are available on a legacy Microsoft SharePoint site.
Three current Information Technology (IT) policy documents and 23 standard operating
procedure (SOP) documents are available to all employees under five folder levels within a
controlled document network folder. IT policies and procedures are listed by strict nomenclature
and document title format. Minor inaccuracies were noted in ITS documentation. For example,
one SOP refers to a specific corporate security department that existed at ParentCo but does not
CLOSING THE COMPLIANCE GAP

73
73
currently exist at SpinCo. Another policy states “accounts will be locked with 10 unsuccessful
password attempts” – in practice, from researcher experience, three unsuccessful attempts will
lock a user out.
One current EHS policy exists that describes emergency response and general safety
rules. Four outdated EHS policies covering specific risk areas, such as chemical, biological, and
radiation safety, are stored on a legacy SharePoint site that has been sporadically accessed by a
limited number of employees since 2010. This legacy site includes additional outdated safety
information such as inaccurate contact lists and broken links to regulatory agencies. A
formalized biennial document review cycle was observed within both ITS and EHS compliance
documents.
Overall, the level of availability and accuracy of the compliance program documentation
evidenced above is not adequate to facilitate appropriate manager response to ITS and EHS
compliance risks. Email distribution of compliance documentation is inefficient, especially for
new managers who may never receive the information to reference. Email and attachments are at
high risk for being overlooked in an otherwise full email inbox. It is incumbent on a manager to
recognize the importance of the attachment and enact his or her document management strategy.
Outdated and difficult to access documentation presents a significant barrier to appropriate
manager response to compliance risks. Inaccuracies in EHS and ITS compliance documentation
could be the result of transcriptions made from ParentCo compliance documentation and
approval before spin-off. The biennial document review frequency seems too infrequent to
adequately capture changes within the SpinCo ITS and EHS compliance programs.
As of the writing of this manuscript, SpinCo has begun to design and develop a new
internal Microsoft SharePoint site. According to project communications, the new intranet will
CLOSING THE COMPLIANCE GAP

74
74
provide a “one-stop-shop” for critical documentation and resources. This new internal site will
significantly facilitate consolidation and accessibility of ITS and EHS compliance documentation
and resources.
Relevancy. ITS policies and SOP documents contain a significant amount of factual
knowledge, including “dos and don'ts.” However, existing ITS policies and SOP documents
often lack instructions (procedural) and information for how to specifically respond to
compliance risks. Quantitative data showed that SpinCo managers were only moderately
confident in their declarative and procedural knowledge around appropriate ITS risk responses.
Lack of procedural information in ITS documentation may account for this. For instance, one
document states “employees must use reasonable and appropriate measures to secure Sensitive
Information.” However, declarative and procedural information about “reasonable and
appropriate measures” are not available within the document. ITS compliance documentation, in
some cases, are written in general terms so that the standards technically apply to “all” systems.
However, the practical intention is to include very few, critical systems. The language used in
ITS documentation is legal and technical. Acronyms are sometimes not defined.
The EHS emergency response document has been updated since the spin-off and is
relevant to the context of employees at the Cincinnati site. This document includes several tables
with an emergency in one column and appropriate response in another. Quantitative data showed
that SpinCo managers were confident and highly confident in their declarative and procedural
knowledge around appropriate EHS risk responses. The format of this EHS document may
account for this. As noted previously, four outdated EHS policies covering specific areas, such as
chemical, biological, and radiation safety, are stored on a legacy SharePoint site.
CLOSING THE COMPLIANCE GAP

75
75
Overall, the relevancy of the compliance program documentation evidenced above
could be improved to adequately facilitate appropriate manager response to ITS and EHS
compliance risks. Compliance program documentation must connect with existing practices and
assumptions of the organization to make a positive impact on performance (Parker & Nielson,
2009). SpinCo managers are a diverse audience with various backgrounds. It would be
misguided to assume all readers are familiar enough with ITS or EHS compliance to use
undefined acronyms, highly technical terminology, and legal language. Complex language
makes information difficult to understand, undermining the compliance purpose of the document
(Carthey et al., 2011). Overly general documentation does not support appropriate response and
may encourage inappropriate compliance risk response (over-response). The EHS emergency
response plan format (e.g., using tables) facilitates managers finding appropriate response
information efficiently. However, there is only one relevant EHS compliance document covering
a small portion of the EHS compliance program. While outdated EHS documentation may still
hold value in the communication of general declarative knowledge, their outdated context
reduces relevancy for managers who require knowledge of how to implement responses in the
SpinCo context. SpinCo managers need ITS and EHS documentation that is succinct, consistent,
accessible, and relevant. The evidence presented above validates this organizational influence.
Documentation improvement recommendations are discussed further in Chapter 5.
Resource Allocation
Compliance program resource allocation includes financial and human capital resources.
Parker and Nielson (2009) found that organizational resources must be allocated appropriately
for compliance programs to be effective. Compliance program managers require sufficient
CLOSING THE COMPLIANCE GAP

76
76
financial and human capital resources to meet organizational compliance goals (Deloitte,
2015; Andreisova, 2016).
Financial resource allocation. Limited information was available to evaluate ITS and
EHS financial resources. The IT function has an allocated budget (cost center) managed by the
IT Director. The EHS function also has an allocated budget (cost center) managed by a Safety
Specialist. Information was not available as to whether either budget was perceived as sufficient
to facilitate appropriate manager response to compliance risk. Annual budgetary exercises should
support proposed ITS and EHS compliance program improvements since, as evidenced above,
the cost centers already exist.
Human capital resource allocation and compliance program management. Resource
allocation in staffing demonstrates both assets and barriers for appropriate compliance risk
response. SpinCo’s human capital resources include the following ITS and EHS compliance
related positions: Internal Audit Director, IT Director, Safety Specialist, and Safety Officers. The
Internal Audit Director holds expertise in risk assessment and compliance. This individual is
accessible by all managers and compliance program leaders. The primary stakeholders for this
position are the organizational Board of Directors and external regulators. The Internal Audit
Director is often focused on Sarbanes-Oxley (SOX) compliance, that is, corporate governance
and financial accountability. The Internal Audit Director position has served as a critical resource
for other SpinCo compliance risk areas through the spin-off. The IT Director manages the ITS
compliance program as part their functional oversight role. This position also serves as a subject
matter expert on ITS compliance. The IT Director is an experienced program/project manager in
the ITS domain who is accessible by all SpinCo managers. The IT Director leverages the
expertise of external contractors for compliance projects when required. A Safety Specialist
CLOSING THE COMPLIANCE GAP

77
77
serves as the EHS compliance program manager and is accessible by all managers. The Safety
Specialist’s expertise is based on organizational experience and they spend approximately 10-
15% of their time on safety compliance program management. The Safety Specialist actively
leverages the expertise of external vendors, internal experts, compliance professionals, and safety
networks to supplement EHS compliance knowledge gaps. Three individuals serve as volunteer
Safety Officers, each responsible for specialized knowledge in specific safety risk areas
(biological, chemical, and radiation risks). Safety Officer expertise is also based on
organizational experience.
The existence and accessibility of ITS and EHS compliance staff serve to positively
impact appropriate manager response to compliance risk. The ITS compliance program appears
to have sufficient staffing (including contractors) and expertise for effective program
management. Divergent priorities and lack of expertise may be a concern within EHS
compliance program management. Although SpinCo does not have dedicated ITS and EHS
compliance staff, all employees responsible for ITS and EHS compliance program components
are easily accessible (physically and via electronic communication channels) to managers
looking for information and guidance in compliance risk response.
Training and Communication
Employee training positively impacts compliance in practice, especially among new
employees (Parker & Nielson, 2009). Stokols et al., (2001) found that irrespective of the size of
the organization, participation in safety training led to positive changes in employee knowledge
around safety requirements. Spreading knowledge, or communicating, about compliance
programs, whether through formal training or internal marketing efforts, is essential for program
CLOSING THE COMPLIANCE GAP

78
78
success (Andreisova, 2016). SpinCo ITS and EHS compliance programs include both new and
ongoing employee training and communication.
New employee training. New employee orientations include formal one-on-one
meetings with a variety of organizational compliance leaders, including those in Quality, Payroll,
Accounting, Facilities, Legal, Information Technology, and Safety. The Human Resource
Department schedules the meetings. The compliance leader determines occurrence and content
of the one-on-one meetings. No formal objectives or curriculum has been established for
organizational compliance orientations for new employees.
IT new employee training includes a 10-15 minute one-on-one orientation with a
helpdesk technician to set-up equipment and confirm network connectivity. An online training
module covering ITS is assigned to new employees. The IT Director runs periodic reports to
ensure all new employees have completed the online training module. Review and
acknowledgment of IT policy documents are not currently part of the new employee training.
EHS new employee training includes a 10-15 minute one-on-one orientation with a Safety
Specialist. Between five and seven online training modules are assigned to new employees based
on the risks an employee is expected to encounter in their work. Review and acknowledgment of
the EHS emergency response document is a component of EHS new employee training. The
Safety Specialist rarely runs reports to determine completion status of online training modules.
Although, as evidenced above, new employee orientations are not necessarily formalized
under learning objectives, the existence of both ITS and EHS training for new employees serves
to positively impact compliance in practice (Parker & Nielson, 2009). Newly hired managers are
provided a minimal level of awareness and tools, primarily through self-paced online training
modules, to appropriately respond to compliance risks. Improvement in new employee
CLOSING THE COMPLIANCE GAP

79
79
orientation organization, formalization, and leadership accountability could further empower
managers to respond appropriately to compliance risks. Training improvement recommendations
are discussed further in Chapter 5.
Ongoing training. Ongoing ITS training program components were not available at the
time of observation. They are being identified and the IT Director and the Quality department are
developing a strategy for implementation. All existing employees have completed the ITS online
module. Ongoing EHS training includes a variety of mandated and optional components.
Completion of an online Bloodborne Pathogens training module is required annually, per
regulation, for all employees. Hazardous material employees, those who sign waste manifests on
behalf of the company, are provided training and are assessed per regulation every two years.
Radiation employees, those who work with or handle radioactive materials or waste, receive
annual in-person training and assessment from an outside expert. Non-mandatory EHS training
sessions include annual security, personal safety, first aid, and ergonomic training. Many of these
ongoing training components are carried over from ParentCo practices and remain relevant to
most audiences.
Quantitative data showed that SpinCo managers were only moderately confident in their
declarative and procedural knowledge around appropriate ITS risk responses. The same
managers were confident and highly confident in their declarative and procedural knowledge
around appropriate EHS risk responses. These results could reflect the robustness of existing ITS
and EHS training programs. As SpinCo compliance programs are developed, ongoing ITS and
EHS training programs will continue to evolve to serve the needs of managers who are expected
to appropriately respond to compliance risk. Managers would benefit from compliance training
programs that continue to utilize risk assessments and a variety of media, and that target their
CLOSING THE COMPLIANCE GAP

80
80
need to appropriately respond to context-specific compliance risk. Training improvement
recommendations are discussed further in Chapter 5.
Communication. IT policy requires that employees be periodically exposed to ITS
awareness information. To fulfill that requirement, the IT Director distributes a monthly
information technology security bulletin that covers an organizationally relevant ITS topic. The
monthly bulletin is attached to an email distributed to all organizational employees, including
managers. Additionally, the IT Director sends notification emails when/if ITS issues relevant to
SpinCo arise (e.g., WannaCry). EHS primarily uses peer-based channels for communication. For
example, safety committee meetings bring together representatives from various function groups
to share EHS questions, concerns, and processes. The Safety Specialist talks one-on-one with
employees and managers about compliance risk response. Safety signage is posted through
laboratories describing where not to wear gloves and where to don personal protective equipment
(PPE). PPE reminder signage featuring celebrity Mr. T was created and posted in 2010 and PPE
reminder signage featuring the TV show Breaking Bad was created and posted in 2014.
ITS and EHS utilize different channels to disseminate and market relevant information.
However, the communication channels evidenced above are inefficient when used alone. Email
distribution of awareness information can be inefficient, especially for new managers who may
never receive the information to reference. Email and attachments are at high risk for being
overlooked in an otherwise full email inbox. It is incumbent on a manager to recognize the
importance of the attachment and enact his or her document management strategy. Although
awareness emails target a broad, general audience, they may not help managers with specific risk
response situations requiring more guidance. Although peer-based and one-on-one
communication provide context-specific guidance for manager response questions, the scope is
CLOSING THE COMPLIANCE GAP

81
81
too narrow to be efficient. Existing posters providing personal protective equipment guidance
use pop-culture visuals to increase saliency. However, the signage has been posted in laboratory
areas from 3-7 years, making them very familiar (not salient) for managers who encounter them
regularly. Improvements to compliance response communication are discussed in Chapter 5.
Discipline and Incentives
Researchers recognize compliance discipline and incentive programs are among the most
difficult compliance elements to implement (Andreisova, 2015). Information about formal
organizational discipline and incentive programs for managers responding to ITS or EHS
compliance risk could not be located. ITS and EHS compliance goals do not appear to be
formalized across the organization (outside of compliance program managers). Targeted
incentives, through the provision of personal protective equipment and training, were observed in
the EHS compliance program. For example, Spinco subsidizes prescription safety glasses to
encourage their purchase and use. In both compliance domains, punishment is generally not
supported due to a likelihood that it will discourage self-reporting. Although quantitative data
validated motivation needs only in part, SpinCo manager motivation may benefit from formal
and informal manager recognition for their appropriate response to compliance risks, over
tangible rewards. Opportunities for incentives are discussed in Chapter 5.
Monitoring and Auditing
Implementing a formal monitoring strategy for ongoing identification and rectification of
compliance gaps increases the probability that needed program changes will be made promptly
(Parker & Nielson, 2009). Monitoring and auditing resources at SpinCo are heavily dependent on
the risk tolerance of the organization. For instance, SpinCo’s handling of electronic records is a
high-risk category due to SOX compliance standards. Thus, external risk assessments and audits
CLOSING THE COMPLIANCE GAP

82
82
are generally supported, as needed, for risk areas such as ITS. In general, based on the work
conducted onsite at SpinCo, EHS is considered a low-risk area regarding organizational impact.
Resources for external EHS compliance audits go through the budgeting process and must be
justified to a greater extent than other, higher-risk compliance programs. For example, the EHS
budget includes an annual (per regulation) radiation safety program audit by an external auditor.
EHS relies heavily on internal monitoring efforts to identify compliance gaps and program
efficiency. For example, volunteers from the organizational safety committee conduct periodic
facility inspections to identify areas of noncompliance. Information could not be found regarding
the establishment of formal ITS metrics to measure ITS compliance program effectiveness.
Comprehensive, formal metrics have not been established to measure EHS compliance program
effectiveness.
When justified, periodic external audit resources are available for ITS and EHS
compliance programs. This helps ensure program standards and processes match those defined in
regulations. Internal monitoring serves as an ongoing assessment of compliance program
effectiveness, as long as comprehensive metrics are in place. In addition to outcome and process
measures, Kroll (2012) found incorporating both objective and subjective measures paint the
most complete picture of compliance program effectiveness. To evaluate the effectiveness of ITS
and EHS compliance programs, specifically their value in guiding managers toward
appropriately responding to compliance risks, qualitative and quantitative metrics need to be
developed that include outcome and process measures, collected by both objective and subjective
means, that are meaningful and feasible to SpinCo. Measurement and evaluation of compliance
response improvement programs are discussed in Chapter 5.

CLOSING THE COMPLIANCE GAP

83
83
Summary of Validated Needs
SpinCo manager survey results and environmental observations validated, partially
validated, and invalidated several knowledge, motivation, and organizational needs regarding
appropriate response to ITS and EHS compliance risks. See Table 14 for a complete summary of
validation status based on findings. Fully-validated influences included the need for SpinCo
mangers to know what types of ITS responses are appropriate to address ITS compliance risks
and how to implement ITS risk responses. Additionally, the need to provide SpinCo managers
succinct, consistent, accessible, and relevant compliance response documentation was validated
in full. Many influences were partially validated based on the wide range of responses given in
the survey. Specifically, manager confidence responses of “cannot do at all” demonstrate that
some SpinCo managers require solutions in these areas. Therefore, their needs should not be
ignored as influencers for appropriate compliance risk response, especially when data showed
SpinCo manager confidence is high overall. Some areas could be improved to bring all managers
into alignment, specifically ITS response utility and difficulty. Similarly, although rating highly
overall, some aspects of motivation are worth addressing based on disagreement scores. Results
showed managers value appropriate ITS and EHS risk responses. However, some areas of value
could be targeted to bring all managers into alignment, specifically ITS response difficulty and
overall response utility.
Invalidated influences include the need for declarative EHS knowledge and identification
of EHS response role models. Manager responses indicate varying levels of confidence, but no
“cannot do at all” responses for these invalidated EHS influences. Overall, data showed
confidence is not an issue of concern among SpinCo managers regarding appropriate ITS and
EHS compliance response. Managers median scores showed overall that they are moderately to
CLOSING THE COMPLIANCE GAP

84
84
highly confident when it comes to ITS and EHS compliance risks, responses, implementation,
and reflection. However, at least one manager (and as many as seven) reported lower self-
efficacy (score of ≤ 40) in each knowledge and organizational influence. This data partially
validates the need for interventions related to both low and high manager confidence. Chapter 5
provides solutions, based on data and literature, for closing the compliance response gaps as well
as recommendations for solution implementation and evaluation.
CLOSING THE COMPLIANCE GAP

85
85
Table 14
Summary of Validated KMO Needs
Category Assumed Need Validated
Validated
in Part
Not
Validated
K
Declarative
Managers need to know the ITS and
EHS compliance risks within the
areas they oversee.
ITS EHS
K
Declarative
Managers need to know what types
of responses are appropriate to
address ITS compliance risk.
ITS EHS
K
Procedural
Managers need to know how to
implement the appropriate response
for the identified ITS and EHS risk.
ITS EHS
K
Metacognitive
Managers need to “reflect-on-action”
on how they responded to EHS
compliance risk.
ITS/EHS
M
Expectancy-
value
Managers need to see the value in
responding appropriately to ITS and
EHS compliance risks.
ITS/EHS
M
Self-efficacy
Managers need to feel confident in
their ability to respond appropriately
to ITS and EHS compliance risks.
ITS/EHS
O
Cultural Setting
Managers need role models who
demonstrate how to appropriately
respond to ITS compliance risks.
ITS EHS
O
Cultural Setting
Managers need to prioritize
appropriate ITS and EHS risk
response in their workloads.
ITS/EHS
O
Cultural Setting
Managers need ITS and EHS
documentation that is succinct,
consistent, accessible, and relevant.
ITS/EHS

CLOSING THE COMPLIANCE GAP

86
86
CHAPTER 5: RECOMMENDATIONS
Recommendations for Practice to Address KMO Influences
This study evaluated the perceived knowledge, motivation, and organizational (KMO)
influences among SpinCo managers that impact their appropriate response to compliance risks in
two organizational compliance programs: information technology security (ITS) and
environmental, health, and safety (EHS). Chapter 4 presented the collection and analysis of
quantitative survey data and existing data within the study setting. Fully-validated influences
included the need for increased ITS declarative and procedural knowledge. Additionally, the
need for relevant compliance response documentation was validated in full. Several knowledge,
motivation, and organizational influences were partially validated based on the wide range of
manager responses given in the survey, including in the areas of metacognition, modeling,
workload priority, value, and self-efficacy. Chapter 5 explores how SpinCo can revise their
practices to facilitate appropriate manager response to ITS and EHS compliance risks. A
comprehensive ITS and EHS compliance risk response improvement program is presented along
with an evaluation plan to monitor effective application of recommended interventions, based on
the New World Kirkpatrick Model (Kirkpatrick & Kirkpatrick, 2016). It is anticipated that
application of the recommendations in Chapter 5 will increase critical compliance behaviors
among managers and facilitate desired organizational compliance outcomes.
Knowledge Recommendations
Introduction. Table 15 represents a complete listing of the knowledge influences
presented in Chapter 2 plus their validation status based on data collection and analysis. Each of
the five knowledge influences listed below is divided into one of three knowledge categories, or
types, as described by Krathwohl's (2002) revised taxonomy: (1) declarative, (2) procedural, and
CLOSING THE COMPLIANCE GAP

87
87
(3) metacognitive (Bloom, Engelhart, Furst, Hill, & Krathwohl, 1956; Rueda, 2011).
Knowledge is a critical factor in organizational performance (Clark & Estes, 2008). Validation
and categorization of SpinCo manager knowledge influences facilitates the recommendation of
solutions to close knowledge gaps based on theoretical principles (Rueda, 2011). Table 15
includes recommendations for context-specific knowledge solutions.
CLOSING THE COMPLIANCE GAP

88
88
Table 15
Summary of Knowledge Influences and Recommendations
Knowledge Need Principle and Citation Recommendation
Managers need to know the
ITS and EHS compliance
risks within the areas they
oversee. (Declarative)
Information and job aids
improve performance with
routine tasks or when
important tasks are rarely
encountered (Clark & Estes,
2008).
Provide managers information
via documentation about ITS
compliance risks.

Managers need to know what
types of responses are
appropriate to address ITS
and EHS compliance risks.
(Declarative)
Information and job aids
improve performance with
routine tasks or when
important tasks are rarely
encountered (Clark & Estes,
2008).
Provide managers information
via documentation about
appropriate ITS/EHS
compliance responses.

Managers need to know how
to implement the appropriate
response for
identified/priority ITS and
EHS risks. (Procedural)
Information and job aids
improve performance with
routine tasks or when
important tasks are rarely
encountered (Clark & Estes,
2008).

Provide managers job aids
(decision-tree) connecting
ITS and EHS risk, response,
and implementation.
Facilitating transfer, through
scaffolding, promotes
learning (Mayer, 2011).
Managers need to reflect-
before-action on how they
would respond to a variety of
ITS and EHS compliance risk
scenarios. (Metacognitive)
The use of metacognitive
strategies facilitates learning
(Baker, 2006).
Provide managers prompts for
reflection-before-action
practice where managers are
instructed to consider
hypothetical ITS and EHS
compliance risk scenarios,
then choose an appropriate
response and implementation
plan.
Anticipatory reflection may
increase anticipatory
competence, the ability to
manage uncertainty and
respond appropriately to a
variety of hypothetical
compliance scenarios
(Gardiner & Rieckmann,
2015; Greenwood, 1993; Van
Manen, 1995; Wilson, 2008).

CLOSING THE COMPLIANCE GAP

89
89
Declarative knowledge solutions. Research shows that declarative knowledge among
managers has a significant impact on an achievement and maintenance of compliance across an
organization. The declarative knowledge category includes factual and conceptual knowledge
(Bloom, Engelhart, Furst, Hill, & Krathwohl, 1956; Krathwohl, 2002; Rueda, 2011). The factual
knowledge category includes knowledge of basic compliance elements, such as terminology,
definitions, and mandate components (Krathwohl, 2002). The conceptual category includes
knowledge of the interrelationships among basic elements expressed as categories, principles, and
models (Krathwohl, 2002). Noncompliance is often rooted in the lack of declarative knowledge
(Hawkins & Muir, 2014; Kelly, 2010; Massey & Campbell, 2013; Van Noorden, 2013). The data
shows that SpinCo managers need to know:
1. ITS and EHS compliance risks within the areas they oversee (factual)
2. What types of responses are appropriate to address ITS and EHS compliance risks
(factual)
3. Which responses are appropriate for priority ITS and EHS risks (conceptual)
Managers need to be provided ITS and EHS compliance information since declarative
knowledge, both factual and conceptual, is essential for establishing and maintaining compliance
within SpinCo’s ITS and EHS programs (Clark & Estes, 2008; Markovitz & Jones, 2012).
Information provides the definitions and concepts required for understanding appropriate
compliance response and helps “reduce [manager] uncertainty about how to achieve a
[compliance] performance goal” (Clark & Estes, 2008, p. 58). Compliance risks, such as those
associated with waste disposal (EHS), are routine and include strictly defined standards. Other
compliance risks, such as social engineering and phishing (ITS), and chemical spills (EHS)
happen infrequently and unexpectedly. According to Clark and Estes (2008), the provision of
CLOSING THE COMPLIANCE GAP

90
90
information could improve the identified knowledge gaps in both routine tasks and with tasks
that are rarely encountered. Declarative knowledge can also, directly and indirectly, impact
manager motivation (e.g., value and self-efficacy) (Bulgurcu et al., 2010). SpinCo managers
should be provided factual information via documentation about ITS and EHS compliance risks
and appropriate ITS and EHS compliance risk responses. Managers should also be provided
information connecting ITS and EHS risks with appropriate responses to close conceptual
knowledge gaps.
Procedural knowledge solutions. The ability of managers to apply factual and
conceptual compliance knowledge through procedural knowledge has a significant impact on the
implementation of compliance programs across an organization. The procedural knowledge
category includes knowing how to complete a compliance task and can involve techniques,
skills, process, and knowing when to use a procedure (Krathwohl, 2002). Inappropriate
procedural application of compliance knowledge could result in noncompliance and bring
serious consequences to an organization (Welty, 2010). SpinCo managers need to know when
and how to implement the appropriate response for priority ITS and EHS risks. Managers need to
be provided ITS and EHS procedural information since rapid operationalization of declarative
compliance knowledge helps the organization achieve its compliance goals.
Many SpinCo managers have been working in their domain for over 15 years. This
extensive experience has given them the opportunity to hone the effective application of
procedural compliance knowledge related to their work. Regarding ITS and EHS compliance,
SpinCo managers are being asked to apply their existing expertise in a way that is closely
related, but likely different from, their prior experience at other companies. Job aids are useful
for “experts who are being asked to use a new approach but do not need training” (Clark &
CLOSING THE COMPLIANCE GAP

91
91
Estes, 2008, p. 58). According to Clark and Estes (2008), the provision of job aids could
improve the identified procedural knowledge gap in routine tasks and with tasks that are rarely
encountered. Compliance risks, such as those associated with waste disposal (EHS), are routine
and include strictly-defined standards. Other compliance risks, such as social engineering and
phishing (ITS), and chemical spills (EHS) happen infrequently and unexpectedly. SpinCo
managers should be provided decision-tree job aids that connect ITS and EHS compliance risks,
responses, and implementation techniques. Facilitating procedural transfer, such as through
decision-tree scaffolding, promotes learning in managers (Mayer, 2011). Further, managers who
know when and how to complete tasks compliantly are likely able to scaffold procedural learning
for less tenured employees in the department(s) they oversee, facilitating rapid achievement of
organizational compliance goals.
Metacognitive knowledge solutions. Metacognition refers to one’s awareness and
control of their cognition and how they learn (Mayer, 2011). When managers understand their
thinking, they can identify and monitor their strategies for maximizing acquisition and
application of other knowledge types for achieving organizational goals (Flavell, 1979; Pintrich,
2002). The metacognitive knowledge category includes awareness and control of one's thinking
processes, including how managers plan, evaluate, and revise task strategy based on personal
cognitive tendencies (Baker, 2006; Flavell, 1979; Krathwohl, 2002; Pintrich, 2002). When
managers can observe, check, and alter their existing thinking routines, they are better able to
solve departmental compliance problems (Berardi-Coletta, et al., 1995; Flavell, 1979; Pintrich,
2002).
The use of reflective prompts has been shown as an effective metacognitive learning
strategy (Bannert & Mengelkamp, 2008). Wilson (2008) builds on Schön (1983) to describe
CLOSING THE COMPLIANCE GAP

92
92
three reflective practices where SpinCo managers can use reflective prompts to improve future
performance: (1) reflection-on-action, (2) reflection-in-action, and (3) reflection-before-action.
Reflection-on-action refers to thinking, retrospectively, on past actions and events for new
learning (Schön, 1983). Reflection-in-action refers to active reflection during the event, that is,
thinking about the task underway to modify current action (Nicol & Dosser, 2016; Schön, 1983).
Reflection-before-action, also called anticipatory reflection and preflection, refers to thinking
through possible outcomes before an event occurs (Greenwood, 1993; Van Manen, 1995).
Although this evaluation asked managers about reflection-on-action, Wilson (2008) states that in
dynamic, fast-paced environments, such as those found at SpinCo, it is often most practical to
practice reflection-before action.
Reflection-before-action facilitates deep consideration of a variety of futures (Wilson,
2008). Prompting reflection-before-action may increase anticipatory competence in SpinCo
managers, that is, their ability to manage uncertainty and respond appropriately to a variety of
relevant hypothetical compliance scenarios (Gardiner & Rieckmann, 2015; Greenwood, 1993;
Van Manen, 1995; Wilson, 2008). Therefore, it is recommended that SpinCo managers be
provided with prompts to practice reflection-before-action, or preflection, on compliance risk,
response, and implementation. They could be instructed to consider relevant hypothetical
compliance risk scenarios, choose an appropriate response and implementation plan, and then
reflect on their decision. The use of prompting as a reflective metacognitive strategy would
facilitate manager learning by creating a safe space where managers can practice activating prior
knowledge and gain awareness of ineffective habits, biases, and assumptions regarding
appropriate response to SpinCo-specific compliance risk (Baker, 2006; Brand, Osborne, Carroll,
Carr, & Etherton-Beer, 2016).
CLOSING THE COMPLIANCE GAP

93
93
Motivation Recommendations
Introduction. Table 16 represents a complete listing of the motivation influences
presented in Chapter 2, plus their validation status based on data collection and analysis.
Motivation has a significant influence on the effectiveness of organizational compliance
programs. Knowledge is not enough to complete a task. Managers must want to start a
compliance task, persist at the task, and invest mental effort toward completion of the task (Clark
& Estes, 2008; Rueda, 2011). Table 16 includes recommendations for context-specific
motivation solutions.
CLOSING THE COMPLIANCE GAP

94
94
Table 16
Summary of Motivation Influences and Recommendations
Motivation Need Principle and Citation Recommendation
Managers need to see the
value in responding
appropriately to ITS and EHS
compliance risks.
(Expectancy-value theory)
Learning and motivation are
enhanced if the learner values
the task (Eccles, 2006).
Communicate to managers
realistic benefits of
appropriate ITS and EHS risk
response and consequences of
inappropriate risk response,
being careful to not inflate
either.
Intangible incentives, such as
acknowledgment for good
work, provides information
about
how to be successful (Clark &
Estes, 2008).
Develop recognition for
managers who respond
appropriately to ITS and EHS
compliance risks.
Models who are credible and
similar can foster positive
values (Pajares, 2009).
Recruit ITS and EHS role
models from company
leadership to communicate (to
managers) the value of
appropriate compliance
response.
Managers need to feel
confident in their ability to
respond appropriately to ITS
and EHS compliance risks.
(Self-efficacy)
When employees believe they
can succeed at a specific goal,
they will choose to put effort
toward goal achievement
(Clark & Estes, 2008).
Listen empathetically and
actively to managers when
they describe their ITS and
EHS compliance response
challenges, give corrective
feedback, and project a
genuine expectation that the
manager will
succeed in the future.
Learning and motivation are
enhanced when learners have
positive expectancies for
success (Pajares, 2009).
Overconfidence may result in
suboptimal decision-making
(Carder & Ragan, 2016;
Wang & Rao, 2016).
Leverage scenario-based
reflection-before-action to
uncover manager cognitive
biases regarding ITS and EHS
risk response.

CLOSING THE COMPLIANCE GAP

95
95
Expectancy-value solutions. Expectancy-value theory of motivation includes two
components: (1) value and (2) expectancy (Eccles, 2006). Value is the importance a manager
places on a goal or task and is a strong predictor of a manager’s choice to engage in a task
(Eccles, 2006). The value of a task is determined through a combination of four factors: (1)
attainment value or importance, (2) intrinsic value, (3) utility, and (4) cost. Expectancy is a
manager’s prediction of their success at a goal or task and is a strong predictor of effort once the
choice to engage in a task is made (Eccles, 2006). SpinCo managers need to see value in
responding appropriately to compliance risks. According to Eccles (2006) the value of
responding appropriately to compliance risk is determined by the extent to which an appropriate
response is linked to a manager’s identity (attainment value or importance), enjoyment (intrinsic
value), how well the responding appropriately fulfills other goals (utility), and perceived
consequences for inappropriate response (cost). Managers are more likely to engage in
compliance response if the task is perceived as enjoyable, personally meaningful, moves them
toward a specific outcome, and has a high cost for avoidance.
Although data shows SpinCo managers, overall, see value in appropriate response to ITS
and EHS compliance risks, some managers demonstrate motivational needs in the areas of
expectancy, utility, and cost values. The following three recommendations target these areas of
need and serve to benefit all SpinCo managers. Motivational intervention materials and activities
are most effective when they are relevant and useful to SpinCo managers and based on situations
managers are likely to encounter in their work (Pintrich, 2003). It is recommended that SpinCo
managers be informed of the realistic benefits and consequences of risk response within their
departmental context to increase utility and cost values. Intangible incentives, such as
acknowledgment for good work, provides information about how to be successful in compliance
CLOSING THE COMPLIANCE GAP

96
96
risk response, and may increase expectancy and utility value (Clark & Estes, 2008).
Recognition programs should be developed to provide managers intangible incentives for those
who respond appropriately to compliance risks (e.g., 100% completion of compliance training in
their department). Finally, motivation is enhanced overall if managers value the task (Eccles,
2006). Role models who are credible and similar can help foster expectancy and positive values
in SpinCo managers (Pajares, 2009). Data shows that SpinCo managers, overall, can identify ITS
and EHS role models among company leadership. Therefore, ITS and EHS role models should
be recruited to communicate the value of appropriate compliance risk response and their
confidence in management’s ability to respond appropriately.
Self-efficacy solutions. Self-efficacy reflects confidence in one's ability to accomplish a
task (Bandura, 1997; Pajares, 2009; Wang & Rao, 2016). Self-efficacy beliefs are formed
principally from four sources: (1) mastery experiences, (2) vicarious experience, (3) social
persuasions, and (4) physiological reactions (Bandura, 1997; Pajares, 2009). Confidence in the
ability to appropriately respond to compliance risk is determined by the extent to which
managers have successfully responded in the past (mastery experiences), observation of others
appropriately responding (vicarious experience), verbal messages from others about their ability
to appropriately respond (social persuasions), and the affective states or emotions appropriate
response evokes (physiological reactions). Managers need to feel confident in their ability to
respond appropriately to compliance risks since self-efficacy is one of the more relied-upon
motivational constructs to consistently predict behavioral outcomes (Pajares, 2009). Overall, data
shows confidence is not an issue of concern among SpinCo managers regarding appropriate ITS
and EHS compliance response. Manager’s median self-efficacy scores showed, overall, that they
are moderately to highly confident in ITS and EHS compliance risk knowledge, responses,
CLOSING THE COMPLIANCE GAP

97
97
implementation, and reflection. However, at least one manager (and as many as seven)
reported lower self-efficacy (score of ≤ 40) in each knowledge and organizational influence.
Therefore, interventions related to both low and high confidence are recommended to (1)
increase confidence in managers who reported a need and (2) to protect against negative impacts
of cognitive bias, such as overconfidence and confirmation bias, in managers reporting high
confidence.
When employees believe they can succeed at a specific goal, they will choose to put
effort toward goal achievement (Clark & Estes, 2008). Bulgurcu et al., (2010) suggest that
manager self-efficacy be increased by ensuring managers have the appropriate declarative and
procedural knowledge to comply with compliance standards. For managers reporting under-
confidence, in addition to declarative, procedural, and metacognitive knowledge-related
interventions opportunities should be provided by ITS and EHS leadership to accomplish the
following objectives:
• listen empathetically and actively to managers when they describe their compliance
response challenges
• focus corrective feedback on the faulty response of managers (not on the person) and
provide procedural advice
• project a genuine expectation that the manager will succeed in the future
Learning and motivation are enhanced when learners have positive expectancies for success
(Pajares, 2009). However, high confidence can also expose decision making to cognitive bias,
such as overconfidence and confirmation bias. High confidence turns into overconfidence when
managers perceive compliance risk response as familiar without considering the novel approach
required for SpinCo-specific risk response (Clark & Estes, 2008). If not managed, this can result
CLOSING THE COMPLIANCE GAP

98
98
in inappropriate response to compliance risk (Carder & Ragan, 2016; Wang & Rao, 2016).
SpinCo managers should be made aware of cognitive biases through the metacognitive
intervention, scenario-based reflection-before-action, discussed in the knowledge section. While
considering relevant hypothetical compliance risk scenarios, managers could be instructed to also
evaluate the risks themselves and reasons why the incident happened (Carder & Ragan, 2016).
The use of prompting as a reflective metacognitive strategy would facilitate manager
identification of cognitive bias regarding the appropriate response to SpinCo-specific compliance
risk by testing their approach and validating appropriate responses (Baker, 2006; Brand et al.,
2016; Clark & Estes, 2008).
Organizational Recommendations
Introduction. Table 17 represents a complete listing of the organization influences
presented in Chapter 2, plus their validation status based on data collection and analysis.
Organizational features have a significant influence on the effectiveness of organizational
compliance programs. Knowledge and motivation are not enough to complete a task. Managers
must have the necessary resources available to them for completion of the task (Clark & Estes,
2008; Rueda, 2011). Table 17 includes recommendations for context-specific organization
solutions.
CLOSING THE COMPLIANCE GAP

99
99
Table 17
Summary of Organization Influences and Recommendations
Organizational Need Principle and Citation Recommendation
Managers need role models
who demonstrate how to
appropriately respond to ITS
and EHS compliance risks.
(Cultural setting)
Employees observe
organizational leaders to
determine acceptable and
unacceptable behaviors in the
workplace (Berger, 2014).
Highlight the actions of ITS
role models in
communication to managers.
Managers need to prioritize
appropriate ITS and EHS risk
response in their workloads.
(Cultural setting)
Performance in tasks
perceived as secondary, such
as compliance activities, is
compromised when
employees encounter high
demands to produce (Dai,
Milkman, Hofmann, & Staats,
2015; Sutthiwan & Clinton,
2008).
Develop specific, measurable,
attainable, relevant, and
timebound (SMART)
compliance risk response
goals based on critical
compliance behaviors.
Top-level leadership must be
involved in developing and
communicating compliance
improvement goals (Clark &
Estes, 2008).
Executive leadership
communicates that
compliance risk response
goals and behaviors are
manager priorities.
Managers need ITS and EHS
documentation that is
succinct, consistent,
accessible, and relevant.
(Cultural setting)
Compliance programs must
connect with existing
practices and assumptions to
make a positive impact on
performance (Parker &
Nielson, 2009).
Provide managers with
succinct, consistent,
accessible, and relevant
compliance response
documentation connected
with existing practices.
In organizations as “flat” as
SpinCo, clear and formal
procedures are required to
improve performance (Clark
& Estes, 2008)

Role model solutions. Role models who are credible and similar can help foster
expectancy and positive values in SpinCo managers (Pajares, 2009). Further, research has found
that an employee's perception of their manager's attitudes and beliefs regarding organizational
CLOSING THE COMPLIANCE GAP

100
100
compliance significantly impacts their motivation to act within compliance standards
(Andreisova, 2016; Torp & Grogaard, 2009). SpinCo managers need role models who
demonstrate how to appropriately respond to compliance risks. Role models could be peers,
superiors, compliance leaders, or company executives. When credible role models demonstrate
appropriate ITS and EHS compliance risk response, managers may mirror them, increasing their
likelihood of appropriate compliance risk response.
Data shows that SpinCo managers, overall, can identify ITS and EHS role models among
company leadership. However, some managers are less confident in the identification of
compliance response role models. Therefore, it is recommended that the actions of ITS and EHS
role models be highlighted in communication to managers. This may increase their salience
among managers, and as an added benefit, increase the value and expectancy of appropriate
compliance risk response among managers. This organizational component also contributes to
increased manager motivation to appropriately respond to compliance risks.
Workload solutions. Workload is defined both generally and cognitively. Generally,
workload is defined as a demand on employee resources, including time and effort (Fieldston et
al., 2014). Mental workload, specifically, is the cognitive processing required for an employee to
complete a task (Subramanyam, Muralidhara, & Pooja, 2013). SpinCo managers need to
prioritize appropriate ITS and EHS risk response in their workloads. Otherwise, compliance
behaviors are relegated to the “back-burner” during busy times.
SpinCo managers are held to aggressive timelines and performance excellence. When
faced with heavy work demands, managers shift effort expenditure to tasks perceived as directly
contributing to organizational production. Performance in tasks perceived as secondary, such as
compliance activities, is compromised when employees encounter high demands to produce
CLOSING THE COMPLIANCE GAP

101
101
(Dai, Milkman, Hofmann, & Staats, 2015; Sutthiwan & Clinton, 2008). Reducing manager
workload is beyond the scope of this project. However, compliance activities perceived as
directly contributing to organizational success are more likely to be prioritized when managers
become overwhelmed by their workload. SpinCo top-level leadership must be involved in
developing and communicating compliance improvement goals (Clark & Estes, 2008).
Therefore, it is recommended that specific, measurable, attainable, relevant, and timebound
(SMART) goals be developed, in collaboration with managers, related to ITS and EHS
compliance risk response and critical compliance behaviors. Further, it is recommended that
executive leadership communicate the criticality of compliance risk response goals and
behaviors to keep compliance goals primary for managers. Moving compliance response
behaviors from secondary to primary in the context of manager priorities may deter compromise
in times of overwhelming workloads.
Documentation solutions. Compliance policies, procedures, and processes are irrelevant
if they are inadequate, confusing, or too numerous to be incorporated into the daily work of
employees (Carthey et al., 2011; Clark & Estes, 2008; Deloitte, 2015). Compliance program
documentation must connect with existing practices and assumptions to make a positive impact
on performance (Parker & Nielson, 2009). SpinCo has few levels of management overall. In an
organizational structure as “flat” as SpinCo, clear and formal procedures are required to improve
performance (Clark & Estes, 2008). Managers need compliance documentation that is succinct,
consistent, accessible, and relevant. Without these qualities, compliance documentation becomes
a barrier to appropriate manager response to compliance risk (Clark & Estes, 2008).
To influence compliance behaviors within the organization, policies, procedures, and
processes need to be written and communicated pragmatically—customized to SpinCo and the
CLOSING THE COMPLIANCE GAP

102
102
work employees are engaged in (Deloitte, 2015; Lowry & Moody, 2015). Observational data
collected as part of this study showed that ITS and EHS compliance documentation showed
several “barrier” characteristics, including missing or inaccurate documentation, challenging
verbiage, and difficult to access. Since SpinCo is still building compliance programs, existing
ITS and EHS compliance documentation should be evaluated for barrier characteristics and
going forward managers should be provided with succinct, consistent, accessible, and relevant
compliance response documentation.
Integrated Implementation and Evaluation Plan
Implementation and Evaluation Plan Framework
The integrated implementation and evaluation plan framework is based on Kirkpatrick &
Kirkpatrick's (2016) New World Kirkpatrick Model. According to Kirkpatrick & Kirkpatrick
(2016), there are three reasons to formally evaluate improvement programs: (1) program
improvement, (2) demonstration of value, and (3) to maximize the conversion of learning into
employee behavior changes that facilitate achievement of organizational goals. Regardless of
support or popularity, improvement interventions lack value if they do not align employee
behavior with organizational goals (Kirkpatrick & Kirkpatrick, 2016). The New World
Kirkpatrick Model divides evaluation into four aligned tiers, or levels: (4) results, (3) behavior,
(2) learning, and (1) reactions (see Table 18).
CLOSING THE COMPLIANCE GAP

103
103
Table 18
Four Levels of the New World Kirkpatrick Model
Level Measures Description
4 Results The degree to which targeted organizational outcomes occur as a
result of the performance improvement program
3 Behavior The degree to which SpinCo managers apply learning from the
performance improvement program to their jobs
2 Learning The degree to which SpinCo managers acquire the intended
knowledge, skills, attitudes, confidence, and commitment based on
their participation in the performance improvement program
1 Reaction The degree to which SpinCo managers find the performance
improvement program favorable, engaging, and relevant to their
jobs
Note. Adapted from Kirkpatrick's Four Levels of Training Evaluation (p. 11) by J.D.
Kirkpatrick and W. K. Kirkpatrick, 2016, Alexandria, VA: ATD Publications.
Each level in the New World Kirkpatrick Model includes components discussed in the
following sections (see Figure 12). Level 4 defines results through leading indicators and desired
outcomes (Kirkpatrick & Kirkpatrick, 2016). Level 3 monitors and adjusts behaviors through the
identification of critical behaviors and required behavior drivers (Kirkpatrick & Kirkpatrick,
2016). Level 2 assesses learning through the measurement of knowledge, skills, attitudes,
confidence, and commitment toward behavior change (Kirkpatrick & Kirkpatrick, 2016). Level 1
evaluates engagement, relevance, and learner satisfaction (Kirkpatrick & Kirkpatrick, 2016). In
the sections to follow, an integrated implementation and evaluation plan is presented for
recommended solutions for SpinCo manager needs regarding the appropriate response to
compliance risk.
CLOSING THE COMPLIANCE GAP

104
104

Figure 12. The New World Kirkpatrick Model. Reprinted from Kirkpatrick's Four Levels of
Training Evaluation (p. 11) by J.D. Kirkpatrick and W. K. Kirkpatrick, 2016, Alexandria, VA:
ATD Publications. Copyright 2016 by Kirkpatrick Partners, LLC www.kirkpatrickpartners.com.
Organizational Purpose, Need, and Expectations
SpinCo's mission is to provide therapeutics to improve patients’ lives. As a consequence
of the spin-off, SpinCo no longer has access to ParentCo’s regulatory compliance programs and
is in the process of building comprehensive programs of their own. To thrive, SpinCo must have
effective compliance programs in place as soon as possible to support the product development
pipeline. SpinCo's organizational goal is to implement effective compliance programs across all
risk areas within 18 months of spin-off. To achieve the organizational goal, SpinCo managers
must achieve an intermediate goal of appropriate response to priority compliance risks identified
by an internal auditor by February 28, 2018. The purpose of this project was to study the
knowledge, motivation, and organizational influences among SpinCo managers that impacted
their appropriate response to compliance risks. Specifically, this analysis focused on two risk
CLOSING THE COMPLIANCE GAP

105
105
areas: (1) information technology security and (2) environmental, health, and safety. Data
analysis validated manager needs around appropriate response to ITS and EHS compliance risks.
Intervention recommendations include the provision of documentation, opportunities for
training, feedback, reflection, development of recognition programs, utilization of role models,
and development of compliance response and behavioral goals. Recommended interventions
should increase manager knowledge and motivation enough to produce the desired outcome of
effective compliance programs, reflected by the following: (1) increased employee adherence to
organizational compliance standards and processes, (2) no regulatory noncompliance findings,
and (3) no regulatory noncompliance fines.
Level 4: Results and Leading Indicators
Table 19 shows the proposed Level 4 results and leading indicators in the form of
outcomes, metrics, and methods for both external and internal SpinCo stakeholders. If the
internal outcomes (within the company) are met as expected as a result of the recommended
knowledge, motivation, and organizational interventions, the external outcomes (outside of the
company) should also be realized.
CLOSING THE COMPLIANCE GAP

106
106
Table 19
External and Internal Outcomes, Metrics, and Methods for Evaluation
Outcome Metric(s) Method(s)
External Outcomes
1. No regulatory
noncompliance findings
1. Number of regulatory
noncompliance findings
by regulators
1. Solicit quarterly data from
regulatory agencies
2. No regulatory
noncompliance fines
2. Number and amount of
fines levied against the
organization by regulatory
agencies
2. Solicit quarterly data from
regulatory agencies
Internal Outcomes
3. Increased employee
adherence to
organizational compliance
standards and processes
3a. Instances of reported
noncompliance
3a. Solicit quarterly data from
existing reports, audits, and
observation results
3b. Survey results to key
questions
3b. Evaluate and compare
periodic survey responses
from employees, managers,
and compliance program
leadership

Level 3: Behavior
Critical behaviors. The stakeholders of focus are SpinCo managers. Critical behaviors
are actions that SpinCo managers must demonstrate consistently to facilitate Level 4 targeted
outcomes (Kirkpatrick & Kirkpatrick, 2016). The first critical behavior is that managers must be
able to identify compliance risks with their work areas. The second critical behavior is that
managers must be able to identify the appropriate response to compliance risks identified in their
area. The third critical behavior is that managers must be able to effectively implement
appropriate responses to compliance risks identified in their areas. The specific metrics, methods,
and timing for each of these outcome behaviors appear in Table 20.
CLOSING THE COMPLIANCE GAP

107
107
Table 20
Critical Behaviors, Metrics, Methods, and Timing for Managers
Critical Behavior Metric(s) Method(s) Timing
1. Identify
compliance
risks
Number of context-
specific compliance risks
identified and/or
confidence scores
Knowledge and/or
confidence
assessment
Within first two-
weeks of
employment and
annually thereafter
2. Identify
appropriate
responses to
compliance
risks
Number of context-
specific compliance risk
responses identified
and/or confidence scores
Knowledge and/or
confidence
assessment
Within first two-
weeks of
employment and
annually thereafter
3. Implement
appropriate
responses to
compliance
risks
Number and effectiveness
of implementation of
appropriate responses to
compliance risks and/or
confidence scores
Audits/evaluations
that include
qualitative and
quantitative measures
Annually for three
years post-spin and
biennially
thereafter

Required drivers. Drivers are systems and processes that support demonstration of
Level 3 critical behaviors (Kirkpatrick & Kirkpatrick, 2016). Drivers include reinforcement,
encouragement, rewards, and monitoring. Table 21 shows the recommended drivers to support
critical behaviors of SpinCo managers. Managers require documentation and reminders to
reinforce appropriate compliance response concepts. Anecdotes, feedback, and support from
organizational and compliance leadership serve to encourage managers to apply their knowledge
of appropriate compliance risk response. Rewards should include public acknowledgment of
desired compliance behaviors in formal and informal organizational communications. Progress
toward critical behaviors should be monitored through qualitative and quantitative methods.
CLOSING THE COMPLIANCE GAP

108
108
Table 21
Required Drivers to Support Managers Critical Behaviors
Method(s) Timing
Critical Behavior(s)
Supported
Reinforcing
Documentation about compliance risk,
response, and implementation
Start immediately;
ongoing
1,2,3
Job aids (decision-tree) connecting risk,
response, and implementation
Start immediately;
ongoing
1,2,3
Lunch and Learn training sessions to review
compliance risk, responses, and implementation
Quarterly 1,2,3
Reminders about compliance risk, response,
and implementation through various mediums
such as printed newsletters, email, etc.
Monthly 1,2,3
Encouraging
Feedback and coaching from compliance
program leaders during Lunch and Learns
Quarterly 1,2,3
Leadership role model anecdotes during Lunch
and Learns
Quarterly 1,2,3
Executive support during all-hands meetings Quarterly 1,2,3
Rewarding
Public acknowledgment for desired (non-
critical) behaviors at all-hands meetings
Quarterly 1,2,3
Public acknowledgment for desired (non-
critical) behaviors in compliance domain
newsletter/communications
Monthly 1,2,3
Monitoring
Evaluate and compare periodic survey
responses from employees, managers, and
compliance program leadership
Periodically (based
on compliance
program and
leadership capacity)
1,2,3
Evaluate performance assessment data related
to compliance response goals
Semiannually 1,2,3
Solicit data from existing reports, audits, and
observation results
Quarterly 1,2,3

CLOSING THE COMPLIANCE GAP

109
109
Organizational support. SpinCo can provide managers with succinct, consistent,
accessible, and relevant compliance documentation. Without these qualities, compliance
documentation becomes a barrier to appropriate manager response to compliance risk (Clark &
Estes, 2008). SpinCo can incentivize managers through top-level goal setting and recognition
directly related to manager commitment, and the commitment of their teams, to appropriately
respond to compliance risk. SpinCo leadership can create opportunities for, and encourage
participation in, compliance related training and communication initiatives. SpinCo can ensure
the provision of these key supports with prudent resource allocation, especially dedicated,
competent compliance program managers who are held accountable for reinforcing, encouraging,
rewarding, and monitoring drivers for critical compliance behaviors.
Level 2: Learning
Learning goals . To support the performance of the Level 3 critical behaviors listed in
Table 20, managers require specific knowledge, skills, and attitudes. Following implementation
of compliance program interventions, managers will be able to:
1. Summarize ITS and EHS compliance risks in the areas they oversee. (Declarative)
2. Determine the most appropriate responses to ITS and EHS compliance risks in the
areas they oversee. (Declarative)
3. Implement, or carry out, appropriate responses to ITS and EHS compliance risks in
the areas they oversee. (Procedural)
4. Self-identify knowledge gaps (ineffective habits, biases, assumptions, etc.) regarding
appropriate compliance response. (Metacognitive)
5. Indicate value in responding appropriately to ITS and EHS compliance risks.
(Expectancy-value)
CLOSING THE COMPLIANCE GAP

110
110
6. Indicate confidence in their ability to respond appropriately to ITS and EHS
compliance risks. (Self-efficacy)
Improvement Program. The comprehensive ITS and EHS compliance risk response
improvement program outlined below supports the learning goals listed in the previous section
by deliberately aligning findings (Chapter 4), recommendations (Chapter 5), and drivers
(Chapter 5) within the six key elements of compliance programs outlined in Chapter 2: (1)
documentation, (2) resource allocation, (3) training and communication, (4) discipline and
incentives, (5) monitoring and auditing, and (6) competent program management.
Documentation. SpinCo should provide managers with succinct, consistent, accessible,
and relevant compliance documentation that is connected with existing SpinCo practices, on an
ongoing basis. As SpinCo compliance programs are developed, documentation should include
relevant ITS and EHS compliance risk and response facts as well as job aids (e.g., decision
trees), that connect ITS and EHS risk, response, and response implementation. Due to the youth
of SpinCo compliance programs, documentation should be reviewed annually for accuracy and
relevancy for appropriate manager response.
Resource allocation. For compliance programs to be effective in practice, organizational
resources must be allocated appropriately (Parker & Nielson, 2009). Resources include sufficient
financial and human capital to meet organizational compliance goals (Deloitte, 2015;
Andreisova, 2016). SpinCo should evaluate compliance resource allocation at least annually to
ensure sufficient financial and human capital resources to implement this improvement plan and
maintain effective compliance programs.
Training and communication. Spreading knowledge about compliance programs,
whether through formal training or internal marketing efforts, is essential for program success
CLOSING THE COMPLIANCE GAP

111
111
(Andreisova, 2016). In addition to the expansion of existing ITS and EHS new employee
training, quarterly in-person “Lunch and Learns” and monthly newsletters are recommended.
New employee ITS and EHS training includes asynchronous, online learning modules delivered
through a learning management system. These modules and associated assessments should be
offered annually to managers to evaluate and refresh their declarative knowledge of ITS and
EHS compliance risks and responses.
Lunch and Learn sessions serve to boost both knowledge and motivation in managers.
Sessions should include communication of the benefits of appropriate ITS and EHS risk response
and consequences of inappropriate risk response. They should also include a review of ITS and
EHS compliance risk, responses, and response implementation. Managers should be provided
prompts for reflection-before-action practice. For example, managers can participate in a
classroom games such as a Jeopardy-style assessment to measure declarative knowledge and
bring awareness to overconfidence. Managers can then be instructed to consider hypothetical ITS
and EHS compliance risk scenarios, then choose an appropriate response and implementation
plan. Feedback and coaching from compliance program leaders during reflective practice along
with anecdotes from compliance role models should enhance manager learning and the value of
appropriate response. Lunch and Learn facilitators should also use the sessions as opportunities
to listen empathetically and actively to managers who describe their ITS and EHS compliance
response challenges, give corrective feedback, and project a genuine expectation that the
manager will succeed in the future.
Monthly newsletters should remind managers about the benefits of appropriate ITS and
EHS risk response and consequences of inappropriate risk response. Newsletter content should
be positive and highlight the actions of ITS and EHS compliance role models. Employees should
CLOSING THE COMPLIANCE GAP

112
112
also be publicly recognized in newsletters for desired (non-critical) and critical compliance
behaviors. Newsletters should be varied in medium. For instance, rather than exclusively sent by
email, newsletters should be printed out and placed in common areas.
Discipline and incentives. Expectation and consequences regarding noncompliance must
be effectively communicated throughout all levels of an organization to be effective
(Andreisova, 2015). Therefore, executive leadership has a key role in compliance response
discipline and incentives. Executive leadership should work with managers annually to develop
SMART compliance risk response goals based on critical compliance behaviors. Further, during
quarterly all-hands meetings, executive leadership should communicate that compliance risk
response goals and behaviors are manager priorities. Executives should also take time during
quarterly all-hands meetings to recognize managers who demonstrate desired (non-critical) and
critical compliance behaviors.
Monitoring and auditing. To ensure ongoing documentation efforts are successful,
SpinCo should immediately audit existing ITS and EHS compliance risk, response, and response
implementation documentation to identify barrier characteristics defined in the literature.
Compliance program efficacy cannot be determined by a single metric or indicator (Kirkpatrick,
2016; Kroll, 2012). Ongoing ITS and EHS program monitoring should be formalized and, in
addition to outcome and process measures, incorporate both objective and subjective measures to
paint the most complete picture of compliance program effectiveness. For instance, periodic
survey responses from employees, managers, and compliance program leadership should be
compared for changes. Semiannual performance assessment data related to compliance response
goals should be monitored. Data from existing reports, audits, and observation results should be
CLOSING THE COMPLIANCE GAP

113
113
gathered quarterly. When combined, qualitative and quantitative measures help quickly
identify ITS and EHS risk response gaps.
Competent program management. Smaller organizations with limited resources can see
positive impacts in critical compliance behavior among managers by dedicating experienced
professionals to manage compliance programs (Andreisova, 2016). At SpinCo, compliance
program management is often one component of a leader's otherwise heavy workload. Therefore,
narrowing formal compliance accountability to the reinforcing, encouraging, rewarding, and
monitoring drivers for critical compliance behaviors is recommended to ensure managers are
supported appropriately.
Components of learning. The Level 2 learning evaluations include several important
components of learning. Managers must demonstrate their declarative knowledge and procedural
skills related to appropriate compliance risk response. Declarative knowledge and procedural
skills were influences evaluated as part of this project and will continue to be evaluated
throughout the performance improvement program implementation. Managers must see value in
appropriately responding to compliance risk. Value was originally also evaluated as part of this
project, and in the New World Kirkpatrick Model, is measured by manager attitude. Managers
must be confident they can apply their declarative knowledge and procedural skills to their jobs.
Confidence, or self-efficacy, was evaluated as part of this project and will continue to be
evaluated throughout the performance improvement program implementation. Managers must
demonstrate a commitment to appropriately responding to compliance risks. Managers can be
asked directly about their commitment to appropriate risk response, or commitment can be
gleaned through measures of self-efficacy, expectancy, and value. Self-efficacy is predictive of
commitment (Chestnut & Burley, 2015; Coladarci, 1992; Mckim & Velez, 2015). Goal
CLOSING THE COMPLIANCE GAP

114
114
commitment is strengthened both by goal expectancy and goal value (Shah & Higgins,
1997). See Table 22 for a summary of learning components, methods, and timing for the
evaluation of the Level 2 learning goals. These Level 2 goals support the performance of Level 3
critical behaviors. The thorough evaluation of learning goals ensures adjustments can be made to
the performance improvement program to facilitate Level 2 learning (Kirkpatrick & Kirkpatrick,
2016).
CLOSING THE COMPLIANCE GAP

115
115
Table 22
Components of Learning for the Program
Method(s) or Activity(ies) Timing
Learning Goal(s)
Supported
Declarative Knowledge “I know it.”
Knowledge checks using multiple choice Annually, as part of the asynchronous
online training modules
1,2
Knowledge checks through assessment games Periodically during Lunch and Learns
and documented via observation notes
1,2,4
Knowledge checks through partner
discussions
Periodically during Lunch and Learns
and documented via observation notes
1,2,4
Procedural Skills “I can do it right now.”
Quality of the feedback from peers during
group sharing
Periodically during Lunch and Learns
and documented via observation notes
3,4
Effective implementation of appropriate risk
responses
Quarterly data from existing reports,
audits, and observations
3
Attitude “I believe this is worthwhile.”
Surveys (online) using scaled items Annually (minimum) and documented
via survey
5
Discussions of the value of appropriate
compliance risk response
Periodically during Lunch and Learns
and documented via observation notes
5
Post Lunch and Learn surveys (online) using
scaled items and/or open-ended questions
Within three days post Lunch and
Learn
5
Confidence “I think I can do it on the job.”
Surveys (online) using scaled items Annually (minimum) and documented
via survey
6
Discussions following practice and feedback Periodically during Lunch and Learns
and documented via observation notes
6
Post Lunch and Learn surveys (online) using
scaled items and/or open-ended questions
Within three days post Lunch and
Learn
6
Commitment “I will do it on the job.”
Surveys (online) using scaled items Annually (minimum) and documented
via survey
5,6
Discussions following practice and feedback Periodically during Lunch and Learns
and documented via observation notes
5,6
Post Lunch and Learn surveys (online) using
scaled items and/or open-ended questions
Within three days post Lunch and
Learn
5,6

CLOSING THE COMPLIANCE GAP

116
116
Level 1: Reaction
Level 1 evaluations measure the degree to which SpinCo managers find the performance
improvement program favorable, engaging, and relevant to their jobs. See Table 23 for the
evaluation methods and timing to determine how the participants react to the performance
improvement program components.
Table 23
Components to Measure Reactions to the Program
Method(s) or Tool(s) Timing
Engagement
Completion of online modules/assessments Periodically reviewed (based on
compliance program and leadership
capacity)
Lunch and Learn attendance During the quarterly Lunch and Learn
Lunch and Learn observation by facilitator During the quarterly Lunch and Learn
Post Lunch and Learn surveys (online) using scaled
items and/or open-ended questions
Day of quarterly Lunch and Learn
Relevance
Brief pulse-check with participants via discussion During the quarterly Lunch and Learn
Post Lunch and Learn surveys (online) using scaled
items and/or open-ended questions
Within three days post quarterly Lunch
and Learn
Learner Satisfaction
Surveys (online) using scaled items and/or open-
ended questions (programmatic-specific survey)
Annually (minimum)
Post Lunch and Learn surveys (online) using scaled
items and/or open-ended questions
Within three days post quarterly Lunch
and Learn

Evaluation Tools
Immediately following the program implementation. Immediate evaluations in the ITS
and EHS compliance risk response improvement program include: (1) asynchronous module
data, (2) Lunch and Learn facilitator observations, and (3) a post Lunch and Learn participant
CLOSING THE COMPLIANCE GAP

117
117
survey. The learning analytics tool in the SpinCo learning management system (LMS) will
measure engagement through the collection of new employee and ongoing annual training
module completion data (Level 1). The LMS will also administer knowledge assessments after
each module to measure declarative and procedural recall (Level 2). Refer to Appendix H for an
example EHS asynchronous knowledge assessment and Appendix I for an example ITS
asynchronous knowledge assessment.
Lunch and Learn facilitator observations sheets will guide facilitators in the collection of
real-time participant data about learning components such knowledge, skills, attitude,
confidence, commitment, engagement, and relevance (Level 1 and 2). The facilitator will note,
and follow-up with, outliers - those who appeared to have a vastly different experience than their
peers. Finally, the facilitator will quantify their observations immediately after the session and
make recommendations, based on their observational data, to implement before the next Lunch
and Learn session. Refer to Appendix J for an example of a Lunch and Learn facilitator
observation form.
Within three days after a Lunch and Learn session, an electronic survey will be
distributed to session participants to measure attitude, confidence, commitment, engagement, and
relevance (Level 1 and 2). Refer to Appendix K for an example post Lunch and Learn participant
survey. The post Lunch and Learn survey will also collect information about potential barriers
for behavioral drivers, and predictive feedback from participants about anticipated compliance
response behavior changes in their jobs (Level 3). Compliance program leaders may use the
survey data to refine the Lunch and Learn sessions and/or drivers that support critical behaviors.
Refer to Table 24 for a summary of immediate program evaluation tools and measures.
CLOSING THE COMPLIANCE GAP

118
118
Table 24
Immediate Risk Response Improvement Program Evaluation Tools and Measures
Immediate Evaluations
Asynchronous
module data
(Appendices H and I)
Lunch and
Learn facilitator
observations
(Appendix J)
Post Lunch and
Learn survey
(Appendix K)
External Outcomes (L4)

Internal Outcomes (L4)

Critical Behaviors (predictive L3)

X
Required Drivers (L3)

X
Declarative Knowledge (L2) X X

Procedural Skills (L2) X X

Attitude/Value (L2)

X X
Confidence/Self-Efficacy (L2)

X X
Commitment (L2)

X X
Engagement (L1) X X X
Relevance (L1)

X X
Learner Satisfaction (L1)

X

Delayed for a period after the program implementation. Delayed evaluations in the
ITS and EHS compliance risk response improvement program include: (1) periodic survey data,
(2) performance assessment data, and (3) the compilation of data from existing reports, audits,
and observations. An electronic survey will be distributed to managers and employees at least
annually to measure their self-reported performance of critical compliance response behaviors
and the impact of drivers on their compliance response behavior (Level 3). The survey will also
collect data about knowledge, skills, attitude, confidence, and commitment regarding appropriate
response to compliance risk (Level 1 and 2). Refer to Appendix L for an example of a periodic
ITS and EHS compliance risk response improvement program survey.
CLOSING THE COMPLIANCE GAP

119
119
Semiannual performance data could be collected if top-level leadership and managers
develop and formalize SMART goals related to compliance risk response. This data would be
gathered through the evaluation of achievement or lack of achievement of SMART compliance
response goals in SpinCo’s performance management system. Finally, quarterly data will be
compiled from existing reports, audits, and observations, including the LMS, Lunch and Learn
observations and surveys, periodic all-employee surveys, performance assessments, compliance
program reports, and regulatory agencies. The quarterly data compilation serves as a
comprehensive Blended Evaluation tool.
Kirkpatrick and Kirkpatrick's (2016) Blended Evaluation approach brings together
information from multiple sources to provide a more complete picture of improvement program
effectiveness. Lunch and Learn facilitator observations, Lunch and Learn participant surveys,
and periodic all-employee surveys are technically blended since they evaluate multiple
Kirkpatrick levels within one instrument. However, the quarterly data compilation described
above serves as the most comprehensive Blended Evaluation tool in this program. When
compiled, this data will show manager reactions (Level 1), the effectiveness of improvement
program learning components (Level 2), progress toward implementation of critical behaviors
(Level 3), and internal/external outcomes (Level 4) for an overall picture of improvement
program effectiveness. Refer to Appendix M for the quarterly Blended Evaluation instrument.
Refer to Table 25 for a summary of all delayed program evaluation tools and measures.
CLOSING THE COMPLIANCE GAP

120
120
Table 25
Delayed Risk Response Improvement Program Evaluation Tools and Measures
Delayed Evaluations
Periodic
survey data
(Appendix L)
Semiannual
performance
assessment data
Quarterly
Blended
Evaluation
(Appendix M)
External Outcomes (L4)

X
Internal Outcomes (L4)

X
Critical Behaviors (L3) X X X
Required Drivers (L3) X

X
Declarative Knowledge (L2) X X X
Procedural Skills (L2) X X X
Attitude/Value (L2) X

X
Confidence/Self-Efficacy (L2) X

X
Commitment (L2) X

X
Engagement (L1)

X
Relevance (L1)

X
Learner Satisfaction (L1)

X

Data Analysis and Reporting
Data collection, analysis, and reporting must help compliance program management and
organizational leadership answer the following questions (Kirkpatrick and Kirkpatrick, 2016):
1. Does the compliance risk response improvement program meet expectations?
2. If not, why not?
3. If so, why?
Immediate and delayed evaluation tools presented in the previous sections collect the
information necessary to answer these questions at each Kirkpatrick level. Refer to Tables 24
and 25 for evaluation tools and measures. Several of the aforementioned evaluation tools collect
"why" information connected to manager motivation and organizational resources (drivers). For
CLOSING THE COMPLIANCE GAP

121
121
example, Lunch and Learn participant surveys ask how drivers and other organizational
influences impact confidence in the topics covered. Periodic all-employee surveys ask about the
value of appropriate risk response and the drivers considered assets toward critical behaviors.
These items are intended to serve as a continued analysis and evaluation of the knowledge,
motivation, and organizational barriers and assets impacting appropriate response to compliance
risk presented in earlier chapters of this project.
The effectiveness of the ITS and EHS compliance risk response improvement program
will be reported through a quarterly dashboard. The Blended Evaluation instrument used for
quarterly compilation of data is also used as a quarterly reporting dashboard (see Appendix M)
and includes all Level 4, Level 3, Level 2, and Level 1 components as measured through
program evaluation tools described in Tables 24 and 25. Every quarter, compliance program
leadership will evaluate data generated during the previous three months and update the
dashboard as appropriate. The dashboard indicates measurement thresholds and associated
targets for Level 1-4 component performance. The reporting dashboard also shows readers the
relationships between all levels of program evaluation components (Kirkpatrick & Kirkpatrick,
2016). The status column of the reporting dashboard uses a color-coded status indicator familiar
to SpinCo top-level leadership, making the dashboard easy to scan (Kirkpatrick & Kirkpatrick,
2016). Compliance program management may find it more useful to read the dashboard from the
bottom up, while top-level leadership will likely read from the top down to glean critical
program information. Either way, the reporting dashboard presented in Appendix M tells an
actionable story of improvement program progress (Kirkpatrick & Kirkpatrick, 2016). SpinCo
should utilize the SharePoint intranet site to post updated dashboards and to share ongoing
compliance program statuses with organizational leadership.
CLOSING THE COMPLIANCE GAP

122
122
Summary
This chapter brings together the previous four chapters into a comprehensive plan for
closing ITS and EHS compliance response gaps among SpinCo managers. A comprehensive ITS
and EHS compliance risk response improvement program was presented, incorporating
intervention recommendations within the six key elements of effective compliance programs.
Intervention recommendations include the provision of documentation, opportunities for
training, feedback, reflection, development of recognition programs, utilization of role models,
and development of compliance response and behavioral goals. A comprehensive evaluation plan
was developed, utilizing the New World Kirkpatrick Model (Kirkpatrick & Kirkpatrick, 2016) to
monitor and report the effective application of recommended solutions. Thoughtful application
of the interventions and evaluations recommended in this chapter will produce the desired
outcomes of appropriate manager response to ITS and EHS compliance risk and an overall
increase in employee adherence to organizational compliance standards and processes.
Strengths and Weaknesses of Approach
Combined use of the Clark and Estes (2008) gap analysis model and the Kirkpatrick and
Kirkpatrick (2016) New World Kirkpatrick Model provides a robust, end-to-end performance
improvement framework. Their combined strength lies in their focus on the achievement of
organizational outcomes through the deliberate and thoughtful development and support of
stakeholders. A weakness in the combined use of the models is the complexity of their combined
use. Preserving the benefits of both models within a comprehensive change management plan
requires attention to, and the prevention of, “scope-creep” to ensure inclusion, alignment,
evaluation, and reporting of only the critical portions of the plan.

CLOSING THE COMPLIANCE GAP

123
123
Limitations
The nature of gatekeeper-researcher-participant relationships is the source of significant
ethical debate (Glesne, 2011; Merriam & Tisdale, 2016). The researcher is the instrument
through which data is collected, analyzed, and interpreted, thus inherently biased to some degree
(Maxwell, 2013; Merriam & Tisdale, 2016). The researcher was deeply embedded in the study
context, complicating the gatekeeper-researcher-participant relationship. Although actions were
taken to minimize bias as reasonably as possible while still generating insightful data for this
project, the compliance topics, methodology, access to stakeholders, and access to information
were limited by this relationship.
This study took a realist approach with the research questions. That is, self-reported
feelings among stakeholders about their ITS and EHS knowledge were treated as evidence
(Maxwell, 2013). Stakeholder knowledge influences were measured exclusively through self-
reported stakeholder confidence ratings. An alternative, instrumentalist, approach would have
reframed the research questions as “perceived” influences (Maxwell, 2013). A drawback to the
realist approach includes an increased reliance on researcher inference (Maxwell, 2013).
Additionally, self-reporting has inherent drawbacks that impact validity (Donaldson & Grant-
Vallone, 2002). Self-report bias includes the tendency for respondents to over-report feelings or
behaviors perceived as appropriate and under-report feelings or behaviors perceived as
inappropriate (Donaldson & Grant-Vallone, 2002). This is also called socially desirability.
An improvement would be to utilize the “voice of the stakeholder” for a more in-depth
assessment and triangulation of KMO influences. Stakeholder voices could have been included
via interviews, focus groups, email correspondence, Skype correspondence, or other
environmental observations target to stakeholder words and behavior. Not using the “voice of
CLOSING THE COMPLIANCE GAP

124
124
stakeholder” in qualitative data collection had two consequences (1) qualitative assessment
of stakeholder knowledge and motivation were not captured, and (2) qualitative coding was
limited in depth.
Due to the small size of the organization, an attempt was made to use total population
sampling for the phase one survey. The final survey response rate was 47% (21 of 45 managers)
despite efforts to recruit more participants. Although generalizability outside of the organization
was not the intention of this study, the low response rate brings into question the internal
generalizability of the results.
Future Research
This study evaluated two, lower risk compliance programs within a single organization.
Further research is needed to determine the applicability of a combined-model performance
improvement framework (Clark & Estes, 2008; Kirkpatrick & Kirkpatrick, 2016) within other
contexts and other risk areas. Eighteen areas of compliance risk were identified in Chapter 1 of
this report, each impacting overlapping internal stakeholder groups. Successful application to a
wider scope, including increased stakeholders, risk areas, and contexts, would add
generalizability to the combined-model performance improvement framework.
Although a complete analysis involves various stakeholder groups, for practical purposes,
SpinCo managers were the focus of this evaluation. Management’s authority in the dissemination
of knowledge, motivation, and organizational resources made them the ideal stakeholder group
for analyzing KMO impacts on organizational goals. However, future research should include an
employee (non-management) stakeholder group. Although employees have little decision-
making authority to close knowledge, motivation, or organizational gaps, they exert a significant
impact on the daily execution of compliance tasks. Employees encounter a variety of compliance
CLOSING THE COMPLIANCE GAP

125
125
response challenges in their daily work. Evaluating and addressing employee KMO
compliance risk response influences would enhance the robustness of a risk response
improvement program.
Conclusion
Small pharmaceutical companies don’t put a high priority on building and maintaining
effective compliance programs (Sheridan, 2014). The purpose of this study was to use the Clark
and Estes (2008) gap analysis framework to evaluate the knowledge, motivation, and
organizational influences among SpinCo managers that impacted their appropriate response to
compliance risks in two organizational compliance programs: (1) information technology
security (ITS) and (2) environmental, health, and safety (EHS). A literature review set the stage
for gap analysis, verifying necessary elements of compliance programs and measurement of their
effectiveness. Assumed knowledge, motivation, and organizational influences impacting
appropriate manager response to ITS and EHS compliance risks were highlighted and verified
against theories and related literature. Gap analysis continued through quantitative and
qualitative data collection and analysis to validate the assumed influences. Fully-validated
influences included the need for increased ITS declarative and procedural knowledge.
Additionally, the need for relevant compliance response documentation was validated in full.
Several knowledge, motivation, and organizational influences were partially validated based on
the wide range of manager responses given in the survey, including in the areas of
metacognition, modeling, workload priority, value, and self-efficacy.
In addition to SpinCo manager needs, this study explored how the organization could
revise practices to facilitate appropriate manager response to ITS and EHS compliance risks.
Through the application of the New World Kirkpatrick Model (Kirkpatrick & Kirkpatrick, 2016),
CLOSING THE COMPLIANCE GAP

126
126
a comprehensive ITS and EHS compliance risk response improvement program was
presented along with an evaluation plan to monitor effective application of recommended
interventions. It is anticipated that deliberate and thoughtful application of the recommendations
will increase critical compliance behaviors among managers and facilitate desired organizational
compliance outcomes.
CLOSING THE COMPLIANCE GAP

127
127
References
Accenture. (2013). Accenture 2013 global risk management study. New York: Culp. Retrieved
from www.accenture.com/globalriskmanagementresearch2013
Anderman, E., & Anderman, L. (2006). Attributions. Retrieved from http://www.education.com/
reference/article/attribution-theory/
Andrade, E.L., Bento, A.F., Cavalli, J., Oliveira, S.K., Schwanke, R.C., Siqueira, J.M., Freitas,
C.S., Marcon, R., & Calixto, J.B. (2016). Non-clinical studies in the process of new drug
development - Part II: Good laboratory practice, metabolism, pharmacokinetics, safety
and dose translation to clinical studies. Brazilian Journal of Medical and Biological
Research, 49(12), e5646. Epub December 12, 2016.https://dx.doi.org/10.1590/1414-
431x20165646
Andreisova, L. (2016). Building and maintaining an effective compliance program. International
Journal of Organizational Leadership, 5(1), 24-39.
Aon. (2012). 2012 life sciences industry report. United States. Retrieved from http://ars-
us.aon.com/Global/National/Thought%20Leadership/Industry%20Overviews/PDFs/2012
-US-Life-Sciences-Industry-Report.pdf
Aon. (2015). Providing end-to-end solutions for life sciences companies. United States.
Retrieved from http://www.aon.com/attachments/risk-services/Life-Sciences-
Brochure_2015.pdf
Avance. (2009). Success rates in biotech: Going the wrong way. Retrieved from
http://www.avance.ch/newsletter/docs/avance_biotech_success_rates.pdf
Babajide, E. O., & Akintayo, I. (2011). Occupational stress, psychological well being and
workers' behavior in manufacturing industries in south-west Nigeria. International
CLOSING THE COMPLIANCE GAP

128
128
Journal of Management and Innovation, 3(1), 32-42. Retrieved from
http://libproxy.usc.edu/login?url=http://search.proquest.com.libproxy2.usc.edu/docview/8
86579333?accountid=14749
Baker, L. (2006). Metacognition. Retrieved from http://www.education.com/ reference/article/
metacognition/.
Baker & McKenzie. (2011). Compliance program key elements [blog]. Retrieved from
http://www.bakermckenzie.com/FCGermanyComplianceProgramKeyElements/
Baker & McKenzie. (2012). 5 essential elements of corporate compliance. Retrieved from
http://www.bakermckenzie.com/files/Uploads/Documents/North%20America/DoingBusi
nessGuide/NewYork/br_elementscorporatecompliance.pdf
Bandura, A. (1997). Self-efficacy: The exercise of control. New York: W.H. Freeman.
Bandura, A. (2000). Exercise of human agency through collective efficacy. Current Directions in
Psychological Science, 9(3), 75–78.
Bandura, A. (2006). Guide for constructing self-efficacy scales. In T. Urdan & F. Pajares (Eds.),
Self-efficacy beliefs of adolescents (pp. 307-337). United States: Information Age
Publishing.
Bannert, M., & Mengelkamp, C. (2008). Assessment of metacognitive skills by means of
instruction to think aloud and reflect when prompted. does the verbalisation method
affect learning? Metacognition and Learning, 3(1), 39-58.
doi:http://dx.doi.org.libproxy2.usc.edu/10.1007/s11409-007-9009-6

CLOSING THE COMPLIANCE GAP

129
129
Barnes, C. (2007). Why compliance programs fail: Economics, ethics and the role of
leadership. HEC Forum, 19(2), 109-23.
doi:http://dx.doi.org.libproxy2.usc.edu/10.1007/s10730-007-9034-5
Beams, J. D., Brown, R. M., & Killough, L. N. (2003). An experiment testing the determinants
of non-compliance with insider trading laws. Journal of Business Ethics, 45(4), 309-323.
Retrieved from
http://libproxy.usc.edu/login?url=http://search.proquest.com.libproxy2.usc.edu/docview/1
98060065?accountid=14749
Berardi-Coletta, B., Buyer, L. S., Dominowski, R. L., & Rellinger, E. R. (1995). Metacognition
and problem solving: A process-oriented approach. Journal of Experimental Psychology:
Learning, Memory, and Cognition, 21(1), 205-223. doi:
http://dx.doi.org.libproxy2.usc.edu/10.1037/0278-7393.21.1.205
Berger, B. (2014). Read my lips: Leaders, supervisors, and culture are the foundations of
strategic employee communications. Research Journal of the Institute for Public
Relations, 1(1), retrieved from http://www.instituteforpr.org/wp-
content/uploads/BergerFinalWES.pdf
Bloom, B.S. (Ed.). Engelhart, M.D., Furst, E.J., Hill, W.H., Krathwohl, D.R. (1956). Taxonomy
of educational objectives, handbook I: The cognitive domain. New York: David McKay
Co. Inc.
Brand, G., Osborne, A., Carroll, M., Carr, S. E., & Etherton-Beer, C. (2016). Do photographs,
older adults narratives and collaborative dialogue foster anticipatory reflection
("preflection") in medical students?
CLOSING THE COMPLIANCE GAP

130
130
BMC Medical Education, 16 doi:http://dx.doi.org.libproxy2.usc.edu/10.1186/s12909-016-
0802-2
Bruggen, A. (2015). An empirical investigation of the relationship between workload and
performance. Management Decision, 53(10), 2377-2389.
doi:http://dx.doi.org.libproxy1.usc.edu/10.1108/MD-02-2015-0063
Bulgurcu, B., Cavusoglu, H., & Benbasat, I. (2010). Information security policy compliance: An
empirical study of rationality-based beliefs and information security awareness. MIS
Quarterly, 34(3), 523-548. Retrieved from
http://www.jstor.org.libproxy2.usc.edu/stable/25750690
Carthey, J., Walker, S., Deelchand, V., Vincent, C., & Griffiths, W. H. (2011). Breaking the
rules: Understanding non-compliance with policies and guidelines. BMJ: British Medical
Journal, 343. doi:http://dx.doi.org.libproxy2.usc.edu/10.1136/bmj.d5283
Cantone, L. (1999). Corporate compliance: Critical to organizational success. Nursing
Economics, 17(1), 15-9, 52.
Cantor, D. E., & Terle, M. (2010). Applying a voluntary compliance model to a proposed
transportation safety regulation. International Journal of Physical Distribution &
Logistics Management, 40(10), 822-846.
doi:http://dx.doi.org.libproxy2.usc.edu/10.1108/09600031011093223
Carder, B., & Ragan, P. (2016). Decision making: How system 1 & system 2 processing affect
safety. Professional Safety, 61(3), 57-60. Retrieved from
http://libproxy.usc.edu/login?url=http://search.proquest.com.libproxy2.usc.edu/docview/1
771604703?accountid=14749
CLOSING THE COMPLIANCE GAP

131
131
Chestnut, S.R., & Burley, H. (2015). Self-efficacy as a predictor of commitment to the
teaching profession: A meta-analysis. Educational Research Review volume 15, 1-16
Chia-An, C., & Chandra, A. (2012). Impact of owner's knowledge of information technology
(IT) on strategic alignment and IT adoption in US small firms. Journal of Small Business
and Enterprise Development, 19(1), 114-131.
doi:http://dx.doi.org.libproxy2.usc.edu/10.1108/14626001211196433
Cho, Y. S., & Jung, J. Y. (2014). The relationship between metacognition, entrepreneurial
orientation, and firm performance: An empirical investigation. Academy of
Entrepreneurship Journal, 20(2), 71-86. Retrieved from
http://libproxy.usc.edu/login?url=http://search.proquest.com.libproxy2.usc.edu/docview/1
645727115?accountid=14749
Clark, R., & Estes, F. (2008). Turning research into results: A guide to selecting the right
performance solutions. Atlanta, GA: CEP Press.
Coladarci, T. (1992). Self-efficacy is predictive of commitment. Teachers' sense of efficacy and
commitment to teaching. Journal of Experimental Education, 60(4), 323-337. Retrieved
from http://www.jstor.org/stable/20152340
Compliance. (n.d.). In YourDictionary. Retrieved from
http://www.yourdictionary.com/compliance
Compliance360. (2010). White paper: The seven elements of an effective compliance and ethics
program. Retrieved from
http://compliance360.com/downloads/case/Seven_Elements_of_Effective_Compliance_P
rograms.pdf
CLOSING THE COMPLIANCE GAP

132
132
Creswell, J.W. (2014). Research Design: Qualitative, Quantitative, and Mixed Methods
Approaches. Thousand Oaks, CA: Sage Publications.
Cybersecurity. (n.d.). In Merriam Webster Online, Retrieved January 19, 2017, from
http://www.merriam-webster.com/dictionary/citation.
Dai, H., Milkman, K. L., Hofmann, D. A., & Staats, B. R. (2015). The impact of time at work
and time off from work on rule compliance: The case of hand hygiene in health
care. Journal of Applied Psychology, 100(3), 846-862.
doi:http://dx.doi.org.libproxy2.usc.edu/10.1037/a0038067
Dailey, P. R., & Brookmire, D. A. (2005). Back to our future: Challenging new compliance and
leadership accountabilities for human resources, courtesy of sarbanes-oxley. Human
Resource Planning, 28(3), 38-44. Retrieved from
http://libproxy.usc.edu/login?url=http://search.proquest.com.libproxy2.usc.edu/docview/2
24568148?accountid=14749
Deloitte Touche Tohmatsu Limited. (2006). The risk intelligent life science company. London,
United Kingdom. Retrieved from
https://www2.deloitte.com/content/dam/Deloitte/co/Documents/risk/InteligenciaFrenteal
Riesgo/No.4-Risk_intell_lifesci_180407.pdf
Deloitte Touche Tohmatsu Limited. (2015a). Challenge of compliance in life sciences: Moving
from cost to value. London, United Kingdom. Retrieved from
https://www2.deloitte.com/uk/en/pages/life-sciences-and-healthcare/articles/lshc-
challenge-of-compliance.html
Deloitte Touche Tohmatsu Limited. (2015b). Compliance in motion: A closer look at the
corporate sector. London, United Kingdom. Retrieved from
CLOSING THE COMPLIANCE GAP

133
133
https://www2.deloitte.com/content/dam/Deloitte/nl/Documents/risk/deloitte-nl-risk-
corporate-compliance-benchmark-2015.pdf
Donaldson, S.I., & Grant-Vallone, E.J. (2002). Understanding self-report bias in organizational
behavior research. Journal of Business and Psychology, 17(2), 245-260.
https://doi.org/10.1023/A:1019637632584
Eccles, J. (2006). Expectancy value motivational theory. Retrieved
from http://www.education.com/reference/article/expectancy-value-motivational-theory/
Effective. (n.d.). In Merrian-Webster. Retrieved from http://www.merriam-
webster.com/dictionary/effective
Environment, health, and safety. (n.d.). In Wikipedia. Retrieved from
https://en.wikipedia.org/wiki/Environment,_health_and_safety
Erez, M., & Gati, E. (2004). A dynamic, multi-level model of culture: From the micro level of
the individual to the macro level of a global culture. Applied Psychology: An
International Review, 53(4), 583–598.
Erickson, J. (2012). The high cost of non-compliance (parts 1 & 2) [blog]. Retrieved from
https://www.coolblue.com/blog/industry-insights/the-high-cost-of-non-compliance-part-
1/
Fieldston, E. S., Zaoutis, L. B., Hicks, P. J., Kolb, S., Sladek, E., Geiger, D., . . . Bell, L. M.
(2014). Front-line ordering clinicians: Matching workforce to workload. Journal of
Hospital Medicine, 9(7), 457-62.
doi:http://dx.doi.org.libproxy2.usc.edu/10.1002/jhm.2194
CLOSING THE COMPLIANCE GAP

134
134
Firestone, W., & Shipps, D. (2005). How do leaders interpret conflicting accountabilities to
improve student learning? In W. A. Firestone & C. Riehl (Eds.), A new agenda for
research in educational leadership (pp. 81–91). New York: Teachers College Press.
Flavell, J. H. (1979). Metacognition and cognitive monitoring: A new area of cognitive–
developmental inquiry. American Psychologist, 34(10), 906-911.
doi:http://dx.doi.org.libproxy2.usc.edu/10.1037/0003-066X.34.10.906
Fox, T. (2013). What are the essential elements of a corporate compliance program? [blog].
Retrieved from http://www.lexisnexis.com/legalnewsroom/corporate/b/fcpa-
compliance/archive/2013/05/23/what-are-the-essential-elements-of-a-corporate-
compliance-program.aspx
Gallagher v. Abbott Laboratories, 269 F.3d 806 (Il, 2001).
Gallimore, R., & Goldenberg, C. (2001). Analyzing cultural models and settings to connect
minority achievement and school improvement research. Educational Psychologist,
36(1), 45-56. doi:http://dx.doi.org.libproxy2.usc.edu/10.1207/S15326985EP3601_5
Gardiner, S., & Rieckmann, M. (2015). Pedagogies of preparedness: Use of reflective journals in
the operationalisation and development of anticipatory competence. Sustainability, 7(8),
10554-10575. doi:http://dx.doi.org.libproxy2.usc.edu/10.3390/su70810554
Geller, E. S. (2016). Leadership lessons for OSH professionals. Professional Safety, 61(6), 63-
71. Retrieved from
http://libproxy.usc.edu/login?url=http://search.proquest.com.libproxy2.usc.edu/docview/1
797879727?accountid=14749
Glesne, C. (2011). Becoming qualitative researchers: An introduction (4th ed.). Boston, MA:
Pearson.
CLOSING THE COMPLIANCE GAP

135
135
Green, A. (2015). 1.3 Introduction to Accountability [video]. Retrieved from
https://2sc.rossieronline.usc.edu/mod/page/view.php?id=90674
Greenwood J. (1993). Reflective practice: A critique of the work of Argyris and Schön. J Adv
Nurs., 18(8), 1183–7.
Hagemeier, N. E., & Murawski, M. M. (2014). An instrument to assess subjective task value
beliefs regarding the decision to pursue postgraduate training. American Journal of
Pharmaceutical Education, 78(1), 1-13.
Harding, J. (2013). Using codes to analyze an illustrative issue. In Qualitative data analysis from
start to finish (pp. 81-106). Thousand Oaks, CA: SAGE.
Hawkins, T., & Muir, W. (2014). An exploration of knowledge-based factors affecting
procurement compliance. Journal of Public Procurement, 14(1), 1-32. Retrieved from
http://search.proquest.com.libproxy2.usc.edu/docview/ 1536852251?accountid=14749
Hay, M., Thomas, D. W., Craighead, J. L., Economides, C., & Rosenthal, J. (2014). Clinical
development success rates for investigational drugs. Nature Biotechnology, 32(1), 40-51.
doi:http://dx.doi.org.libproxy2.usc.edu/10.1038/nbt.2786
Heart, T., Parmet, Y., Pliskin, N., Zuker, A., & Pliskin, J. S. (2011). Investigating physicians'
compliance with drug prescription notifications. Journal of the Association for
Information Systems, 12(3), 235-254. Retrieved from
http://libproxy.usc.edu/login?url=http://search.proquest.com.libproxy2.usc.edu/docview/8
61435173?accountid=14749
Hedström, K., Karlsson, F., & Kolkowska, E. (2013). Social action theory for understanding
information security non-compliance in hospitals. Information Management & Computer
CLOSING THE COMPLIANCE GAP

136
136
Security, 21(4), 266-287. doi:http://dx.doi.org.libproxy2.usc.edu/10.1108/IMCS-08-
2012-0043
HG.org. (n.d.). Employment law. https://www.hg.org/employ.html
Ifinedo, P. (2014). Information systems security policy compliance: An empirical study of the
effects of socialisation, influence, and cognition. Information & Management, 51(1), 69-
79. doi:http://dx.doi.org.libproxy1.usc.edu/10.1016/j.im.2013.10.001
Jenkins, A. (1994). The role of managerial self-efficacy in corporate compliance with the law.
Law and Human Behavior, 18(1), 71-88. Retrieved from
http://www.jstor.org.libproxy2.usc.edu/stable/1393917
Jenkins, J., Pratt, M.K., & Sales, F. (2015). Cybersecurity and privacy compliance: The delicate
balance. Retrieved from
http://searchcompliance.techtarget.com/ehandbook/Cybersecurity-and-privacy-
compliance-The-delicate-balance
Johnson, R.B., & Christensen, L.B. (2015). Educational Research: Quantitative, qualitative, and
mixed approaches. (5th ed.). Thousand Oaks: SAGE.
Kamleitner, B., Korunka, C., & Kirchler, E. (2012). Tax compliance of small business owners.
International Journal of Entrepreneurial Behaviour & Research, 18(3), 330-351.
doi:http://dx.doi.org.libproxy2.usc.edu/10.1108/13552551211227710
Keller and Heckman. (n.d.). Health and safety compliance audit. Retrieved from
https://www.khlaw.com/Health-and-Safety-Compliance-Audit
Kelly, E. (2010). Failure to update: An institutional perspective on noncompliance with the
family and medical leave act. Law & Society Review, 44(1), 33-66. Retrieved from
http://search.proquest.com.libproxy2.usc.edu/docview/ 873697002?accountid=14749
CLOSING THE COMPLIANCE GAP

137
137
Kirkpatrick, J.D., & Kirkpatrick, W.K. (2016). The New World Kirkpatrick Model.
Alexandria, VA: ATD Publications.
Kittredge, C. (2005, August 1). The sweet smell of biotech success. The Scientist. Retrieved
from http://www.the-scientist.com/?articles.view/articleNo/16637/title/The-Sweet-Smell-
of-Biotech-Success/
KPMG International. (2009). Risk management in the pharmaceuticals and life sciences
industry. United States. Retrieved from
https://www.eiuperspectives.economist.com/sites/default/files/Risk%20management%20i
n%20the%20pharmaceuticals%20and%20life%20sciences%20industry.pdf
Krathwohl, D. R. (2002). A revision of Bloom’s Taxonomy: An overview. Theory Into Practice,
41(4), 212–218.
Kroll, K. (2012, April 3). Measuring the effectiveness of compliance. Compliance Week, 1-2.
Kusserow, R. (2013). Measuring and benchmarking compliance program effectiveness. Journal
of Health Care Compliance, 15(2), 17-22.
Laerd Dissertation. (2012). Total population sampling. Retrieved from
http://dissertation.laerd.com/total-population-sampling.php
Lowry, P. B., & Moody, G. D. (2015). Proposing the control ‐ reactance compliance model
(CRCM) to explain opposing motivations to comply with organisational information
security policies. Information Systems Journal, 25(5), 433-463.
doi:http://dx.doi.org.libproxy1.usc.edu/10.1111/isj.12043
Lu, H., & Mande, V. (2014). Factors influencing non-compliance with ASU 2010-06 in the
banking industry. Managerial Auditing Journal, 29(6), 548-574. Retrieved from
CLOSING THE COMPLIANCE GAP

138
138
http://libproxy.usc.edu/login?url=https://search-proquest-
com.libproxy2.usc.edu/docview/1660949365?accountid=14749
MacNab, B., & Worthley, R. (2008). Self-efficacy as an intrapersonal predictor for internal
whistleblowing: A US and Canada examination. Journal of Business Ethics, 79(4), 407-
421. Retrieved from http://www.jstor.org.libproxy2.usc.edu/stable/25482126
Markovitz, D., & Jones, D. (2012). Developing a bulletproof GXP training process from the
ground up-A case study. Journal of GXP Compliance, 16(4), 40-53. Retrieved from
http://search.proquest.com.libproxy2.usc.edu/docview/ 1212780765?accountid=14749
Massey, K., & Campbell, N. (2013). Human resources management: Big problem for small
business? The Entrepreneurial Executive, 18, 77-88. Retrieved from http://
search.proquest.com.libproxy2.usc.edu/docview/1368593791?accountid=14749
Maxwell, J. A. (2013). Qualitative research design: An interactive approach (3rd ed.). Thousand
Oaks, CA: SAGE Publications.
Mayer, R. E. (2011). Applying the science of learning. Boston, MA: Pearson Education.
McGovern, P. M., Vesley, D., Kochevar, L., Robyn R.M. Gershon, Rhame, F. S., & Anderson,
E. (2000). Factors affecting universal precautions compliance. Journal of Business and
Psychology, 15(1), 149-161. Retrieved from
http://libproxy.usc.edu/login?url=http://search.proquest.com.libproxy2.usc.edu/docview/1
96866423?accountid=14749
Mckim, A.J. & Velez, J.J. (2015). Exploring the relationship between self-efficacy and career
commitment among early career agriculture teachers. Journal of Agricultural Education.
56(1), 127-140 doi: 10.5032/jae.2015.01127
Merriam, S. B., & Tisdell, E. J. (2016). Qualitative research: A guide to design and
CLOSING THE COMPLIANCE GAP

139
139
implementation (4th ed.). San Francisco, CA: Jossey-Bass.
Miles, M. B., Huberman, A. M., & Saldaña, J. (2014). Qualitative data analysis: A methods
sourcebook (3rd ed.). Thousand Oaks, CA: SAGE Publications.
Nicol, J. S., & Dosser, I. (2016). Understanding reflective practice. Nursing Standard
(2014+), 30(36), 34. doi:http://dx.doi.org.libproxy2.usc.edu/10.7748/ns.30.36.34.s44
Owusu-Ansah, S. (2005). Factors influencing corporate compliance with financial reporting
requirements in New Zealand. International Journal of Commerce and Management,
15(2), 141-157. Retrieved from http://libproxy.usc.edu/login?url=https://search-proquest-
com.libproxy2.usc.edu/docview/212860044?accountid=14749
Paglis, L., & Green, S. (2002). Leadership self-efficacy and managers' motivation for leading
change. Journal of Organizational Behavior, 23(2), 215-235. Retrieved from
http://www.jstor.org.libproxy2.usc.edu/stable/4093732
Pajares, F. (2009). Self-efficacy theory. Retrieved
from http://www.education.com/reference/article/self-efficacy-theory/
Parker, C., & Nielsen, V.L. (2009). Corporate compliance systems: Could they make any
difference? Administration & Society 41(1), 3-37. doi:10.1177/0095399708328869
Pintrich, P. R. (2002). The role of metacognitive knowledge in learning, teaching, and
assessing. Theory into Practice, 41(4), 219. Retrieved from
http://libproxy.usc.edu/login?url=http://search.proquest.com.libproxy2.usc.edu/docview/2
18833025?accountid=14749
Pintrich, P. R. (2003). A motivational science perspective on the role of student motivation in
learning and teaching contexts. Journal of Educational Psychology, 95(4), 667–686.
CLOSING THE COMPLIANCE GAP

140
140
Ponemon Institute LLC. (2011). The true cost of compliance: A benchmark study of
multinational corporations. Retrieved from
http://www.tripwire.com/tripwire/assets/File/ponemon/True_Cost_of_Compliance_Repor
t.pdf
Prajapati, V., & Dureja, H. (2012). Product lifecycle management in pharmaceuticals. Journal of
Medical Marketing, 12(3), 150-158.
doi:http://dx.doi.org.libproxy2.usc.edu/10.1177/1745790412445292
Rubin, H. J., & Rubin, I. S. (2012). Qualitative interviewing: The art of hearing data (3rd ed.).
Thousand Oaks, CA: SAGE Publications.
Rueda, R. (2011). The 3 dimensions of improving student performance. New York: Teachers
College Press.
Sample, J. (2015). Compliance and ethics programmes and the federal sentencing guidelines for
organizations in the united states: Implications for international HRD specialists. Human
Resource Development International, 18(3), 295-307.
doi:http://dx.doi.org.libproxy1.usc.edu/10.1080/13678868.2015.1071991
Schein, E. H. (2004). The concept of organizational culture: Why bother? In E. H. Schein, (Ed.),
Organizational culture and leadership (3rd ed., pp. 3–24). San Francisco, CA: Jossey
Bass.
Sendlhofer, G., Lumenta, D. B., Leitgeb, K., Kober, B., Jantscher, L., Schanbacher, M.,
Berghold, A., Pregartner, G., Brunner, G., Tax, C., & Kamolz, L. P. (2016). The gap
between individual perception and compliance: A qualitative follow-up study of the
surgical safety checklist application. PLoS One, 11(2)
doi:http://dx.doi.org.libproxy2.usc.edu/10.1371/journal.pone.0149212
CLOSING THE COMPLIANCE GAP

141
141
Shah, J., & Higgins, T. (1997). Expectancy × value effects: Regulatory focus as determinant
of magnitude and direction. Journal of Positionality and Social Psychology, (73)3 p 447-
458
Shane, S. (2009). Why encouraging more people to become entrepreneurs is bad public policy.
Small Business Economics 33(2), 141-149. Retrieved from
http://link.springer.com/article/10.1007/s11187-009-9215-5
Sheridan, T. (2014). Study highlights corporate compliance Issues [blog]. Retrieved from
http://www.accountingweb.com/practice/practice-excellence/study-highlights-corporate-
compliance-issues
Schö n. (1983). The reflective practitioner: How professionals think in action. New York: Basic
Books.
Singh, J. (2011). Determinants of the effectiveness of corporate codes of ethics: An empirical
study. Journal of Business Ethics, 101(3), 385-395.
doi:http://dx.doi.org.libproxy2.usc.edu/10.1007/s10551-010-0727-3
Stokols, D., McMahan, S., Chiltheroe, H. C., J., & Wells, M. (2001). Enhancing corporate
compliance with worksite safety and health legislation. Journal of Safety Research, 32(4),
441-463. doi:http://dx.doi.org.libproxy1.usc.edu/10.1016/S0022-4375(01)00063-9
Struthers, C. W., Weiner, B., & Allred, K. (1998). Effects of causal attributions on personnel
decisions: A social motivation perspective. Basic and Applied Social Psychology, 20(2),
155-166. Retrieved from http://libproxy.usc.edu/
login?url=http://search.proquest.com.libproxy2.usc.edu/docview/57787552?accountid=1
4749
CLOSING THE COMPLIANCE GAP

142
142
Subramanyam, M., Muralidhara, P., & Pooja, M. (2013). Mental workload and cognitive
fatigue: A study. IUP Journal of Management Research, 12(2), 29-39. Retrieved from
http://libproxy.usc.edu/login?url=http://search.proquest.com.libproxy2.usc.edu/docview/1
435377382?accountid=14749
Sutthiwan, A., C.P.A., & Clinton, B. D. (2008). The conflicting roles of controllership and
compliance. Strategic Finance, 90(1), 43-46. Retrieved from
http://libproxy.usc.edu/login?url=http://search.proquest.com.libproxy2.usc.edu/docview/2
29784768?accountid=14749
Taxonomy. (n.d.). Merriam-Webster online dictionary. Retrieved from http://www.merriam-
webster.com/dictionary/taxonomy
Thompson Reuters. (2014). Thomson Reuters report highlights rising costs of non-compliance.
Retrieved from http://thomsonreuters.com/en/press-releases/2014/thomson-reuters-
report-highlights-rising-costs-of-non-compliance.html
Torp, S., & Grogaard, J. B. (2009). The influence of individual and contextual work factors on
workers' compliance with health and safety routines. Applied Ergonomics, 40(2), 185-
193. doi:http://dx.doi.org.libproxy2.usc.edu/10.1016/j.apergo.2008.04.002
U. S. Food and Drug Administration. (2004). Challenge and opportunity on the critical path to
new medical products. Washington, DC. Retrieved from
https://www.fda.gov/downloads/scienceresearch/specialtopics/criticalpathinitiative/critica
lpathopportunitiesreports/ucm113411.pdf
U.S. Sentencing Commission. (2010). 2010 federal sentencing guidelines manual. Retrieved
from http://www.ussc.gov/guidelines-manual/2010/2010-8b21
CLOSING THE COMPLIANCE GAP

143
143
University of Maryland University College. (n.d.). Introduction to cybersecurity. Retrieved
from http://www.umuc.edu/academic-programs/cyber-security/about.cfm
Van Manen M. Epistemology of reflective practice. Teach Teach Theory Pract. 1995;1(1):33–50.
Van Noorden, R. (2013). Safety survey reveals lab risks. Nature, 493(7430), 9-10. Retrieved
from http://search.proquest.com.libproxy2.usc.edu/
docview/1285228747?accountid=14749
Wang, J., Li, Y., & Rao, H. R. (2016). Overconfidence in phishing email detection. Journal of
the Association for Information Systems, 17(11), 759-783. Retrieved from
http://libproxy.usc.edu/login?url=https://search-proquest-
com.libproxy2.usc.edu/docview/1851172057?accountid=14749
Webb, D., & Molo, S. (1993). Some practical considerations in developing effective compliance
programs: A framework for meeting the requirements of the sentencing guidelines.
Washington University Law Review, 71(2), 375-396.
Weiner, B. (2010). The development of an attribution-based theory of motivation: A history of
ideas. Educational Psychologist, 45(1), 28. Retrieved from
http://libproxy.usc.edu/login?url=http://search.proquest.com.libproxy2.usc.edu/docview/2
04133699?accountid=14749
Welty, G. (2010). Qualification of employees for GXP compliance. Journal of GXP
Compliance, 14(1), 80-91. Retrieved from http://libproxy.usc.edu/
login?url=http://search.proquest.com.libproxy2.usc.edu/docview/232832835?accountid=
14749
Wilson, J. (2008). Reflecting-on-the-future: A chronological consideration of reflective
practice. Reflective Practice, 9(2), 177-184.
CLOSING THE COMPLIANCE GAP

144
144
Appendix A
Assessment Tools to Evaluate Assumed KMO Influences

Category Assumed Need Assessment Tool
Knowledge influences
Declarative Managers need to know the ITS and EHS
compliance risks within the areas they
oversee.
Survey and
document/artifact analysis
Declarative Managers need to know what types of
responses are appropriate to address ITS
and EHS compliance risk.
Survey and
document/artifact analysis
Procedural Managers need to know how to
implement the appropriate response for
the identified ITS and EHS risk.
Survey and
document/artifact analysis
Meta-
cognitive
Managers need to “reflect-on-action” on
how they responded to ITS and EHS
compliance risk.
Survey
Motivation influences
Expectancy-
Value
Managers need to see the value in
responding appropriately to ITS and EHS
compliance risks.
Survey
Self-Efficacy Managers need to feel confident in their
ability to respond appropriately to ITS and
EHS compliance risks.
Survey
Organizational influences
Cultural
Setting
Managers need role models who
demonstrate how to appropriately respond
to ITS and EHS compliance risks.
Survey
Cultural
Setting
Managers need to prioritize appropriate
ITS and EHS risk response in their
workloads.
Survey
Cultural
Setting
Managers need ITS and EHS
documentation that is succinct, consistent,
accessible, and relevant.
Survey and
document/artifact analysis

CLOSING THE COMPLIANCE GAP

145
145
Appendix B
Survey Instrument

INFORMATION/FACT SHEET SUMMARY FOR THIS PROJECT
(to read/print the full document, click here)
Confidentiality: No identifiable information will be obtained in connection with this study.
Only general demographic data will be collected, including department and tenure with the
organization. Data is collected online via Qualtrics, a secure, encrypted survey program.
Purpose: The purpose of this project is to study how knowledge, motivation, and organizational
influences impact leadership responses to compliance risks.
Participant involvement: Taking part in this study is voluntary. You may choose not to take
part at all. If you decide to take part in this study, you may stop taking part at any time. If you
agree to take part in this study, you will be asked to complete an online survey which is
anticipated to take about 10 minutes. If you don't want to answer a question, simply move to the
next question.
Alternatives to participation: Your alternative is to not participate. Your relationship with the
organization will not be affected whether you participate or not in this study.
Questions: Please contact Amanda Kizer (Principal Investigator) at akizer@usc.edu if you have
questions or concerns about participation in this research study.

Would you like to participate in this survey? Select a choice below.
 YES - I would like to participate in this anonymous survey. I understand that this survey is
voluntary, not required by my employer, and that I may stop participating at any time.
 NO - I do not wish to participate in this survey.

Which department best describes your current position? Select one.
 Research and Development
 Operations
 Legal / Human Resources
 Finance
 Clinical

How long have you worked for the company (cumulative, including past ownership of the site)?
 less than 2 months
 2 mo - 1 yr
 1 yr - 3 yrs
 3 yrs - 6 yrs
 6 yrs - 9 yrs
 over 9 years

CLOSING THE COMPLIANCE GAP

146
146
GENERAL COMPLIANCE
Compliance, in general, includes efforts to ensure that we are abiding by both industry
regulations and government legislation. Our company must comply with a wide variety of
regulations. The question below asks about compliance in general within the area(s) for which
you are responsible.

Please rate how certain you are that you can do the things listed below by entering the appropriat
e number in the space provided. Rate your degree of confidence by recording a number from 0
to 100 using the scale given below:

Within the area(s) for which I am responsible, I can... (0-100)
______ Identify the scope of compliance risks.
______ Identify appropriate responses to compliance risks.
______ Implement appropriate responses to compliance risks.
______ Reflect on how appropriate my responses were to compliance risks.
______ Reflect on how well I implemented responses to compliance risks.
______ Identify company leaders who demonstrate how to appropriately respond, generally,
to compliance risks.
______ Adjust my workload to appropriately respond to the scope of compliance risks.

Rate your level of agreement with the following statements about compliance in general within
the area(s) for which you are responsible.

Strongly
disagree
Somewhat
disagree
Neither
agree nor
disagree
Somewhat
agree
Strongly
agree
Being able to respond appropriately to
compliance risks is important to me.
    
I like being able to appropriately
respond to compliance risks.
    
Appropriately responding to
compliance risks is integral in my goal
achievement.
    
Appropriately responding to
compliance risks is integral in my
company’s goal achievement.
    
Appropriately responding to
compliance risk is difficult.
    
Time spent responding to compliance
risks is better spent doing other
activities.
    
CLOSING THE COMPLIANCE GAP

147
147

INFORMATION TECHNOLOGY SECURITY (ITS) COMPLIANCE
The question below asks about a specific type of compliance within the area(s) you are
responsible for. Information Technology Security (ITS) compliance includes protecting company
computers, networks, programs, and data from unintended or unauthorized access, change, and
destruction.

Please rate how certain you are that you can do the things listed below by entering the
appropriate number in the space provided. Rate your degree of confidence by recording a
number from 0 to 100 using the scale given below:

Within the area(s) for which I am responsible, I can... (0-100)
______ Identify ITS compliance risks.
______ Identify appropriate responses to ITS compliance risks.
______ Implement appropriate responses to ITS compliance risks.
______ Reflect on how appropriate my responses were to ITS compliance risks.
______ Reflect on how well I implemented responses to ITS compliance risks.
______ Identify company leaders who demonstrate how to appropriately respond to ITS
compliance risks.
______ Adjust my workload to appropriately respond to ITS compliance risks.

Rate your level of agreement with the following statements about Information Technology
Security (ITS) compliance (e.g., protecting company computers, networks, programs, and data
from unintended or unauthorized access, change, destruction, etc.)

Strongly
disagree
Somewhat
disagree
Neither
agree nor
disagree
Somewhat
agree
Strongly
agree
Being able to respond appropriately to
ITS compliance risks is important to
me.
    
I like being able to appropriately
respond to ITS compliance risks.
    
Appropriately responding to ITS
compliance risks is integral in my goal
achievement.
    
Appropriately responding to ITS
compliance risks is integral in my
company’s goal achievement.
    
Appropriately responding to ITS
compliance risk is difficult.
    
CLOSING THE COMPLIANCE GAP

148
148
Time spent responding to ITS
compliance risks is better spent doing
other activities.
    

ENVIRONMENTAL, HEALTH, AND SAFETY (EHS) COMPLIANCE
The question below asks about a specific type of compliance within the area(s) for which you are
responsible. Environmental, Health, and Safety (EHS) compliance includes hazard identification
and employee protection, emergency preparation and response, and managing hazardous waste.

Please rate how certain you are that you can do the things listed below by entering the
appropriate number in the space provided. Rate your degree of confidence by recording a
number from 0 to 100 using the scale given below:

Within the area(s) for which I am responsible, I can... (0-100)
______ Identify EHS compliance risks.
______ Identify appropriate responses to EHS compliance risks.
______ Implement appropriate responses to EHS compliance risks.
______ Reflect on how appropriate my responses were to EHS compliance risks.
______ Reflect on how well I implemented responses to EHS compliance risks.
______ Identify company leaders who demonstrate how to appropriately respond to EHS
compliance risks.
______ Adjust my workload to appropriately respond to EHS compliance risks.

Rate your level of agreement with the following statements about Environmental, Health, and
Safety (EHS) compliance (e.g., hazard identification and employee protection, emergency
preparation and response, managing hazardous waste, etc.)

Strongly
disagree
Somewhat
disagree
Neither
agree nor
disagree
Somewhat
agree
Strongly
agree
Being able to respond appropriately to
EHS compliance risks is important to
me.
    
I like being able to appropriately
respond to EHS compliance risks.
    
Appropriately responding to EHS
compliance risks is integral in my goal
achievement.
    
Appropriately responding to EHS
compliance risks is integral in my
company’s goal achievement.
    
CLOSING THE COMPLIANCE GAP

149
149
Appropriately responding to EHS
compliance risk is difficult.
    
Time spent responding to EHS
compliance risks is better spent doing
other activities.
    

CLOSING THE COMPLIANCE GAP

150
150
Appendix C
Survey Items, Measurement Scales, and Influencer Details

Item
No.
Item Scale Influence
1 Identify the scope of compliance risks. Confidence
(0-100)
K/Declarative
2 Identify appropriate responses to compliance
risks.
Confidence
(0-100)
K/Declarative
3 Implement appropriate responses to
compliance risks.
Confidence
(0-100)
K/Procedural
4 Reflect on how appropriate my responses
were to compliance risks.
Confidence
(0-100)
K/Metacognitive
5 Reflect on how well I implemented
responses to compliance risks.
Confidence
(0-100)
K/Metacognitive
6 Identify company leaders who demonstrate
how to appropriately respond, generally, to
compliance risks.
Confidence
(0-100)
O/Role Models
7 Adjust my workload to appropriately
respond to the scope of compliance risks.
Confidence
(0-100)
O/Work Load
8 Being able to respond appropriately to
compliance risks is important to me.
Likert
(SD/1-SA/5)
M/EVT/Attainment
9 I like being able to appropriately respond to
compliance risks.
Likert
(SD/1-SA/5)
M/EVT/Intrinsic
10 Appropriately responding to compliance
risks is integral in my goal achievement.
Likert
(SD/1-SA/5)
M/EVT/Utility
11 Appropriately responding to compliance
risks is integral in my company's goal
achievement.
Likert
(SD/1-SA/5)
M/EVT/Utility
12 Appropriately responding to compliance risk
is difficult.
Likert
(SD/1-SA/5)
M/EVT/Expectancy
13 Time spent responding to compliance risks
is better spent doing other activities.
Likert
(SD/1-SA/5)
M/EVT/Cost
14 Identify ITS compliance risks. Confidence
(0-100)
K/Declarative
15 Identify appropriate responses to ITS
compliance risks.
Confidence
(0-100)
K/Declarative
16 Implement appropriate responses to ITS
compliance risks.
Confidence
(0-100)
K/Procedural
17 Reflect on how appropriate my responses
were to ITS compliance risks.
Confidence
(0-100)
K/Metacognitive
18 Reflect on how well I implemented
responses to ITS compliance risks.
Confidence
(0-100)
K/Metacognitive
CLOSING THE COMPLIANCE GAP

151
151
19 Identify company leaders who demonstrate
how to appropriately respond to ITS
compliance risks.
Confidence
(0-100)
O/Role Models
20 Adjust my workload to appropriately
respond to ITS compliance risks.
Confidence
(0-100)
O/Work Load
21 Being able to respond appropriately to ITS
compliance risks is important to me.
Likert
(SD/1-SA/5)
M/EVT/Attainment
22 I like being able to appropriately respond to
ITS compliance risks.
Likert
(SD/1-SA/5)
M/EVT/Intrinsic
23 Appropriately responding to ITS compliance
risks is integral in my goal achievement.
Likert
(SD/1-SA/5)
M/EVT/Utility
24 Appropriately responding to ITS compliance
risks is integral in my company’s goal
achievement.
Likert
(SD/1-SA/5)
M/EVT/Utility
25 Appropriately responding to ITS compliance
risk is difficult.
Likert
(SD/1-SA/5)
M/EVT/Expectancy
26 Time spent responding to ITS compliance
risks is better spent doing other activities.
Likert
(SD/1-SA/5)
M/EVT/Cost
27 Identify EHS compliance risks. Confidence
(0-100)
K/Declarative
28 Identify appropriate responses to EHS
compliance risks.
Confidence
(0-100)
K/Declarative
29 Implement appropriate responses to EHS
compliance risks.
Confidence
(0-100)
K/Procedural
30 Reflect on how appropriate my responses
were to EHS compliance risks.
Confidence
(0-100)
K/Metacognitive
31 Reflect on how well I implemented
responses to EHS compliance risks.
Confidence
(0-100)
K/Metacognitive
32 Identify company leaders who demonstrate
how to appropriately respond to EHS
compliance risks.
Confidence
(0-100)
O/Role Models
33 Adjust my workload to appropriately
respond to EHS compliance risks.
Confidence
(0-100)
O/Work Load
34 Being able to respond appropriately to EHS
compliance risks is important to me.
Likert
(SD/1-SA/5)
M/EVT/Attainment
35 I like being able to appropriately respond to
EHS compliance risks.
Likert
(SD/1-SA/5)
M/EVT/Intrinsic
36 Appropriately responding to EHS
compliance risks is integral in my goal
achievement.
Likert
(SD/1-SA/5)
M/EVT/Utility
37 Appropriately responding to EHS
compliance risks is integral in my
company’s goal achievement.
Likert
(SD/1-SA/5)
M/EVT/Utility
CLOSING THE COMPLIANCE GAP

152
152
38 Appropriately responding to EHS
compliance risk is difficult.
Likert
(SD/1-SA/5)
M/EVT/Expectancy
39 Time spent responding to EHS compliance
risks is better spent doing other activities.
Likert
(SD/1-SA/5)
M/EVT/Cost

CLOSING THE COMPLIANCE GAP

153
153
Appendix D
Survey Information Sheet

University of Southern California
Rossier School of Education
3470 Trousdale Parkway
Los Angeles, CA 90089

INFORMATION/FACTS SHEET FOR NON-MEDICAL RESEARCH

How knowledge, motivation, and organizational influences impact leadership responses to
compliance risks.
You are invited to participate in a research study. This research study includes only people who
voluntarily choose to take part. This document explains information about this study. You should
ask questions about anything that is unclear to you.
PURPOSE OF THE STUDY
The purpose of this project is to study how knowledge, motivation, and organizational influences
impact leadership responses to compliance risks.
STUDY PROCEDURES
Taking part in this study is voluntary. You may choose not to take part at all. If you decide to
take part in this study, you may stop taking part at any time. If you agree to take part in this
study, you will be asked to complete an online survey which is anticipated to take about 10
minutes. If you don't want to answer a question, simply move to the next question.
POTENTIAL RISKS AND DISCOMFORTS
There are no anticipated risks related to your participation in this study. If you don't want to
answer a question, simply move to the next question. You can choose to stop answering
questions that make you uncomfortable at any time. Survey participation is anonymous.
POTENTIAL BENEFITS TO PARTICIPANTS AND/OR TO SOCIETY
There are no anticipated benefits that apply directly to study participants. Anticipated benefits of
this study include potential improved effectiveness in one or more organizational compliance
programs and advancement of knowledge in this subject area.
PARTICIPATION AND WITHDRAWAL
Your participation is voluntary. Your relationship with the organization will not be affected
whether you participate or not in this study. You may withdraw your consent at any time and
discontinue participation without penalty.
ALTERNATIVES TO PARTICIPATION
Your alternative is to not participate. Your relationship with the organization will not be affected
whether you participate or not in this study.
CONFIDENTIALITY
CLOSING THE COMPLIANCE GAP

154
154
No identifiable information will be obtained in connection with this study. Only general
demographic data will be collected, including department and tenure with the organization. Data
is collected online via Qualtrics, a secure, encrypted survey program. Analytic reports will be
stored for at least three years in a password protected database provided by the University of
Southern California (USC).
The members of the research team and the University of Southern California’s Human Subjects
Protection Program (HSPP) may access the data. The HSPP reviews and monitors research
studies to protect the rights and welfare of research subjects.
INVESTIGATOR’S CONTACT INFORMATION
Principal Investigator
Amanda Kizer
Rossier School of Education
3470 Trousdale Parkway
Los Angeles, CA 90089
Tel: 425-346-7921
Email: akizer@usc.edu
Faculty Advisor
Dr. Anthony B. Maddox
Rossier School of Education
3470 Trousdale Parkway
Los Angeles, CA 90089
Tel: 213-740-2864
Email: amaddox@rossier.usc.edu
RIGHTS OF RESEARCH PARTICIPANT – IRB CONTACT INFORMATION
If you have questions, concerns, or complaints about your rights as a research participant or the
research in general and are unable to contact the research team, or if you want to talk to someone
independent of the research team, please contact:
University Park Institutional Review Board (UPIRB)
3720 South Flower Street #301
Los Angeles, CA 90089-0702
Tel: 213-821-5272
Email: upirb@usc.edu
CLOSING THE COMPLIANCE GAP

155
155
Appendix E
Survey Analysis and Presentation Plan
Compliance
Category
KMO
Category
KMO Influence Survey Items
Type of
data
Analysis
method
Method of
presentation
General Demographic NA
Block 1, Items A-B
Department
Tenure with company
nominal
frequency;
percentage
bar chart or pie
chart
ITS
Knowledge
(declarative)
Managers need to know the ITS
compliance risks within the areas
they oversee.
Block 3, Item 14
Identify ITS compliance risks.
ordinal
range;
median
line chart
ITS
Knowledge
(declarative)
Managers need to know what types
of responses are appropriate to
address ITS compliance risk.
Block 3, Item 15
Identify appropriate responses to
ITS compliance risks.
ordinal
range;
median
line chart
ITS
Knowledge
(procedural)
Manager need to know how to
implement the appropriate
response for the identified ITS risk.
Block 3, Item 16
Implement appropriate responses to
ITS compliance risks.
ordinal
range;
median
line chart
ITS
Knowledge
(metacognitive)
Managers need to “reflect-on-
action” on how they responded to
ITS compliance risk.
Block 3, Items 17-18
Reflect on how appropriate my
responses were to ITS compliance
risks.
Reflect on how well I implemented
responses to ITS compliance risks.
ordinal
range;
median
line chart
ITS Organizational
Managers need role models who
demonstrate how to appropriately
respond to ITS compliance risks.
Block 3, Item 19
Identify company leaders who
demonstrate how to appropriately
respond to ITS compliance risks.
ordinal
range;
median
line chart
ITS Organizational
Managers need to prioritize
appropriate ITS risk response in
their workloads.
Block 3, Item 20
Adjust my workload to
appropriately respond to ITS
compliance risks.
ordinal
range;
median
line chart
ITS
Motivation
(attainment
value)
Managers need to see the value in
responding appropriately to ITS
compliance risks.
Block 3, Item 21
Being able to respond appropriately
to ITS compliance risks is
important to me.
ordinal
frequency;
percentage
bar chart
ITS
Motivation
(intrinsic value)
Block 3, Item 22
I like being able to appropriately
respond to ITS compliance risks.
ordinal
frequency;
percentage
bar chart
CLOSING THE COMPLIANCE GAP

156
156
ITS
Motivation
(utility value)
Block 3, Items 23-24
Appropriately responding to ITS
compliance risks is integral in my
goal achievement.
Appropriately responding to ITS
compliance risks is integral in my
company’s goal achievement.
ordinal
frequency;
percentage
bar chart
ITS
Motivation
(cost)
Block 3, Items 25-26
Appropriately responding to ITS
compliance risk is difficult.
Time spent responding to ITS
compliance risks is better spent
doing other activities.
ordinal
frequency;
percentage
bar chart
EHS
Knowledge
(declarative)
Managers need to know the EHS
compliance risks within the areas
they oversee.
Block 4, Item 27
Identify EHS compliance risks.
ordinal
range;
median
line chart
EHS
Knowledge
(declarative)
Managers need to know what types
of responses are appropriate to
address EHS compliance risk.
Block 4, Item 28
Identify appropriate responses to
EHS compliance risks.
ordinal
range;
median
line chart
EHS
Knowledge
(procedural)
Manager need to know how to
implement the appropriate
response for the identified EHS
risk.
Block 4, Item 29
Implement appropriate responses to
EHS compliance risks.
ordinal
range;
median
line chart
EHS
Knowledge
(metacognitive)
Managers need to “reflect-on-
action” on how they responded to
EHS compliance risk.
Block 4, Items 30-31
Reflect on how appropriate my
responses were to EHS compliance
risks.
Reflect on how well I implemented
responses to EHS compliance risks.
ordinal
range;
median
line chart
EHS Organizational
Managers need role models who
demonstrate how to appropriately
respond to EHS compliance risks.
Block 4, Item 32
Identify company leaders who
demonstrate how to appropriately
respond to EHS compliance risks.
ordinal
range;
median
line chart
EHS Organizational
Managers need to prioritize
appropriate EHS risk response in
their workloads.
Block 4, Item 33
Adjust my workload to
appropriately respond to EHS
compliance risks.
ordinal
range;
median
line chart
CLOSING THE COMPLIANCE GAP

157
157
EHS
Motivation
(attainment
value)
Managers need to see the value in
responding appropriately to EHS
compliance risks.
Block 4, Item 34
Being able to respond appropriately
to EHS compliance risks is
important to me.
ordinal
frequency;
percentage
bar chart
EHS
Motivation
(intrinsic value)
Block 4, Item 35
I like being able to appropriately
respond to EHS compliance risks.
ordinal
frequency;
percentage
bar chart
EHS
Motivation
(utility value)
Block 4, Items 36-37
Appropriately responding to EHS
compliance risks is integral in my
goal achievement.
Appropriately responding to EHS
compliance risks is integral in my
company’s goal achievement.
ordinal
frequency;
percentage
bar chart
EHS
Motivation
(cost)
Block 4, Items 38-39
Appropriately responding to EHS
compliance risk is difficult.
Time spent responding to EHS
compliance risks is better spent
doing other activities.
ordinal
frequency;
percentage
bar chart

CLOSING THE COMPLIANCE GAP

158
158

Appendix F
Qualitative Codes

Type Description Code
Deductive
Existing documentation provides guidance for appropriate
manager response to compliance risk.
DOC +/-
Inductive Availability of existing documentation AVAIL
Inductive Accuracy of existing documentation ACC
Inductive Relevancy of existing documentation REL
Deductive
Existing financial resources allocation supports appropriate
manager response to compliance risk.
FIN +/-
Deductive
Existing human capital allocation supports appropriate manager
response to compliance risk.
HUM +/-
Deductive
Existing training resources supports appropriate manager
response to compliance risk.
TRA +/-
Inductive New employee training NEW
Inductive Ongoing employee training OG
Deductive
Existing communication channels supports appropriate manager
response to compliance risk.
COM +/-
Deductive
Existing incentive resources support appropriate manager
response to compliance risk.
INC +/-
Deductive
Existing discipline resources support appropriate manager
response to compliance risk.
DIS +/-
Deductive
Existing external monitoring resources support appropriate
manager response to compliance risk.
EMON +/-
Deductive
Existing internal audit resources support appropriate manager
response to compliance risk.
IAUD +/-
Deductive
Existing compliance program management supports appropriate
manager response to compliance risk.
MAN +/-

CLOSING THE COMPLIANCE GAP

159
159

Appendix G
Survey Data

Item No. Median Range Minimum Maximum Count
14 70 100 0 100 21
15 50 100 0 100 21
16 50 100 0 100 21
17 70 100 0 100 21
18 70 100 0 100 21
19 90 100 0 100 21
20 80 100 0 100 21
21 5 2 3 5 20
22 5 4 1 5 20
23 4 4 1 5 20
24 4 4 1 5 19
25 3 4 1 5 20
26 3 4 1 5 20
27 80 70 30 100 21
28 80 70 30 100 21
29 90 100 0 100 21
30 80 100 0 100 21
31 80 100 0 100 21
32 90 70 30 100 21
33 80 100 0 100 21
34 5 2 3 5 21
35 5 2 3 5 21
36 4 4 1 5 21
37 4 4 1 5 21
38 2 3 1 4 21
39 2 4 1 5 21

CLOSING THE COMPLIANCE GAP

160
160
Appendix H
Example EHS Asynchronous Knowledge Assessment for Personal Protective Equipment (PPE)
(Online; Immediate Evaluation)

Select the best answer to the following quiz items.
Level Item
L2
Declarative
Knowledge
1. Using defective PPE is always better than wearing no PPE at all.
a. False
b. True
L2
Declarative
Knowledge
2. You notice a tear on the arm of your disposable lab coat. What should you do?
a. Discard it immediately
b. Discard it after you use it
c. Continue to reuse it since the tear is small
d. Put tape over the tear and continue to use it
L2
Procedural
Knowledge/Skill
3. According to the Centers for Disease Control (CDC), the procedure for putting on
PPE should generally follow a sequence. Drag and drop the items below into the
correct order for putting on PPE.
a. Mask or respirator
b. Gown or Lab Coat
c. Goggles or Face Shield
d. Gloves
L2
Declarative
Knowledge
4. You are working with air or water reactive chemicals. Which gloves are most
appropriate for your work?
a. Heavy duty nitrile gloves
b. Terrycloth gloves
c. Cryogen glove
d. Disposable nitrile gloves
L2
Declarative
Knowledge
5. Which of these respirators DOES NOT require fit testing? Select all that apply.
a. Surgical mask
b. PAPR
c. N-95
d. Half Face
e. Full Face

CLOSING THE COMPLIANCE GAP

161
161
Appendix I
Example ITS Asynchronous Knowledge Assessment for Information Technology Security (ITS)
(Online; Immediate Evaluation)

Select the best answer to the following quiz items.
Level Item
L2
Declarative
Knowledge
6. When you sign into a website with something you know (your password) and
something you have (a code sent to your phone), this is called:
a. Two-step verification
b. One-step verification
c. Encryption
d. Single-sign on
L2
Declarative
Knowledge
7. When leaving your device in a car when is the best time to hide it?
a. Before arriving at my destination
b. After arriving at my destination
c. Anytime, as long as it is a good hiding spot
d. It is unacceptable to leave my device in a car
L2
Declarative
Knowledge
8. You are finally changing your password. You write it on a sticky note and bring it
with you so that you don't forget it.
a. This was a bad idea and a security risk
b. This wasn’t a great idea, but better than locking yourself out of your
computer
c. This is a good idea because you will be able to log in to your account
L2
Declarative
Knowledge
9. What is phishing?
a. The attempt to obtain sensitive information by masquerading as a
trustworthy entity in an electronic communication
b. A process in which the credentials provided are compared to those on file
in a database of authorized users' information
c. A piece of code that is capable of copying itself and typically has a
detrimental effect, such as corrupting a system or destroying data
L2
Procedural
Knowledge/Skill
10. You receive an email from your bank asking you to click a link and verify personal
information. What is the most appropriate action to take?
a. Use the contact information on a bank statement to call the bank and
verify legitimacy
b. Click the link and follow instructions; you don’t want your account to be
shut down
c. Use the contact number listed in the email to call the bank and verify
legitimacy
d. Open the attachment on the email to verify legitimacy

CLOSING THE COMPLIANCE GAP

162
162
Appendix J
Lunch and Learn Facilitator Observations (Immediate Evaluation)

Lunch and Learn Topic: _________________________________________________________

Number of attendees/participants: _________ (attach sign-in sheet)

Complete In-Session: Facilitator Observations
Level 2 Items Facilitator Observations
Learning
Goal(s)
Supported
Declarative Knowledge “I know it.”
Knowledge checks through partner
discussions
• Can participants identify compliance
risks? Which risks?
• Can participants identify appropriate
responses to risks? Which responses?

1,2,4
Procedural Skills “I can do it right now.”
Quality of the feedback from peers during
group sharing
• Can participants identify how to
implement compliance risk responses?
Which risks and responses?
• If prompt needed, ask “what would
you do to respond to X risk?”

3,4
Attitude “I believe this is worthwhile.”
Discussions of the value of appropriate
compliance risk response
• Do participants seem to see value in
responding appropriately to
compliance risks?
• If prompt needed, ask “what value is
there in responding appropriately?”

5
Confidence “I think I can do it on the job.”
Discussions following practice and
feedback
• Do participants seem to be confident
about responding appropriately to
compliance risks?
• If prompt needed, ask “are you feeling
more confident about responding?”

6
Commitment “I will do it on the job.”
Discussions following practice and
feedback
• Do participants express commitment
toward responding appropriately to
compliance risk?
• If prompt needed, ask “how
committed are you to responding
appropriately to compliance risk?”

5,6
CLOSING THE COMPLIANCE GAP

163
163

Level 1 Items Facilitator Observations
Engagement
Do participants seem to be engaged in the
session discussion and activities?

Relevance
Do the session topics seem relevant to
participants?
• If prompt needed, ask “how do the
risks discussed relate to your work?”

Complete Post-Session: Overall session effectiveness based on facilitator observations above
(select a level for each item)
Level 1 &2 Items

Poor

Fair

Good
Excellent
Declarative Knowledge - Risks (L2) 1 2 3 4
Declarative Knowledge - Responses (L2) 1 2 3 4
Procedural Skills (L2) 1 2 3 4
Attitude (L2) 1 2 3 4
Confidence (L2) 1 2 3 4
Commitment (L2) 1 2 3 4
Engagement (L1) 1 2 3 4
Relevance (L1) 1 2 3 4

Which areas should be improved before the next Lunch and Learn session based on your
observations?

CLOSING THE COMPLIANCE GAP

164
164
Appendix K
Post “Lunch and Learn” Participant Survey (Immediate Evaluation)

Respond using the scale below:

_____ How would you rate your level of confidence regarding the covered topics before the
session? (L2 Confidence)

_____ How would you rate your level of confidence regarding the covered topics after the
session? (L2 Confidence)

If you answered disagree/strongly disagree to the previous question, why do you not feel
confident? (L3 Drivers)
a) I do not have the necessary knowledge and skills.
b) I do not have a clear picture of what is expected of me.
c) I have other, higher priorities.
d) I do not have the necessary resources to apply what I learned.
e) I do not have the support to apply what I learned.
f) I don’t think what I learned will work.
g) There is not an adequate system of accountability to ensure application of what I
learned.
h) Other (please explain):

Please answer the following questions about this Lunch and Learn session
Level Item
Strongly
Disagree
Disagree
Agree
Strongly
Agree
L2
Attitude/Value
I believe it will be worthwhile for
me to apply what I learned in my
work.
1 2 3 4
L2
Commitment
I am committed to applying what I
learned to my work.
1 2 3 4
L1
Engagement
I was well engaged during the
session.
1 2 3 4
L1
Engagement
It was easy for me to get actively
involved during the session.
1 2 3 4
L1
Relevance
I was given ample opportunity to
get answers to my questions.
1 2 3 4
CLOSING THE COMPLIANCE GAP

165
165
L2
Procedural
Knowledge/Skills
I was given ample opportunity to
practice the skills I am asked to
learn.
1 2 3 4
L1
Relevance
I am clear about what is expected
of me as a result of this session.
1 2 3 4
L1
Satisfaction
I was comfortable with the
duration of the session.
1 2 3 4
L1
Satisfaction
I will recommend attending
compliance Lunch & Learns to my
co-workers.
1 2 3 4

Open ended: From what you learned, what do you plan to apply back at your job? (Predictive L3
behaviors)

CLOSING THE COMPLIANCE GAP

166
166
Appendix L
Periodic Survey (Delayed Evaluation)

Please note that electronic distribution enables branching. Branching customizes the behavior of
the survey based on respondent answers creating a cleaner user interface.

Respond using the scale below:

Rate how confident you are that you can do the things listed below by entering the appropriate
number in the space provided. (L2 Knowledge, Procedural Skills, Confidence)

I can… (0-100)

_____ Identify [specify program] compliance risks within the area(s) I work in.

If you answered less than 75, what factors impact your confidence? Select all that apply. (L3 Drivers)
a) I do not have the necessary knowledge and skills.
b) I do not have a clear picture of what is expected of me.
c) I have other, higher priorities.
d) I do not have the necessary resources for this knowledge/skill.
e) I do not have adequate support for this knowledge/skill.
f) There is not an adequate system of accountability for this knowledge/skill.
g) I am not adequately rewarded for this knowledge/skill.
h) Other (please explain):

I can… (0-100)

_____ Identify appropriate responses to [specify program] compliance risks within the area(s) I
work in.

If you answered less than 75, what factors impact your confidence? Select all that apply. (L3 Drivers)
a) I do not have the necessary knowledge and skills.
b) I do not have a clear picture of what is expected of me.
c) I have other, higher priorities.
d) I do not have the necessary resources for this knowledge/skill.
e) I do not have adequate support for this knowledge/skill.
f) There is not an adequate system of accountability for this knowledge/skill.
g) I am not adequately rewarded for this knowledge/skill.
h) Other (please explain):

I can… (0-100)

_____ Implement appropriate responses to [specify program] compliance risks.

CLOSING THE COMPLIANCE GAP

167
167
If you answered less than 75, what factors impact your confidence? Select all that apply. (L3 Drivers)
a) I do not have the necessary knowledge and skills.
b) I do not have a clear picture of what is expected of me.
c) I have other, higher priorities.
d) I do not have the necessary resources for this knowledge/skill.
e) I do not have adequate support for this knowledge/skill.
f) There is not an adequate system of accountability for this knowledge/skill.
g) I am not adequately rewarded for this knowledge/skill.
h) Other (please explain):

Rate your agreement or disagreement to following statements. (L1 Attitude/Value, Commitment)
Item Strongly
disagree
Disagree Agree Strongly
agree
Being able to respond appropriately to [specify program]
compliance risks is important to me.
1 2 3 4
I like being able to appropriately respond to [specify
program] compliance risks.
1 2 3 4
Appropriately responding to [specify program] compliance
risks is integral in my goal achievement.
1 2 3 4
Appropriately responding to [specify program] compliance
risks is integral in my company’s goal achievement.
1 2 3 4
Appropriately responding to [specify program] compliance
risk is difficult.
1 2 3 4
Appropriately responding to [specify program] compliance
risk is a priority.
1 2 3 4
I am committed to appropriately responding to [specify
program] compliance risk.
1 2 3 4

CLOSING THE COMPLIANCE GAP

168
168
Respond to the following statements using the scale below: (L3 Critical Behaviors, Drivers)
1 – Rarely or never
2 – Sometimes
3 – Regularly
4 – Every day

_____ I apply knowledge about [specific program] compliance risks in my work.

If you selected 3 or 4 for the previous question, rate the contribution of each of the following
factors to your effective performance.
Drivers No
contribution
Low
contribution
Medium
contribution
High
contribution
Documentation 1 2 3 4
Job aids 1 2 3 4
Lunch and Learn training sessions 1 2 3 4
Reminders through various mediums such as
printed newsletters, email, etc
1 2 3 4
Feedback and coaching from compliance program
leaders
1 2 3 4
Leadership role models 1 2 3 4
Public acknowledgment 1 2 3 4

_____ I apply knowledge about the appropriate response to [specify program] compliance risks
in my work.

If you selected 3 or 4 for the previous question, rate the contribution of each of the following
factors to your effective performance.
Drivers No
contribution
Low
contribution
Medium
contribution
High
contribution
Documentation 1 2 3 4
Job aids 1 2 3 4
Lunch and Learn training sessions 1 2 3 4
Reminders through various mediums such as
printed newsletters, email, etc
1 2 3 4
Feedback and coaching from compliance program
leaders
1 2 3 4
Leadership role models 1 2 3 4
Public acknowledgment 1 2 3 4

CLOSING THE COMPLIANCE GAP

169
169
_____ I implement appropriate responses to compliance risks in my work.

If you selected 3 or 4 for the previous question, rate the contribution of each of the following
factors to your effective performance.
Drivers No
contribution
Low
contribution
Medium
contribution
High
contribution
Documentation 1 2 3 4
Job aids 1 2 3 4
Lunch and Learn training sessions 1 2 3 4
Reminders through various mediums such as
printed newsletters, email, etc
1 2 3 4
Feedback and coaching from compliance program
leaders
1 2 3 4
Leadership role models 1 2 3 4
Public acknowledgment 1 2 3 4

CLOSING THE COMPLIANCE GAP

170
170
Appendix M
Blended Evaluation Tool and Quarterly Reporting Dashboard
(Delayed Evaluation)

Items Target Actual Previous
Evaluation
Period
Status
(see key
below)
External Outcomes (L4) – This is an organizational goal
Regulatory noncompliance findings Zero

Regulatory noncompliance fines Zero

Internal Outcomes (L4) – This is an organizational goal
Increased employee adherence to
organizational compliance standards and
processes
Decrease in reports of
noncompliance from
previous evaluation
period

Critical Behaviors (L3) -These support the desired outcomes
Metric key: Median self-efficacy score ≥ 75, all self-efficacy scores ≥ 50
Identify compliance risks 100% pass rate on
asynchronous quizzes;
75/50

Identify appropriate responses to
compliance risks
100% pass rate on
asynchronous quizzes;
75/50

Implement appropriate responses to
compliance risks
Performance
assessment data;
75/50

Required Drivers (L3) – These support critical behaviors
Metric key: Identified as an asset or barrier based on qualitative data, median survey/facilitator rating ≥ 3, survey/facilitator rating range ≤ 2
Documentation Asset;
≥ 3/≤ 2

Job aids Asset;
≥ 3/≤ 2

Lunch and Learn training sessions Asset;
≥ 3/≤ 2

Reminders through various mediums such
as printed newsletters, email, etc.
Asset;
≥ 3/≤ 2

Feedback and coaching from compliance
program leaders
Asset;
≥ 3/≤ 2

Leadership role models Asset;
≥ 3/≤ 2

Public acknowledgment Asset;
≥ 3/≤ 2

CLOSING THE COMPLIANCE GAP

171
171
Learning Components (L2) – These evaluate learning goals, which support critical behaviors
Metric key: Median self-efficacy score ≥ 75, all self-efficacy scores ≥ 50, median survey/facilitator rating ≥ 3, survey/facilitator rating range ≤
2
Declarative knowledge 75/50;
≥ 3/≤ 2

Procedural skills 75/50;
≥ 3/≤ 2

Attitude/Value 75/50;
≥ 3/≤ 2

Confidence/Self-Efficacy 75/50;
≥ 3/≤ 2

Commitment 75/50;
≥ 3/≤ 2

Program Reactions (L1) - These reflect reception of program components
Metric key: Median self-efficacy score ≥ 75, all self-efficacy scores ≥ 50
Engagement ≥ 3/≤ 2

Relevance ≥ 3/≤ 2

Learner Satisfaction ≥ 3/≤ 2

Status Key:

On track, all is well

There is a problem, but we have a plan to improve performance

There is a problem and at this time we do not have a plan to improve performance

Abstract (if available)

Abstract Pharmaceutical companies must have comprehensive compliance programs to support the product development pipeline. The purpose of this study was to use Clark and Estes’ (2008) gap analysis framework to evaluate the knowledge, motivation, and organizational (KMO) influences among pharmaceutical company managers that impact their appropriate response to compliance risks in two organizational compliance programs: information technology security (ITS) and environmental, health, and safety (EHS). Assumed KMO influences, supported by the literature, were investigated through convergent parallel mixed methods design, including quantitative survey data collection and qualitative examination of existing data within the study setting. Assumed KMO influences were validated through descriptive statistical analysis and qualitative analysis. In addition to manager needs, this study explored how to revise current organization practices to facilitate appropriate manager response to ITS and EHS compliance risks. A comprehensive program to improve ITS and EHS compliance risk response is presented along with an evaluation plan to monitor effective application of recommended interventions, based on the New World Kirkpatrick Model (Kirkpatrick & Kirkpatrick, 2016). The resulting recommendations in Chapter 5 are designed to increase critical compliance behaviors among managers and facilitate desired organizational compliance outcomes.

Linked assets

University of Southern California Dissertations and Theses

Conceptually similar

PDF

Compliance and regulatory efficacy and sustainability in specialty academic medicine: a longitudinal evaluation study

PDF

Organizational agility and agile development methods: an evaluation study

PDF

The utilization of data analytics in the entertainment sector

PDF

Creating the conditions for change readiness in higher education: an innovation study

PDF

Closing the Native American employment gap: an evaluation of the influences impacting the Native American employment rate

PDF

Effects of mentoring on public school administrators: an evaluation study

PDF

Knowledge, motivation and organizational influences impacting recruiting practices addressing the gender gap in the technology industry: an evaluation study

PDF

Raising special needs: an evaluation study of respite care for medically fragile children living with autism and other illnesses

PDF

Collective Impact: a framework to advance health promotion in higher education

PDF

A gap analysis of course directors’ effective implementation of technology-enriched course designs: An innovation study

PDF

Factors contributing to student attrition at a healthcare university: a gap analysis

PDF

Establishing a systematic evaluation of positive behavioral interventions and supports to improve implementation and accountability approaches using a gap analysis framework

PDF

The role of middle manager alignment in achieving effective strategy execution: an evaluation study

PDF

A qualitative examination of the methods church leaders use to increase young adult attendance in Christian churches: an evaluation study

PDF

Principals’ impact on the effective enactment of instructional coaching that promotes equity: an evaluation study

PDF

The role of higher education in bridging workforce skills gaps: an evaluation study

PDF

The moderating role of knowledge, motivation, and organizational influences on employee turnover: A gap analysis

PDF

Stop the revolving door: the influence of emotionally intelligent leadership practices on employee retention in non‐profit human service organizations

PDF

Human error risk reduction in aviation: an evaluation study

PDF

Knowledge, motivation, and organizational influences within leadership development: a study of a business unit in a prominent technology company

Asset Metadata

Creator Kizer, Amanda (author)

Core Title Closing the compliance gap: an evaluation of influences impacting appropriate compliance risk response among pharmaceutical company managers

Contributor Electronically uploaded by the author (provenance)

School Rossier School of Education

Degree Doctor of Education

Degree Program Organizational Change and Leadership (On Line)

Publication Date 10/10/2017

Defense Date 09/25/2017

Publisher University of Southern California (original), University of Southern California. Libraries (digital)

Tag Compliance,environmental health and safety,information technology security,KMO,manager,OAI-PMH Harvest,pharmaceutical

Language English

Advisor Maddox, Anthony (committee chair), Ferguson, Holly (committee member), Yates, Kenneth (committee member)

Creator Email akizer@usc.edu,amandakizer1@gmail.com

Permanent Link (DOI) https://doi.org/10.25549/usctheses-c40-444039

Unique identifier UC11264459

Identifier etd-KizerAmand-5836.pdf (filename),usctheses-c40-444039 (legacy record id)

Legacy Identifier etd-KizerAmand-5836.pdf

Dmrecord 444039

Document Type Dissertation

Rights Kizer, Amanda

Type texts

Source University of Southern California (contributing entity), University of Southern California Dissertations and Theses (collection)

Access Conditions The author retains rights to his/her dissertation, thesis or other graduate work according to U.S. copyright law. Electronic access is being provided by the USC Libraries in agreement with the a...

Repository Name University of Southern California Digital Library

Repository Location USC Digital Library, University of Southern California, University Park Campus MC 2810, 3434 South Grand Avenue, 2nd Floor, Los Angeles, California 90089-2810, USA