by Rebecca Walker
Although I am passionate about compliance, it can be a frustrating field. Regardless of how effectively a compliance program is designed and implemented, violations will inevitably occur. As the Department of Justice and Securities and Exchange Commission stated in their Resource Guide to the Foreign Corrupt Practices Act, “Compliance programs that do not just exist on paper but are followed in practice will inevitably uncover compliance weaknesses and require enhancements.” In compliance – as in life – there is scant possibility of perfection, but that’s okay so long as we put ourselves on the path of continuous improvement. That’s where program assessment comes in.
Benefits of Performing a Compliance Program Assessment
There are many practical benefits to conducting compliance program assessments. The primary aim of assessment is, of course, to identify opportunities to improve the program. This could mean both identifying practices to be implemented and identifying areas to cut back or redirect. Assessments can also result in documentation of good practices, which can help ensure that the company doesn’t cut back on them and can lead to formalizing those practices. To this extent, assessments can serve as a commitment device, helping a program maintain momentum.
In difficult situations, assessment reports can also serve as a “road map” for getting program credit in an investigation or enforcement action. And they are certainly something that prosecutors and regulators expect. They are also built into government expectations for compliance programs, such as those found in the Sentencing Guidelines and in the Department of Justice memorandum on Evaluation of Corporate Compliance Programs.
Companies with robust compliance programs continuously assess their programs through various means, including risk assessments, root cause analysis of violations, and auditing and monitoring. There is nonetheless unique value in conducting an independent, third-party assessment. Third-party assessments provide greater independence, of course. And, because professionals who conduct assessments typically work with a wide variety of companies, they have a breadth of knowledge and expertise regarding compliance practices that can make for a more robust assessment.
External assessments that are conducted by attorneys may be more likely to be protected by the attorney-client privilege. In addition, an independent assessment creates the possibility of conducting assessments on a non-attribution basis, which can lead to more candid interviews. (When we conduct interviews on a non-attribution basis, we agree with the company ahead of time and inform each employee at the beginning of interviews that—absent extraordinary circumstances—we will not attribute comments to any specific employees. In addition to more candid interviews, non-attribution helps protect the integrity of the compliance assessment process.)
The core components of a traditional program assessment are document review, interviews, and some combination of surveys and focus groups. Those interviewed typically include compliance personnel, members of the Legal, HR, Internal Audit, Security and other control functions, and Operations. The assessment also typically includes interviews of senior leaders and relevant members of the board of directors about their role in and perceptions of the program. In addition to gathering information, interviews can serve an important educational purpose for the interviewees.
Assessments may also involve review and analysis of program data, and more in-depth assessments may include testing of compliance controls. The goal of the information gathering process is to obtain a good understanding of how the program is designed, how it is being implemented, and how it is perceived by employees.
The documents reviewed include descriptions of how the program is designed and implemented, such as program charters, compliance committee charters, job descriptions, org charts, helpline protocols, investigation protocols, risk assessment procedures, disciplinary guidelines, reports to the relevant board oversight committee, training and communications materials, and helpline and investigations data.
In order to understand the compliance culture of an organization, it can be helpful to conduct employee surveys, focus groups or both. This can help the assessor answer one of the most important questions in a program assessment – has the program managed to reach employee hearts and minds?
Once sufficient information has been collected, the assessor uses appropriate standards (including good practices) to formulate recommendations. These should be reviewed verbally with the compliance team prior to providing a draft report.
The assessment process should result in useful, practical recommendations for advancing a compliance program. The report typically includes (1) a description of the assessment methodology; (2) legal standards used; (3) a lengthy description of the program, including positive attributes that were identified during the assessment; and (4) recommendations. Examples of recent recommendations that have come from assessments include that the company develop an escalation protocol to specify how compliance concerns and reports should be escalated and how quickly, and that the charter of the audit committee be modified to require meetings in executive session with the chief compliance officer. The number and significance of recommendations will vary, but the core objective remains the same: to facilitate continuous improvement. In our compliance programs, and in our lives, that is the best place to be.