Compliance program assessments: the basics

Justice Holmes famously said, “The life of the law has not been logic: it has been experience.” But when it comes to compliance and ethics (“C&E”) programs, both law and experience matter.

To an extent never previously seen, companies are assessing their C&E programs. The main reason is that the government – meaning, in the first instance, the United States government, but increasingly the governments of other countries as well – has issued various policy statements strongly encouraging business organizations to take this step. Additionally, experience has taught companies that assessments can be an invaluable way of doing what’s right and avoiding what’s wrong.

This posting will provide a short overview of how to assess your program.

What is a C&E program assessment?

An assessment is a review of policies, procedures and organizational culture regarding C&E.  Note that there are also other forms of C&E checking that can overlap with assessments. For example, program and risk assessment can overlap with auditing.

Program assessments are generally comprised of interviews and document reviews. Sometimes focus groups and/or surveys are part of the assessment process, too.

Ideally, interviews are conducted of both senior company officials and staff (e.g., law, compliance, human resources, finance, audit, controls, logistics, security and others), as well as the chair of the audit committee. Additionally, interviews of rank-and-file employees should be conducted where practical, although this is not always the case. Interviews can also be conducted of third parties, such as a company’s law firm that handles compliance-related matters.

The number of interviewees in an assessment is driven by a variety of factors. However, as a general matter, 40 to 50 interviews should be adequate for most assessments.

Interviews should be confidential, meaning interviewees should be instructed that they are not to discuss the assessment with anyone else. A company should also give serious consideration to conducting the assessment under the attorney-client privilege. On the one hand it adds a layer of confidentiality to the process, which should help promote candor on the part of the interviewees. On the other hand, a privileged assessment may be more difficult to share if one also seeks to preserve the attorney-client privilege.

Yet another layer of confidentiality is to instruct interviewees that the company will not disclose the source of comments except where it is facing a true exigency. In my experience this safeguard can be very helpful in promoting candor in interviews.

What to assess.

Among the areas of focus of an assessment is the culture of the organization. To my mind, the following should be included:

First, there are the ethics culture mainstays, which need no introduction.

– Tone at the top.

– Tone in the middle.

– Speak up culture.

– Undue pressure.

– “Organizational justice.”

Second, there is the view of C&E by employees. Note that the inclusion of this factor stems in part from a finding in the high-profile WorldCom case many years ago that the denigration of compliance and law department personnel contributed to the massive fraud at issue in that case.

Third is the extent to which employees identify with their company and its mission. Unlike the other cultural attributes, this one is a “two-edged sword.” On the one hand, such identification should make employees less risk-taking because presumably they would not want to cause harm to an entity that they admire. On the other hand, strong feelings about a company can have the opposite effect of leading employees to commit acts of blind loyalty to bad individuals, entities or causes.

Policies and procedures

In addition to reviewing culture, a program assessment should cover all the key policies and procedures in the program. These include program oversight by the board of directors and executives; management of the compliance department; the role of other staff departments in the program; any functions outside the compliance department that play an important role in the program (e.g., ethics liaisons); risk assessment; training and communication; concerns reporting; investigations; discipline; remedial measures; auditing and monitoring; assessment and incentives.

In my experience, the areas most likely to provide “low hanging fruit” are monitoring and incentives. But each assessment will be different.

The criteria used for each aspect of the interviews will vary. However, criteria for efficacy generally include C&E program resources, clout, independence and reach.

The Report

In conducting interviews on these topics, one should, of course, strive to identify not just positive findings but also opportunities for improvement. However, one should generally address recommendations in a non-dramatic tone, because those will be easier for a company to implement.

One should also, where possible, present the assessment to the board or management committee along with a plan for implementing the recommendations.

Moreover, it is also important to distinguish between recommendations to be implemented as soon as reasonably possible versus those which can be implemented “in the long term.” There is no generally accepted period of time for this. But one year would seem to be sufficient for most companies.

 
