by Joe Murphy
Over the years I have heard the Sentencing Guidelines standards erroneously dismissed as using an outdated “command and control” approach. The Guidelines come from an admittedly odd place[1], but they are far from being either legalistic or based on command and control. Anyone who takes the time to read them can see what they are: directions on how to apply management steps to achieve compliance in organizations.
The Guidelines as issued in 1991 were well-done and provided the first broad-based soundly developed guidance on creating compliance programs. But the revised version, issued in 2004, went beyond well-done and reached the level of brilliance.
There were a number of key innovations in 2004, any one of which was an enormous step forward (e.g., adding reference to “culture,” including “ethics,” adding incentives) but here I will pick just one, summed up in one word: “evaluate.”[2] The Guidelines, following the commitment to using practical management steps, made clear that any effective management system needs to include evaluation of whether and how the steps were actually working. Although in hindsight this is obvious, it was not so prior to 2004.
Very strangely this is one of the key elements required in the Sentencing Guidelines standards that academic critics, who often seemed to view the Guidelines with disdain, either simply ignored or dismissed without commentary.
Even more mysterious is why those who deal with another key compliance area – prevention of sexual harassment – have completely ignored this element. The first prominent example is the state of California, which dictated how much harassment training was needed and how often (two hours, every two years). If anything would cry out for evaluation of efficacy, this is it. Yet nowhere in the California law is this required. Even with the #metoo movement, which would seem to have served as proof that the old ways did not work sufficiently, no one in government bothered to address this terrible absence. Instead, the failed model of California was adopted in places like New York state and New York City. Training and policies were mandated, perhaps on the theory that if something was not working you just do more of it. Was there even one word about evaluation? No, not one. Were these governmental bodies serious about preventing harassment? I remain deeply skeptical. If they would not go so far as to add a simple sentence, such as requiring that all anti-harassment steps be evaluated for effectiveness, then I cannot be convinced that this was anything more than legal theatre, meant to look good while changing nothing.
I had a personal experience in how easy this is to include in a legal standard. At one time I represented the SCCE as a consultative partner to the OECD’s Working Group on Bribery, when it was developing its first Good Practice Guidance relating to compliance and controls. An early version of this Guidance did not include evaluation. I simply suggested this, drawing from the Sentencing Guidelines model, and the importance of this point was so obvious that it quickly became item 12 of that version of the standards. (It is still in the newer, renumbered standards.).
How does an organization evaluate whether something works or is effective? This is what management is about. You do not waste resources. You make sure what you are doing gets a return. There are numerous tools that can be and are applied to this task. But if the law or the standards for compliance programs do not even suggest this, then it becomes much less likely to happen.
The addition of “evaluate” was not the only reason the 2004 revised Guidelines were brilliant. (Simply adding “incentives” would have merited much fanfare and celebration). But it sets a model for all those who deal in this field. If you are a good manager and a good compliance professional then you always need to be evaluating whether what you are doing is actually working. It is good for you professionally, good for your client, and necessary to meet any well-drafted compliance program standards.
Next year the 2004 revisions will have their 20th anniversary. I believe our field is better for the quiet, well-developed work that the Sentencing Commission did then. Like many great ideas, bringing evaluation into the picture seems blindingly obvious today. It is a step that should be on all our to-do lists.
[1] The US Sentencing Commission’s staff, an administrative agency within the Federal Judiciary.
[2] “(5) The organization shall take reasonable steps— . . .
(B) to evaluate periodically the effectiveness of the organization’s compliance and ethics program;”
Search the site
While some organizations bar conflicts of interest in all cases, many opt for allowing COIs to exist where appropriate. But how should appropriate be defined for these purposes?
Attending SCCE conferences is always a source of insights and new information. In these conferences I have seen quite a bit of focus on data analytics, and deservedly so.
The first time I saw Kristy Grant-Hart she put on a show about magic compliance dust and then brought the audience to reality by breaking the news that there is
In our years of assessing compliance and ethics (C&E) programs, my partner Jeff Kaplan and I have pinpointed several key attributes that we consider essential to an effective program, including