The New Antitrust Compliance Program Evaluation Criteria

For more than a quarter of a century the Antitrust Division of the US Justice Department (the “DOJ”) was an outlier among the components of the DOJ with respect to crediting compliance programs in enforcement matters. That changed on July 11 of this year when, as described in a DOJ press release: https://www.justice.gov/opa/pr/antitrust-division-announces-new-policy-incentivize-corporate-compliance  “Assistant Attorney General Makan Delrahim announced the Antitrust Division’s new policy for incentivizing antitrust compliance. For the first time, the Division will consider compliance at the charging stage in criminal antitrust investigations, a change which is reflected in the Justice Manual. The Division also announced revisions to its Manual and published a document to guide prosecutors’ evaluation of corporate compliance programs at the charging and sentencing stage.  ‘The Antitrust Division is committed to rewarding corporate efforts to invest in and instill a culture of compliance’ said Assistant Attorney General Delrahim. ‘The Division’s Leniency Policy has long provided the ultimate credit for effective antitrust compliance programs. Beyond leniency, recently we have credited prospective compliance efforts at sentencing. Crediting compliance at charging is the next step in our continued efforts to deter antitrust violations and reward good corporate citizenship. We also remain dedicated to predictability and transparency. As such, in concert with today’s policy changes, the Division issued a public guidance document that outlines what prosecutors look for when evaluating antitrust compliance programs.’ The Justice Manual previously explained the Antitrust Division’s policy that credit should not be given at the charging stage for a compliance program. That text has been deleted. The Division also updated its Manual. 
The revisions address evaluating compliance programs at the charging and sentencing stage, and Division processes for recommending indictments, plea agreements, and selecting monitors. For the first time, the Division also published a guidance document that focuses on evaluating compliance programs in the context of criminal violations of the Sherman Act. https://www.justice.gov/atr/page/file/1182001/download   It is intended to assist Division prosecutors in their evaluation of compliance programs at both the charging and sentencing stage of investigations, and to provide compliance officers and the public greater transparency of the Division’s compliance analysis. To that end, it contains two sections: the first relates to evaluating antitrust compliance programs at the charging stage, and the second addresses compliance considerations at sentencing.”

The above-mentioned guidance document (“the Guidance”) is indeed of great importance to those working in the compliance and ethics field, as it discusses in some detail government expectations for designing, improving and assessing antitrust programs. As one would expect, it tracks the approach of the compliance guidance document published recently by the DOJ’s Criminal Division. https://www.justice.gov/criminal-fraud/page/file/937501/download Under the Guidance, the “fundamental” questions in this evaluation are whether the program “(1) is well designed, (2) is being applied earnestly and in good faith, and (3) works in practical application.” To facilitate this assessment, the Guidance directs prosecutors to consider whether antitrust compliance programs “address and prohibit criminal antitrust violations” and “detect and facilitate prompt reporting of the violation” as well as “to what extent a company’s senior management [was] involved in the violation.”

The Guidance also provides a list of nine factors, and questions and considerations related to each, that prosecutors should consider when determining the effectiveness of an antitrust compliance program: (1) the design and comprehensiveness of the program; (2) the culture of compliance within the company; (3) responsibility for, and resources dedicated to, antitrust compliance; (4) antitrust risk assessment techniques; (5) compliance training and communication to employees; (6) monitoring and auditing techniques, including continued review, evaluation, and revision of the antitrust compliance program; (7) reporting mechanisms; (8) compliance incentives and discipline; and (9) remediation methods.

The Guidance recognizes that one size does not fit all for compliance programs – e.g., the size of a company and the corresponding effect on resources allocated to antitrust compliance are recognized as factors to be considered.

The questions and considerations underlying each of these factors are indeed numerous and – in our view – well thought out.  Some examples include:  

  • Design and Comprehensiveness.  When was the company’s antitrust compliance program first implemented? How often is it updated? Is it periodically reviewed and does it seek feedback from employees? Are compliance materials updated with recent developments and periodically refreshed so they do not become stale?
  • Culture of Compliance.  What is the company’s senior leadership doing to convey the importance of antitrust compliance to company employees? How have senior leaders, through their words and actions, encouraged (or discouraged) antitrust compliance? What concrete actions have they taken to demonstrate leadership in the company’s antitrust compliance or remediation efforts, if relevant?
  • Responsibility for the Compliance Program.  Who has overall responsibility for the antitrust compliance program? Is there a chief compliance officer or executive within the company responsible for antitrust compliance? If so, to whom does the individual report, e.g., the Board of Directors, audit committee, or other governing body? How often does the compliance officer or executive meet with the Board, audit committee, or other governing body? How does the company ensure the independence of its compliance personnel?
  • Risk Assessment.  Is the company’s antitrust compliance program tailored to the company’s various industries/business lines and consistent with industry best practice? Does the compliance program provide specialized antitrust compliance training for human resources personnel and executives responsible for overseeing recruitment and hiring? What efforts has the company made to implement antitrust-related policies and procedures that reflect and address the antitrust risks it faces, including legal and technical changes in the way the company conducts business? For example, as employees utilize new methods of electronic communication, what is the company doing to evaluate and manage the antitrust risk associated with these new forms of communication?
  • Training and Communication.  How has the company communicated its antitrust policies and procedures to all employees? Did the company introduce antitrust policies in a way that promotes and ensures employees’ understanding? In what specific ways are antitrust compliance policies and procedures reinforced through the company’s internal controls?
  • Periodic Review, Monitoring and Auditing.  What monitoring or auditing mechanisms does the company have in place to detect antitrust violations? For example, are there routine or unannounced audits (e.g., a periodic review of documents/communications from specific employees; performance evaluations and employee self-assessments for specific employees; interviews of specific employees)? Does the company use any type of screen, communications monitoring tool, or statistical testing designed to identify potential antitrust violations?
  • Reporting.  Do supervisors or employees who become aware of a potential antitrust violation have a duty to report it to those with responsibility for compliance? What disciplinary measures does the company have for those who fail to report such conduct?
  • Incentives and Discipline.  Has the company considered the implications on antitrust compliance of its incentives, compensation structure, and rewards? Does the company incentivize antitrust compliance? Have there been specific examples of actions taken (e.g., promotions or awards denied, or bonuses clawed back) because of compliance considerations? Who determines the compensation, including bonuses, as well as discipline and promotion of compliance personnel?
  • Remediation and Role of the Compliance Program in the Discovery of the Violation.  Has the company revised its antitrust compliance program as a result of the antitrust violation and lessons learned? How did the company address, and determine how to address, failures in the compliance program? Was outside counsel or an advisor involved?

We wish to emphasize that this is a sampling of the evaluation criteria – and there are many more questions and considerations in the document itself.

The publication of the Guidance represents an important development in the history of the compliance and ethics field. But whether it is a positive development for any given company will depend on how that company can respond to the thoughtful and demanding questions the document poses.

Conducting Program Assessments Using the Department of Justice’s New Evaluation Standards

The modern era of corporate compliance began on November 1, 1991, when the Federal Sentencing Guidelines for Organizations (the “FSGO”) – the first set of general standards for assessing the efficacy of what were then called “program[s] to prevent and detect violations of law” – went into effect. Since then, the Department of Justice (the “DOJ”) and other governmental bodies in the US and elsewhere have built upon the FSGO approach to compliance and ethics (“C&E”) program evaluation criteria.
The latest chapter in this story unfolded on April 30, 2019, when Assistant Attorney General Brian Benczkowski announced the publication of an updated and expanded version of the Evaluation of Corporate Compliance Programs (“the 2019 Guidance”), superseding an evaluation criteria document published in 2017 by the DOJ. The 2019 Guidance – available here https://www.justice.gov/criminal-fraud/page/file/937501/download – does not revise the DOJ’s particular criteria for evaluating C&E program efficacy in any material way. But overall it is more comprehensive than anything of its kind that has come before.
In this post we provide a brief overview of the 2019 Guidance and initial thoughts on what the document means for program assessment.

The 2019 Guidance

The 2019 Guidance is structured around three “fundamental questions”:
• “Is the Corporation’s Compliance Program Well Designed?”
• “Is the Corporation’s Compliance Program Being Implemented Effectively?”
• “Does the Corporation’s Compliance Program Work in Practice?”
For each of these fundamental questions, prosecutors are provided with various topics and questions. For the design question, these topics and questions concern C&E risk assessment, policies and procedures, training and communications, confidential reporting structure and investigation process, third-party management and mergers and acquisitions. For the implementation question, they concern commitment by senior and middle management (including conduct at the top), program autonomy and resources, and incentives and disciplinary measures. For the third fundamental question the topics and questions concern continuous improvement, periodic testing and review, investigation of misconduct, and analysis and remediation of any underlying misconduct.
The various topics and questions are – in our view – quite good, and some can be considered state of the art in the C&E field. There are far too many of these to cover in this post, and C&E professionals should of course read the original. But to give a flavor of the document, we note the following from the risk assessment section, which states, among other things: “Prosecutors may credit the quality and effectiveness of a risk-based compliance program that devotes appropriate attention and resources to high-risk transactions, even if it fails to prevent an infraction in a low-risk area.” This is an important point, as it should provide an extra incentive for conducting robust risk assessments to those companies that have felt that conducting risk assessments is often a feckless exercise given that it is impossible to identify all conceivable risks. This section also charges prosecutors with asking: “What methodology has the company used to identify, analyze, and address the particular risks it faces?” We think this is important because too few companies consider whether their methodologies are in fact “fit for purpose.” Finally, this section also has well-thought-out topics and questions regarding risk-tailored resource allocations and updates and revisions to the program.

Assessments under the 2019 Guidance

Given the considerable thought and effort that the DOJ put into drafting this document, a company (at least one doing business in the US) would be hard-pressed to ignore it in designing, enhancing or assessing a C&E program. Indeed, in a speech given the day the 2019 Guidance was published (available here https://www.justice.gov/opa/speech/assistant-attorney-general-brian-benczkowski-delivers-keynote-address-ethics-and), Mr. Benczkowski noted that the document was drafted not only for use by prosecutors but also by companies.
Of course, there are other models of program evaluation criteria available, some of which are quite good. But in an investigation, it is the 2019 Guidance that will frame the discussion with DOJ, and this should be considered when deciding on an assessment methodology.

Using behavioral ethics in compliance program assessments

Behavioral economics is a school of social science that teaches that we are not as rational as we think. The application of that learning to the realm of ethics is sometimes called “behavioral ethics,” which is a social science that teaches that we are not as ethical as we think we are. Compliance program assessments can provide a valuable opportunity to introduce the use of behavioral ethics ideas and information into corporate compliance programs. (Note: more information about the behavioral ethics experiments that form the basis for this post can be found in our sister blog – the Conflict of Interest Blog).
Broadly speaking, there are two dimensions to behavioral ethics and compliance: the general and the specific.
By the former we mean using the learning that we are not as ethical as we think to promote the understanding in a company of the need for stronger E&C generally. In our view, this is for many companies potentially the most powerful application of behavioral ethics to the realm of compliance. If properly appreciated, this learning should be valuable in ensuring that boards of directors, senior managers and other key decision makers devote more time, attention and resources to compliance than they otherwise would. Indeed, the lesson that we are not as ethical as we think we are is one that is worth teaching to everyone in a company – as it should help all employees appreciate the need for strong E&C.
The specific application of behavioral ethics to corporate compliance involves using different aspects of this learning to enhance discrete program elements. To take the example of risk assessment, various behaviorist experiments suggest that the following be taken into account when assessing risk:
• Time pressure
• “Slippery slopes”
• “Conformity bias”
• Good intentions
• “Distant victims”
• Being in a job that involves a significant amount of dealing with money.
Or, to take the example of training, one could use the results of certain behavioral ethics experiments to deploy a just-in-time/point-of-risk communication strategy. And to help encourage employees with the often-difficult decision of whether to report a suspected act of wrongdoing, behavioral ethics suggests appealing to a sense of “larger loyalty.”
We should emphasize that many (although by no means all) of the insights of behavioral ethics have long been known anecdotally to E&C professionals. But what behavioral ethics brings to the table is data to prove these things – an increasingly valued commodity in the business world. A behavioral ethics approach can help organizations more efficiently and more effectively deploy scarce E&C resources, which is an important reason to include a behavioral ethics dimension in an E&C program assessment.

Culture assessment – the why and the how

Research conducted over the past twenty years has provided an evidentiary basis for what has – for just as long – been accepted wisdom in the E&C community: that an ethical organizational culture is even more effective than a strong E&C program at preventing and detecting misconduct. 1/ Research has also shown that a strong E&C program is correlated to a strong culture, and that leadership support – the tone at the top – is one of the most important drivers of an ethical corporate culture. 2/ Thus, when seeking to assess the efficacy of an organization’s E&C program, one should also seek to assess the organization’s ethical culture, which includes understanding the tone at the top.
The Sentencing Guidelines indeed recognize the importance of an ethical culture by providing, in relevant part, that “to have an effective compliance and ethics program…an organization shall…promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.” Similarly, the FCPA Resource Guide states, in relevant part:
…compliance begins with the board of directors and senior executives setting the proper tone for the rest of the company. Managers and employees take their cues from these corporate leaders. Thus, DOJ and SEC consider the commitment of corporate leaders to a ‘culture of compliance’ and look to see if this high-level commitment is also reinforced and implemented by middle managers and all employees at all levels of a business. …
A strong ethical culture directly supports a strong compliance program. By adhering to ethical standards, senior managers will inspire middle managers to reinforce those standards. Compliant managers, in turn, will encourage employees to strive to attain those standards throughout the organizational structure.
In short, “tone at the top” plays a crucial role in establishing and maintaining an organization’s culture.
Finally, one cannot meaningfully assess a company’s compliance program without understanding broader cultural issues the company faces – some of which can pose particular challenges to promoting E&C and others of which can provide tailwinds for such an effort. This is another reason that – at least as a general matter – program assessments should include a cultural component.

Turning from the why to the how, the notion of ethical culture is quite broad, and there is no one right way for assessments of this sort to be conducted. But hopefully the following will be helpful to companies seeking to undertake a cultural assessment.

First, with respect to tone at the top, one might explore the following:
– what senior managers say to underscore their expectation that employees will act lawfully and ethically;
– the related but distinct question about what senior managers do to underscore the expectation that employees will follow all dictates of the organization’s C&E program, such as those concerning taking training or conducting vendor due diligence;
– whether senior managers’ own conduct undermines their C&E messaging; and
– similar questions regarding various levels of management besides those at the very top, such as functional or business unit leadership or those further down the organizational ladder. (One best practice to consider: having those at or near the top engaged in a visible way in reminding delinquents of the need to take mandatory C&E training.)
Beyond tone at the top, another essential area for assessment concerns an organization’s “speak-up” culture. It is important in this sort of inquiry not only to assess the environment regarding true C&E matters but also the speak-up culture as it relates to other types of workplace concerns and questions, as reticence to speak up in one area may affect (or reflect) reticence in others. Relevant to a company’s speak-up culture is its degree of “organizational justice,” and the extent to which wrongdoing is responded to in a fair and sufficiently rigorous way.
A third and somewhat less obvious aspect of culture assessment concerns rule following, and the extent to which it is genuinely expected in an organization. Here too it may be helpful to think beyond core compliance program rules to those concerning other aspects of a company’s business, such as some of the various other rules covered by a delegation of authority policy. Note that for the ethics component of an assessment, a strong rule-following culture may be less than ideal. But from a pure compliance perspective, it is hard to beat a deep embrace of rules.
A fourth and also less obvious area for assessment concerns industry culture. While not true of all or even most companies, in some industries, the industry culture may be more of a source of risk than the organizational culture. This is particularly true of industries with a significant degree of inter-company mobility.
Fifth, as is obvious from many cases over the years of non-compliance – most recently the high-profile Wells Fargo scandal – a key aspect of culture is the extent to which pressure/incentives make it difficult for employees to do their jobs in an ethical and law-abiding way. Indeed, this may be the most important cultural attribute of all – and should be explored fully in any assessment, with aspects of this inquiry including both economic “carrots” and “sticks,” as well as non-economic incentives.
Finally, we should reiterate that this piece is not intended to be a comprehensive overview of all areas to cover in culture assessments, which is a complex and hugely important topic. Indeed, we anticipate publishing more on this topic – including posts by guest bloggers. But hopefully it will be helpful to some of those designing assessments.
__
1 See, e.g., Linda Trevino, “Managing Ethics and Legal Compliance: What Works and What Hurts,” California Management Review, January 1, 1999; Ethics Resource Center, National Business Ethics Survey, 2011; Corporate Executive Board, “Ethical Leadership: The Important Links Between Culture, Risk Management, and Business Performance,” (September 13, 2011).
2 David M. Mayer, Karl Aquino, Rebecca L. Greenbaum and Maribeth Kuenzi, Who Displays Ethical Leadership, and Why Does It Matter? An Examination of Antecedents and Consequences of Ethical Leadership, Academy of Management Journal, Vol. 55, No. 1 (July 9, 2013).

Legal Guidance related to Program Assessment

Legal guidance in the area of C&E program assessments accords with professional wisdom in this area, emphasizing the importance of periodic assessments to an effective program. In this post, we review a few of the relevant legal standards from U.S. authorities. In later posts, we will take a look at assessment guidance from other countries and non-governmental organizations.
Sentencing Guidelines
The Sentencing Guidelines for Organizations, which contain the most influential set of standards for effective compliance and ethics programs, provide that an organization should periodically evaluate the effectiveness of its program. The Guidelines also provide that, after criminal conduct is detected, an organization should take reasonable steps to prevent further similar criminal conduct, including through assessing and making necessary modifications to the program.
Department of Justice
In February of 2017, the Fraud Section of the Department of Justice published a document on its web site titled “Evaluation of Corporate Compliance Programs,” which lists a number of questions that the Fraud Section “may ask” in determining the effectiveness of a compliance program. That document discusses the importance of review and audit of an organization’s compliance program, including “testing of relevant controls, collection and analysis of compliance data, and interviews of employees and third-parties.” (Available at https://www.justice.gov/criminal-fraud/page/file/937501/download.)
The Department of Justice and Securities and Exchange Commission, in their Resource Guide to the Foreign Corrupt Practices Act (published in November 2012), issued detailed guidance on the importance of program assessment. In the Resource Guide, the DOJ and SEC instruct that compliance programs “should constantly evolve” and that those programs that do not just exist on paper but are followed in practice inevitably uncover weaknesses and require enhancements. It is therefore important to the DOJ and SEC that companies “regularly review and improve their compliance programs and not allow them to become stale.” (Available at https://www.justice.gov/sites/default/files/criminal-fraud/legacy/2015/01/16/guide.pdf.)
The Resource Guide goes on to provide that organizations should take the time to review and test controls and to think critically about potential weaknesses, and also provides some instruction on how to go about doing so. “For example, some companies have undertaken employee surveys to measure their compliance culture and strength of internal controls,” and other companies “periodically test their internal controls with targeted audits.” Regardless of the form of review, DOJ and SEC have promised to “give meaningful credit to thoughtful efforts to create a sustainable compliance program.” They have also stated that “proactive evaluations” can lower the fine that an organization might otherwise be subject to if a violation occurs.
Other Guidance
Other U.S. government agency standards similarly emphasize the importance of program assessment. For example, the Securities and Exchange Commission’s final rules requiring investment companies and investment advisors to implement compliance programs require such entities to review the adequacy of the compliance policies and procedures and the effectiveness of their implementation on at least an annual basis. (17 CFR 270.38a-1(a)(3).) Similarly, the Office of Inspector General of the Department of Health and Human Services, in its compliance program guidance for various healthcare organizations, typically includes the requirement of regular (typically at least annual) review of a compliance program. (See https://oig.hhs.gov/compliance/compliance-guidance/index.asp.) The importance of program assessment has also been highlighted in Federal Energy Regulatory Commission compliance program guidance, which provides that, in determining program effectiveness, regulators should consider the frequency with which an organization reviews and modifies its compliance program. (https://www.ferc.gov/whats-new/comm-meet/2008/051508/M-1.pdf.)

Assessments and Confidentiality

A threshold issue which often arises in conducting C&E program assessments is to what extent the process and report should be treated as confidential. There are two components to this question, the first of which concerns the use of the company’s attorney-client privilege and the second providing assurance to interviewees that – absent exigent circumstances – their comments will not be shared even with others within the company, a form of protection that goes beyond that offered by the privilege.

As to the first question, there is clearly a benefit to conducting a privileged assessment, given the litigation/enforcement risks posed by the type of self-critical information that an assessment often generates. When employees fear that comments made in assessment interviews might be used by their companies’ adversaries, they are presumably less likely to be candid in providing important information about the C&E program. That, in turn, can lead to a less meaningful assessment.

However, the mere involvement of attorneys in an assessment will not, by itself, establish the privilege. Rather, to have a privileged assessment, the process must in fact involve a lawyer providing legal advice to the client company. In that connection, one should document from the outset that the purpose of the assessment is to review the extent to which the company’s program a) meets pertinent legal expectations and b) otherwise helps reduce legal risks (the way a best practices program can). Of course, advice along these lines must actually be provided in connection with the assessment.

Additionally, to maintain the privilege one must a) instruct employees to keep the contents of their assessment interviews confidential; and b) after the assessment is complete, keep the assessment report confidential (although the specifics of this – e.g., how much internal disclosure is permissible without risking waiver – will be a function of applicable state law, at least in the U.S.).

Thus, a company may be limited in the extent to which it can share a favorable review of its program. Any assessment conducted with an eye toward publicizing the results of the effort should presumably not be conducted under the privilege.

We have also seen substantial benefits in providing assurances to interviewees that – absent exigent circumstances (which would likely include a government investigation) – their comments will not be shared even with others at the company. Particularly when seeking information about sensitive matters – e.g., whether the CEO and other senior leaders really “walk the talk,” discipline is sufficient for violations, and the company does a good job assessing and responding to risks – assurances of this sort may be essential to obtaining accurate information.

Finally, documentation of the assessment should anticipate disclosure – whether inadvertent or through a waiver of privilege (for instance, in a government investigation). Thus, one should attempt to be highly confident of factual findings and recommendations before finalizing a report – including, at least in most situations, reviewing these in draft with key client personnel to assure accuracy of not only the reported facts but also the underlying assumptions in the report.

Certification as a form of program evaluation

By Joe Murphy, CCEP

A newly evolving approach to program evaluation is certification, particularly to meet an ISO standard. Most notably, ISO 37001 provides for certification of anti-corruption compliance programs. There is a great deal of controversy about this certification. Here I will touch on some of the questions that arise.

First there is the question of what standard is being used. ISO 37001 sets out one global standard for anti-bribery compliance programs, and this is the one that is subject to certification. It may also incorporate other relevant standards (e.g., if specific compliance program elements are required by applicable law, they would also have to be met to obtain ISO certification), but that would have to be determined in the certification process.

A second question is how an evaluation would be done. Does the review just look at the program’s design, or does it look at whether it is fully implemented? Most difficult is to determine how well it is actually operating – does the program actually have an effect? A company considering certification would have to look at this carefully, considering the language of ISO 37001, and what is supposed to be the scope of the review. There is also a question of what parts of larger companies are actually covered in a review and certification. The fact that a global company claims that it has ISO 37001 certification does not necessarily indicate which parts of the company were subject to this certification and which parts have not yet been reviewed.

A third question is who conducts the review. This could be a murky area. ISO has a process for designating what entities are qualified to conduct a review, but this is determined by ISO bodies in a broad list of countries; will all those qualified in these different countries operate at the same level of diligence? Moreover, there remains a question whether a company claiming it meets the ISO 37001 standards was actually reviewed by an entity that met the ISO qualification requirements. Could any entity conduct a verification review, even if not officially qualified? Again, companies will need to be careful in this area.

What happens after certification? Are companies now free to focus elsewhere, being done with their work on the compliance program? Will certification discourage innovation and further work? According to ISO’s rules, certification is good for 3 years, and each year there must be ongoing review. Companies can lose their certification if they aren’t walking the walk, and the ISO standard mandates continuous improvement and documented evidence of program needs evaluation to keep certification. But once a company has its certification, will it then nevertheless be difficult to convince management to do anything new or innovative? After all, once you pass the exam why keep studying and learning?

Given the uncertainties, why would a company pursue certification? There may be an element of prestige in this, being able to claim that one’s program is certified. There may be a hope that regulators and enforcement personnel will view certification as a positive step, indicating that the company’s management really does want to do the right thing. ISO makes no claim that certification renders a company bullet proof, but there remains the potential that certification will be considered by enforcers and courts.

But the most likely push will come from the marketplace. At least in the anti-corruption area, dealings with third parties create the highest compliance risks. It is typically necessary to conduct due diligence on third parties to ensure they are legitimate. How much better would it be if there were a system that made at least part of this determination for companies? Again, ISO does not claim that certification of one’s compliance program ensures compliance. But for a major company trying to ensure its supply chain does not get it into trouble, requiring ISO certification by its agents and other third parties may be a strong plus.

Thus the most likely impetus will be the marketplace. Companies will have an incentive to require certification of their agents and suppliers. Governments, too, may add this as a requirement for their procurement processes.

Will this work? Will it help fight bribery, or will it instead discourage innovation? Will it make dealing with third parties easier for companies, or will it mislead them? Will the certification process result in genuine program assessments, or will it be just a surface step?

This is a development well worth watching. But in any case, certification or not, companies need to keep evaluating their own programs and ensuring they meet the applicable standards. Most importantly, companies need to keep evaluating whether their compliance and ethics programs actually work.

—–
For 40 years, Joe Murphy, CCEP, has been a tireless champion of compliance and ethics in organizations and has done compliance work on six continents. Joe has published over 100 articles and given over 200 presentations in 19 countries. Joe is author of 501 Ideas for Your Compliance & Ethics Program and A Compliance & Ethics Program on a Dollar a Day. He is a Certified Compliance & Ethics Professional and editor of the SCCE magazine, Compliance & Ethics Professional. Joe was named one of The National Law Journal’s 50 Governance, Risk and Compliance Trailblazers and Pioneers 2014 and was a recipient of the SCCE Compliance and Ethics Award. He can be reached at jemurphy5730@gmail.com .

PLI One-Hour Briefing on Compliance & Ethics Program Assessment

On September 28 at 1:00 Eastern Rebecca and Jeff will be leading a One-Hour Briefing for the Practising Law Institute on C&E program assessment. The program will cover:

• Official requirements for conducting C&E program assessments and business-related reasons to do so
• The various tools used in conducting assessments: interviews, document review, surveys, focus groups, benchmarking, maturity models, etc.
• When and how to conduct an assessment under the attorney-client privilege and related matters of confidentiality
• The size, scope and frequency of assessments
• What to know and to look out for in formulating findings and recommendations, and in drafting and disseminating an assessment report
• The role of the board of directors and of senior management
• For each of the major elements and sub-elements of a C&E program – risk assessment, program management and oversight, policies, training, auditing, helplines, incentives, etc. – what to look for both in terms of efficacy and opportunities for improvement
• Assessing the characteristics of an effective C&E program, such as independence, clout, reach and sufficiency of resources
• “Deep dives” into areas of high risk – such as anti-corruption and antitrust compliance
• The hallmarks of an ethical organizational culture
• Use of “behavioral ethics” ideas and information in C&E program assessments

More information about the program can be found here

Assessing compliance incentives

There are two types of incentives that typically should be reviewed in a C&E program assessment.
The first concerns the extent to which a company’s general incentive structure has the effect (presumably unintentional) of promoting non-compliance. The second concerns incentive measures directly aimed at promoting compliance.
The two overlap to some degree but are conceptually and operationally distinct, and they warrant separate discussions in an assessment report. Indeed, the consideration of general incentives is often part of the risk-assessment component of a report (at least for engagements that have such a component), rather than appearing in the incentives section.
Regardless of where the discussion of incentives is located in a report, properly framing the nature of the inquiry concerning general incentives is key. The question here is not – we believe – whether an incentive structure creates a risk of wrongdoing. That would be said of virtually any results-based compensation structure. Rather, the inquiry should be whether an incentive structure creates an undue risk of wrongdoing.
Note that this is largely a subjective determination, and there is no universally accepted definition of “undue” to be applied in this context. Indeed, assessing whether compensation creates undue risks in any given setting turns on a variety of factors beyond the specifics of the compensation itself – particularly culture-related ones. But, in our experience, the undue risk formulation works well enough in assessment interviews, with the discussion typically turning on whether a) the performance targets upon which compensation decisions are partly based are realistic or can be met by some employees only through illegitimate means and b) the consequences of failing to meet the targets are overly harsh.
It is also important to consider the extent to which senior leaders, HR and others consider the risks created by compensation when setting goals. Is there an effort to understand the level of pressure created by various employee objectives and goals, and the extent to which performance goals create compliance risks?
Also relevant to assessing this sort of risk are incentives vis-à-vis third parties. While this aspect of risk assessment is becoming routine with respect to FCPA risks (e.g., ensuring that a distributor’s margins are reasonable), companies should also consider incentives and risks for other areas of legal exposure involving third parties (such as antitrust and fraud).
The second type of incentive to be assessed is – as noted above – incentive measures directly aimed at promoting compliance. These, in turn, consist of both tangible and intangible incentives.
The most commonly used tangible C&E incentive is inclusion of C&E criteria on performance evaluations. Some of the indicia of efficacy here are:
– Having examples in evaluation materials of different levels of C&E-related behavior generally (e.g., outstanding, strong, needs improvement).
– Having these examples tailored for different levels in the corporate hierarchy (e.g., what is outstanding for a leader, manager, other).
– Reinforcing the importance of the C&E component of personnel evaluations through appropriate discussion of this topic in the code of conduct, training and other communications.
Note that the other side of the tangible incentives coin is penalizing behavior that is undesirable but doesn’t rise to the level of being an appropriate subject of discipline. An example is denying bonuses or other forms of compensation to those who fail to take mandatory C&E training. In assessing this sort of incentive, one might make sure that the company actually does what it says it will do (e.g., withhold bonuses) in these instances.
Intangible incentives are, for the most part, recognition programs. What makes them successful is:
– In cases of awards, using the process of selecting nominees to educate employees about the C&E program. Companies should create a real campaign around the effort, including having as much senior management involvement as is reasonably possible.
– For more everyday forms of recognition, training managers to identify and (where appropriate) laud others in the work group for ethically exemplary behavior.
Finally, one should be alert to unintended consequences of compliance-directed incentive measures. For instance, providing bonuses for having no workplace accidents could have the unintended consequence of suppressing reporting of accidents.

Assessing the E&C Investigations Process

Investigations are one of the more difficult and riskier activities of an E&C program. Poorly-conducted investigations can create serious legal risks for an organization. In addition, the mishandling of investigations can damage the way in which employees perceive E&C programs, in particular where the report was initially made to the E&C department, through a hotline or otherwise. The mishandling of E&C investigations can corrode the sense of organizational justice and the culture of ethics and compliance at an organization. In short, E&C-related investigations are a serious business, and assessing them is therefore an important component of assessing an E&C program.
Assessing an investigations process is often complicated by the fact that investigations at many organizations are conducted by a number of functions, and privilege concerns can further complicate any review. In addition, there are a large number of facets of the investigations process that must be reviewed in order comprehensively to assess that process, which further increases the level of complexity. When reviewing investigations procedures, some of the more helpful areas of inquiry include the following:
• Guidelines: Are there written guidelines governing how investigations will be assigned? Are they logical and appropriate? Are they followed in practice?
• Is there a written investigations protocol, and does it include those elements that are necessary to facilitate robust investigations? Some of the elements that are typically included in investigations manuals include:
    ◦ Professionalism standards that govern the investigations process, such as a discussion of the importance of impartiality, competency, confidentiality, and non-retaliation.
    ◦ Step-by-step guides for each aspect of investigations, including intake procedures, preliminary analysis of the allegation, assigning investigations, opening a case file, creating an investigative plan, reviewing documents, whom to interview and how to do so, preparing interview notes, assessing and determining findings, preparing a final report, responding to the complainant and subject, and closing out the case.
    ◦ Samples and outlines of investigation documents, such as reports of interviews, reports of investigation, and sample communications with interviewees, complainants, supervisors, and subjects of investigations.
• Are there protocols that govern how evidence can be collected (e.g., required approvals before electronic data is accessed) and when and how litigation or investigation holds will be issued?
• Are there clear guidelines governing when to get the Legal Department involved and the steps to be taken when conducting an inquiry under the attorney-client privilege?
• Is there adequate oversight of the process? And does E&C have the ability to oversee investigations conducted by other functions, where appropriate?
• What are the protocols and practices for documenting investigations? What type of case management system is used? Is the case management system adequate to permit the E&C team appropriately to document investigations?
• Is the case management system adequate to permit aggregation and assessment of metrics related to reports received and investigations conducted? Are metrics in fact collected and considered? Are metrics reported to executive leadership and the audit committee? Are they reported out to employees?
• Are investigators appropriately qualified and adequately trained? Is ongoing training provided?
• Are investigators asked to consider supervisory fault when investigating allegations of E&C violations?
• Are investigators asked to consider appropriate remedial measures? Are there opportunities to escalate critical remedial measures on a timely basis? (For example, if an investigation reveals a serious gap in a control, can the investigator seek remediation for that quickly?)
• Where an organization has locations outside the United States, do investigations procedures consider local legal requirements and prohibitions governing internal investigations?
• Does the organization track the amount of time required to complete investigations? Are there undue delays in the time period required to complete investigations?
• Is the audit committee able to oversee the most serious investigations when it is appropriate for them to do so? Is there a written escalation protocol that governs when the audit committee should be informed about the most serious allegations/investigations?
The questions above should be asked not only regarding written protocols and processes (e.g., is there a written protocol governing how investigations are assigned?) but also regarding how an organization’s investigations process is implemented in practice (e.g., are investigations in fact assigned in a timely and reasonable manner?). This can require discussions of sensitive information, and the assessor must be cautious regarding privilege issues.
Ultimately, an effective assessment of an investigations process seeks to determine whether the process possesses three critical attributes:
1) Independence: Are investigations conducted independently, objectively and impartially?
2) Access and authority: Are investigators permitted access to those people and documents that are necessary in order to conduct the investigation? To travel to those sites necessary? In other words, are there any obstacles or impediments to conducting a thorough investigation?
3) Expertise and professionalism: Is the investigator qualified to conduct the type of investigation? Does he or she have the relevant level and areas of expertise?
While perhaps obvious, we note that the above is merely a sampling of both areas to cover when assessing E&C investigations and questions that can be asked in each of those areas. E&C investigations can be complicated, risky and critically important to an organization’s E&C program, and the assessment process is therefore both challenging and significant.