Assessing an Ethics and Compliance Program
The Department of Justice on Feb. 8 released guidance entitled, “Evaluation of Corporate Compliance Programs,” which provides insight into how it evaluates the effectiveness of corporate compliance programs as the result of an investigation.
Although the department is reluctant to be precise about how it conducts evaluations, the recent guidance does provide a list of common topics and questions to expect if programs ever come under that level of scrutiny.
Without repeating all the points made in the guidance, there is one notable passage worth examining: “Continuous improvement, periodic testing and review: A company should be ready to discuss how it reviews and assesses the compliance program on an ongoing basis, including what, if any, internal audits or reports were conducted, how those were reported to management and what is the company’s process to continually monitor the compliance program.”
Whether a company’s ethics-and-compliance program has recently been formalized or the company has a mature system, an independent, third-party review is a good way to get an expert perspective about developments in the industry and insight into best practices. It also becomes a good test, external and independent, about the company’s culture of compliance.
There is always room for improvement in a compliance system and it is challenging to keep these programs fresh. One way to get objective feedback and input is by engaging an ethics-and-compliance expert to perform a benchmarking review of the company’s current system.
Completing a benchmarking exercise should also reinvigorate the company’s risk assessment process. It is important to consider the ethics-and-compliance risks specific to the company as the design and structure of the overall program are reviewed. For Jacobs, it was productive to use the benchmarking firm to conduct interviews of a diverse selection of functional and operational leaders to probe their views on the ethics and compliance risks in their part of the organization. Surveys can also be used to collect data from a larger population of managers.
One of the biggest challenges for a benchmarking review is finding the right expert to perform the work, as there is a plethora of firms available, but ultimately cost is the biggest consideration related to scope and expert selection. Jacobs interviewed four law firms with excellent credentials and ultimately selected a firm previously used by the company in the past — one that had a good understanding of the company’s organizational structure and culture.
The selected benchmarking firm should also identify the standards against which they will evaluate the ethics-and-compliance program. The obvious choice for companies based in the U.S. with domestic operations is the U.S. Sentencing Commission Federal Sentencing Guidelines for Organizations, and if the company has international operations, the guidelines from the U.K. Bribery Act and/or the Organization for Economic Co-operation and Development should be included.
When initiating the work, also think about the importance of the attorney-client privilege. The need for the privilege is to ensure that the chief ethics and compliance officer and the general counsel are able to get enough information, good and bad, to use from the evaluation. The review will become the roadmap to improve the program, and if necessary, identify any deficiencies. If taken out of context, or if a deficiency doesn’t get remedied immediately, the report could be used against a company in the event of a regulatory investigation or litigation.
It is important to have executive support — including those at the board level — in order to initiate this type of review. Management should expect that gaps will be identified and that resources will be needed to address these gaps once the findings are received. There is plenty of literature on the development of corporate compliance programs — and most executives and board members are reading and discussing the topic in the context of corporate governance. At Jacobs, management sees the evolution of the program as a positive outcome of ongoing discussion of the company’s values and the importance to its clients, suppliers, partners and board.
The hardest part of designing the benchmarking review is defining the scope and deciding the best plan to collect data. Understanding the top risks to the company’s business strategy, through a risk assessment, will provide guidance on where to focus. The ethics-and-compliance team will be essential in collecting documents such as codes of conduct, relevant policies, hotline incidents and investigation reports as well as coordinating the list of executives and employees to be interviewed and/or surveyed. For a global enterprise, this can be a daunting task.
The firm that conducts the review will synthesize all the data into a detailed report with findings representative of what the company is doing well, and the identification of specific issues that require attention.
A company should be able to categorize and prioritize the findings into five major work streams: global policies and the code of conduct; tone at the top and in the middle; training; communications; and metrics.
Those findings were then used to prepare a project plan that described the tasks and timeline, allowing the company to design a dashboard to track progress and results, which was important for stakeholder reporting and for continuous improvement.
Undertaking a benchmark review will yield great value. Undoubtedly, areas for improvement will be identified, and the review will also validate that the company has many best practices in-place. Often, the ethics and compliance function engages with management when there is a report of a potential violation. This type of exercise is an opportunity to engage with management in a positive conversation with an eye toward continuous improvement.
Jim Durree is vice president of risk, ethics and compliance at Jacobs, a provider of technical professional and construction services based in Dallas, Texas.