One of the many sessions I attended at the Society of Ethics & Compliance conference last week was about how to perform an assessment of your compliance program. The discussion was great and I took lots of those notes. So today let’s run through those notes on this important task for compliance officers.
We can begin with the elementary question of why assessing your program is important at all. On one level, that’s easy: because the U.S. Sentencing Guidelines and the Justice Department’s guidance on effective corporate compliance programs say so.
The Justice Department’s guidance, for example, directs prosecutors to “consider whether the company has engaged in meaningful efforts to review its compliance program and ensure that it is not stale.” The U.S. Sentencing Guidelines only specify that a company should “evaluate periodically the effectiveness of [its] compliance and ethics program” but we all grasp the point here. If you want to demonstrate to regulators that you have an effective compliance program, part of the job is to assess the performance of your program from time to time.
The two speakers at the SCCE discussion, however (Rebecca Walker of the law firm Kaplan & Walker and Steven Gyeszly, chief compliance counsel at Marathon Oil), stressed that compliance officers have many other good reasons to assess your compliance program. For example:
- Assessments establish a shared vision of the compliance program with your senior management team and the board. It’s a chance to tell them, “This is what we’re doing now; this is what we want to improve. Is everyone in agreement on that?”
- Assessments are also a device to commit yourself to improvement. That is, once you see where you come up short compared to some standard compliance framework, you know what you need to do to improve. You can even decide to tackle certain steps before others, but you can’t claim any longer that you don’t know what to do.
- Assessments demonstrate your seriousness of intent for ethics and compliance. That can impress potential business partners or large customers, who perhaps don’t want to do business with a questionable third party any more than you would.
More broadly, program assessments let you see what you might be able to do differently. They can find efficiencies, such as better due diligence or retooled internal reporting procedures. They can also help you fend off cost-cutters in the CFO’s office who might want to pare back your program, since you’d be better able to prove the program’s worth.
Sometimes a program assessment can even help you find a compliance violation. Better that you find those headaches early, rather than someone else find them later.
OK, the benefits of program assessment are many and wonderful. So how do you actually perform one?
Program Assessments in Practice
One challenge is simply deciding where to get started, since compliance programs have so many moving parts. Walker and Gyeszly recommended looking at your program from one of several different angles:
- Specific program elements and how well they work, such as training, program structure, remediation, investigations, monitoring, policy management, and more.
- Specific parts of the enterprise, such as a business function or a geographic unit. You could also assess the compliance program at a specific subsidiary or a newly acquired unit.
- Specific issues confronting your enterprise, such as anti-bribery, conflicts of interest, antitrust, privacy, or sanctions.
You also need to choose a benchmark against which to assess your program. The good news is you have plenty of choices. Some are exhaustively detailed frameworks, such as the NIST or PCI-DSS standards for cybersecurity; others are more general standards such as the COSO framework for internal control or the ISO standards for, well, anything. You could even assess your program against recent enforcement trends, industry benchmarks, or contract requirements.
Then someone needs to do the actual work of assessing. Gyeszly broke that process into four catchy phrases:
- Plan & scope
- Collect and obtain
- Analyze & assess
- Report and response
Another important point: choose the person assessing your compliance program carefully; a bad assessor who doesn’t understand your business or how to assess a compliance program, Walker warned, can lead to disastrous results that sink your compliance program.
The internal audit team (if your company has one) is one obvious choice to assess your compliance program. You can also hire consulting firms to perform the assessment, including law firms, audit firms, and boutique compliance consulting firms. Walker said she’s even seen conglomerates have the compliance teams from different subsidiaries assess each other’s programs.
And should your program assessment be done under attorney-client privilege? Ideally yes, Walker and Gyeszly said, since that can encourage senior executives participating in your assessment to speak more freely, and that’s what you want. On the other hand, remember that if you end up across the table from a regulator reviewing your compliance program, you might need to waive privilege to show the assessment to that regulator. That’s a delicate decision to be made carefully and in consultation with the general counsel.
When Everything Is Done
Every program assessment should result in a report of some kind outlining improvements you’d like to make — although that report doesn’t necessarily need to take the form of a long, written narrative. Walker said she’s seen some perfectly respectable reports that were PowerPoint decks recapping the work done, with a few recommendations appended to the end.
More important, she and Gyeszly said, is that your recommended improvements be feasible. The alternative is that you propose improvements that aren’t feasible, so they never come to pass — and that assessment with its never-implemented recommendations later emerges in discovery during litigation or an enforcement action. That leaves both you and your company in a very unflattering light.
One final bit of wisdom from Walker: the focus of an assessment, she said, “is not on perfection; it’s on continuous improvement… There is no expectation that your program is going to prevent every single legal violation. [Prosecutors] understand that even when you’re working really hard with your program, there are going to be missteps.”
Assessments are just the way to keep stepping forward.