Rights and Responsibilities: participant protection as a working system.
This domain is not satisfied by aspirational language. Auditors test whether protections function in real time: through visibility, responsiveness, and oversight.
6 min read
The Rights and Responsibilities domain exists to ensure participant dignity, autonomy, and safety. It is not satisfied by aspirational language. It requires operational evidence.
Auditors assess whether participant protections function in real time. They expect to see accessible rights information, structured complaint mechanisms, and clearly defined incident management pathways. They also examine whether patterns are analysed and whether leadership is informed of emerging risks.
What auditors actually examine.
A consent process that is documented is necessary, but not sufficient. Auditors will sample a participant file and ask: was consent obtained, recorded, and revisited at the right intervals? Is it accessible in a format the participant could understand?
Complaints are similar. The register exists. The question is whether it is live, whether response timeframes are defined, whether categories are tracked, and whether outcomes are documented, not just recorded.
Beyond logging: the analysis chain.
A mature structure does more than log complaints. It identifies themes, monitors response timeframes, evaluates root causes, and records systemic changes. Incident data should not sit in isolation. It should inform enterprise risk updates and governance discussions.
Participant protection is demonstrated through visibility, responsiveness, and oversight, not through the existence of the policy that describes it.
The 12-month trend diagnostic.
Here is a simple internal test that reveals structural maturity. Ask your team to generate a twelve-month complaint trend report in under thirty minutes, and to describe, in a paragraph, what changed in the organisation as a result of those complaints.
If they cannot produce the report, the issue is not documentation. It is system integration. If they can produce the report but cannot describe what changed, the issue is the loop between feedback and practice. Both are findings waiting to be written.
Where to start.
Pull your last 12 months of complaints. Group them by category. Identify the top three themes. For each theme, ask: did anything change as a result? If the answer is no for any of them, that's your first improvement cycle.