Violations
The Violations module governs declared compliance violations: events where your organization has breached an obligation, a policy, a regulation, or a contractual commitment. Each violation has a declaration, an investigation, a remediation, and (sometimes) a reportability decision to a regulator or counterparty.
This module is distinct from Incidents (operational events) and Findings (gaps to fix). A violation is a confirmed breach with formal recognition. It typically intersects with incidents and findings, but its identity is the breach itself.
When you would reach for this
You set up violations when:
- A confirmed compliance breach needs a formal declared record distinct from the underlying incident or finding.
- A regulator notification is required upon breach declaration.
- A contractual breach with a customer or counterparty needs governed handling.
- A policy breach (employee, contractor, vendor) needs a documented investigation and outcome.
- A pattern of breaches needs to be tracked over time for risk and trend reporting.
You don’t reach for this for an operational incident that may or may not turn out to be a violation. The incident is in Incidents; if it is found to have caused a breach, a violation is then declared and linked.
What lives in the module
Multiple record types:
- Declared violation is the central record: scope, classification (regulatory, contractual, policy, ethical), severity, declaration time, owner.
- Investigation record captures the structured investigation: scope, methodology, evidence, conclusions.
- Remediation record captures the remediation actions, owners, and verification.
- Reportability decision captures the formal decision on whether and how to report the violation (regulator, counterparty, board, customers).
- External notification record captures any notification actually sent to a regulator or counterparty.
A worked example: a consumer-goods company governs a product-compliance breach
A consumer-goods company manufactures cosmetics sold globally. Each market has its own product-ingredient compliance regime. A routine internal audit discovers that a batch of a popular product shipped to several markets contained a substance restricted in two of those markets. The cause was a supplier substitution that wasn’t flagged through the change process. This is a compliance breach. The compliance director, Esra, sets up a violation like this.
Step 1: declare the violation. Esra creates a declared violation:
- Classification: regulatory (product ingredient compliance).
- Severity: high (multiple markets affected, regulatory thresholds breached).
- Scope: the product batch and the markets affected.
- Owner: herself, with co-owners for legal, regulatory, and the affected market organizations.
- Declaration time: the audit’s detection time.
Step 2: investigate. The investigation record captures:
- Scope: which batches, which markets, how the substitution occurred.
- Methodology: supplier records review, batch traceability, ingredient lab analysis.
- Evidence: supplier change documentation, internal change records, lab results, distribution records.
- Conclusions: root cause (supplier change not flagged), contributing factors (change-management gap, supplier qualification gap), affected scope (specific batches in specific markets).
Step 3: reportability decisions. For each affected market, the legal and regulatory team makes a reportability decision:
- Market A: regulator notification required within a defined window (the regime mandates immediate reporting).
- Market B: regulator notification required within a longer window (the regime allows a planned response window).
- Markets C and D: not affected (regulatory threshold not breached in those markets despite shipment).
Each decision is captured with rationale.
Step 4: external notifications. The team prepares notifications for Markets A and B through Submissions, with the violation as the trigger. Each submission is governed through its standard flow.
Step 5: remediation. Remediation records capture the actions taken:
- Product recall in the affected markets.
- Process correction (change-management gap closed, supplier qualification process tightened).
- Customer communication.
- Verification of remediation completion.
Remediation creates findings for the change-management and supplier-qualification gaps.
Step 6: closure. The violation is closed when the investigation is complete, reportability decisions are documented, notifications are delivered, and remediation is verified.
After resolution:
- The violation record is the durable single source of truth on the breach.
- All linked records (incident, findings, submissions, remediation) reference it.
- Trend reporting can examine violations by classification, market, and root cause over time.
What you’ll see in the product
Violations lives under Governance → Violations in the workspace.
Multiple tabs: Active Violations, Recent Closed, By Classification, Reportability Queue.
Inside a violation: investigation record, reportability decisions, external notification records, remediation records, linked incidents, findings, and submissions.
Every change is captured in the workspace Audit Log.
Common workflows
Declaring a violation
- Violations → Declare. Classification, severity, scope, owner.
- Open an investigation record.
- Walk the investigation through scope, methodology, evidence, conclusions.
Reportability
- From the violation, create a reportability decision per affected regulator or counterparty.
- Decide and document.
- For decisions to notify, create a submission package linked to the violation.
Remediation
- Create remediation records for each action.
- Track owner, due date, verification.
- Underlying gaps that need a program-level fix become findings.
Closure
- Verify investigation conclusions are accepted.
- Verify reportability decisions are executed.
- Verify remediation is complete and verified.
- Close the violation.
Related
- Incidents - incidents may surface violations.
- Findings - remediation actions tied to violations become findings.
- Submissions - regulator notifications are submissions.
- Obligations - violations are typically breaches of obligations.
- Risks - patterns of violations can become risks.