Assessments and Confidentiality

A threshold issue which often arises in conducting C&E program assessments is to what extent the process and report should be treated as confidential. There are two components to this question, the first of which concerns the use of the company’s attorney-client privilege and the second providing assurance to interviewees that – absent exigent circumstances – their comments will not be shared even with others within the company, a form of protection that goes beyond that offered by the privilege.

As to the first question, there is clearly a benefit to conducting a privileged assessment, given the litigation/enforcement risks posed by the type of self-critical information that an assessment often generates. When employees fear that comments made in assessment interviews might be used by their companies’ adversaries, they are presumably less likely to be candid in providing important information about the C&E program. That, in turn, can lead to a less meaningful assessment.

However, the mere involvement of attorneys in an assessment will not, by itself, establish the privilege. Rather, to have a privileged assessment, the process must in fact involve a lawyer providing legal advice to the client company. In that connection, one should document from the outset that the purpose of the assessment is to review the extent to which the company’s program a) meets pertinent legal expectations and b) otherwise helps reduce legal risks (the way a best-practices program can). Of course, advice along these lines must actually be provided in connection with the assessment.

Additionally, to maintain the privilege one must a) instruct employees to keep the contents of their assessment interviews confidential; and b) after the assessment is complete, keep the assessment report confidential (although the specifics of this – e.g., how much internal disclosure is permissible without risking waiver – will be a function of applicable state law, at least in the U.S.).

Thus, a company may be limited in the extent to which it can share a favorable review of its program. Any assessment conducted with an eye toward publicizing the results of the effort should presumably not be conducted under the privilege.

We have also seen substantial benefits in providing assurances to interviewees that – absent exigent circumstances (which would likely include a government investigation) – their comments will not be shared even with others at the company. Particularly when seeking information about sensitive matters – e.g., whether the CEO and other senior leaders really “walk the talk,” discipline is sufficient for violations, and the company does a good job assessing and responding to risks – assurances of this sort may be essential to obtaining accurate information.

Finally, documentation of the assessment should anticipate disclosure – whether inadvertent or through a waiver of privilege (for instance, in a government investigation). Thus, one should attempt to be highly confident of factual findings and recommendations before finalizing a report – including, at least in most situations, reviewing these in draft with key client personnel to assure accuracy of not only the reported facts but also the underlying assumptions in the report.

Posted in Methodologies

Certification as a form of program evaluation

By Joe Murphy, CCEP

A newly evolving approach to program evaluation is certification, particularly to meet an ISO standard. Most notably, ISO 37001 provides for certification of anti-corruption compliance programs. There is a great deal of controversy about this certification. Here I will touch on some of the questions that arise.

First there is the question of what standard is being used. ISO 37001 sets out one global standard for anti-bribery compliance programs, and this is the one that is subject to certification. It may also incorporate other relevant standards (e.g., if specific compliance program elements are required by applicable law, they would also have to be met to obtain ISO certification), but that would have to be determined in the certification process.

A second question is how an evaluation would be done. Does the review just look at the program’s design, or does it look at whether it is fully implemented? Most difficult is to determine how well it is actually operating – does the program actually have an effect? A company considering certification would have to look at this carefully, considering the language of ISO 37001, and what is supposed to be the scope of the review. There is also a question of what parts of larger companies are actually covered in a review and certification. The fact that a global company claims that it has ISO 37001 certification does not necessarily indicate which parts of the company were subject to this certification and which parts have not yet been reviewed.

A third question is who conducts the review. This could be a murky area. ISO has a process for designating what entities are qualified to conduct a review, but this is determined by ISO bodies in a broad list of countries; will all those qualified in these different countries operate at the same level of diligence? Moreover, there remains a question whether a company claiming it meets the ISO 37001 standards was actually reviewed by an entity that met the ISO qualification requirements. Could any entity conduct a verification review, even if not officially qualified? Again, companies will need to be careful in this area.

What happens after certification? Are companies now free to focus elsewhere, being done with their work on the compliance program? Will certification discourage innovation and further work? According to ISO’s rules, certification is good for 3 years, and each year there must be ongoing review. Companies can lose their certification if they aren’t walking the walk, and the ISO standard mandates continuous improvement and documented evidence of program needs evaluation to keep certification. But once a company has its certification, will it then nevertheless be difficult to convince management to do anything new or innovative? After all, once you pass the exam why keep studying and learning?

Given the uncertainties, why would a company pursue certification? There may be an element of prestige in this, being able to claim that one’s program is certified. There may be a hope that regulators and enforcement personnel will view certification as a positive step, indicating that the company’s management really does want to do the right thing. ISO makes no claim that certification renders a company bulletproof, but there remains the potential that certification will be considered by enforcers and courts.

But the most likely push will come from the marketplace. At least in the anti-corruption area, dealings with third parties create the highest compliance risks. It is typically necessary to conduct due diligence on third parties to ensure they are legitimate. How much better would it be if there were a system that made at least part of this determination for companies? Again, ISO does not claim that certification of one’s compliance program ensures compliance. But for a major company trying to ensure its supply chain does not get it into trouble, requiring ISO certification by its agents and other third parties may be a strong plus.

Thus the most likely impetus will be the marketplace. Companies will have an incentive to require certification of their agents and suppliers. Governments, too, may add this as a requirement for their procurement processes.

Will this work? Will it help fight bribery, or will it instead discourage innovation? Will it make dealing with third parties easier for companies, or will it mislead them? Will the certification process result in genuine program assessments, or will it be just a surface step?

This is a development well worth watching. But in any case, certification or not, companies need to keep evaluating their own programs and ensuring they meet the applicable standards. Most importantly, companies need to keep evaluating whether their compliance and ethics programs actually work.

—–
For 40 years, Joe Murphy, CCEP, has been a tireless champion of compliance and ethics in organizations and has done compliance work on six continents. Joe has published over 100 articles and given over 200 presentations in 19 countries. Joe is author of 501 Ideas for Your Compliance & Ethics Program and A Compliance & Ethics Program on a Dollar a Day. He is a Certified Compliance & Ethics Professional and editor of the SCCE magazine, Compliance & Ethics Professional. Joe was named one of The National Law Journal’s 50 Governance, Risk and Compliance Trailblazers and Pioneers 2014 and was a recipient of the SCCE Compliance and Ethics Award. He can be reached at jemurphy5730@gmail.com.

Posted in Assessment mandates and benefits, Guest Posts

PLI One-Hour Briefing on Compliance & Ethics Program Assessment

On September 28 at 1:00 Eastern Rebecca and Jeff will be leading a One-Hour Briefing for the Practising Law Institute on C&E program assessment. The program will cover:

Official requirements for conducting C&E program assessments and business-related reasons to do so
The various tools used in conducting assessments: interviews, document review, surveys, focus groups, benchmarking, maturity models, etc.
When and how to conduct an assessment under the attorney-client privilege and related matters of confidentiality
The size, scope and frequency of assessments
What to know and to look out for in formulating findings and recommendations, and in drafting and disseminating an assessment report
The role of the board of directors and of senior management
For each of the major elements and sub-elements of a C&E program – risk assessment, program management and oversight, policies, training, auditing, helplines, incentives, etc. – what to look for both in terms of efficacy and opportunities for improvement
Assessing the characteristics of an effective C&E program, such as independence, clout, reach and sufficiency of resources
“Deep dives” into areas of high risk – such as anti-corruption and antitrust compliance
The hallmarks of an ethical organizational culture
Use of “behavioral ethics” ideas and information in C&E program assessments

More information about the program can be found here

Posted in Uncategorized

Assessing compliance incentives

There are two types of incentives that typically should be reviewed in a C&E program assessment.
The first concerns the extent to which a company’s general incentive structure has the effect (presumably unintentional) of promoting non-compliance. The second concerns incentive measures directly aimed at promoting compliance.
The two overlap to some degree but are conceptually and operationally distinct, and they warrant separate discussions in an assessment report. Indeed, the consideration of general incentives is often part of the risk-assessment component of a report (at least for engagements that have such a component), rather than appearing in the incentives section.
Regardless of where the discussion of incentives is located in a report, properly framing the nature of the inquiry concerning general incentives is key. The question here is not – we believe – whether an incentive structure creates a risk of wrongdoing. That could be said of virtually any results-based compensation structure. Rather, the inquiry should be whether an incentive structure creates an undue risk of wrongdoing.
Note that this is largely a subjective determination, and there is no universally accepted definition of “undue” to be applied in this context. Indeed, assessing whether compensation creates undue risks in any given setting turns on a variety of factors beyond the specifics of the compensation itself – particularly culture-related ones. But, in our experience, the undue risk formulation works well enough in assessment interviews, with the discussion typically turning on whether a) the performance targets upon which compensation decisions are partly based are realistic or can be met by some employees only through illegitimate means and b) the consequences of failing to meet the targets are overly harsh.
It is also important to consider the extent to which senior leaders, HR and others consider the risks created by compensation when setting goals. Is there an effort to understand the level of pressure created by various employee objectives and goals, and the extent to which performance goals create compliance risks?
Also relevant to assessing this sort of risk are incentives vis-à-vis third parties. While this aspect of risk assessment is becoming routine with respect to FCPA risks (e.g., ensuring that a distributor’s margins are reasonable), companies should also consider incentives and risks for other areas of legal exposure involving third parties (such as antitrust and fraud).
The second type of incentive to be assessed is – as noted above – incentive measures directly aimed at promoting compliance. These, in turn, consist of both tangible and intangible incentives.
The most commonly used tangible C&E incentive is inclusion of C&E criteria on performance evaluations. Some of the indicia of efficacy here are:
– Having examples in evaluation materials of different levels of C&E-related behavior generally (e.g., outstanding, strong, needs improvement).
– Having these examples tailored for different levels in the corporate hierarchy (e.g., what is outstanding for a leader, manager, other).
– Reinforcing the importance of the C&E component of personnel evaluations through appropriate discussion of this topic in the code of conduct, training and other communications.
Note that the other side of the tangible incentives coin is penalizing behavior that is undesirable but doesn’t rise to the level of being an appropriate subject of discipline. An example is denying bonuses or other forms of compensation to those who fail to take mandatory C&E training. In assessing this sort of incentive, one might make sure that the company actually does what it says it will do (e.g., withhold bonuses) in these instances.
Intangible incentives are, for the most part, recognition programs. What makes them successful is:
– In cases of awards, using the process of selecting nominees to educate employees about the C&E program. Companies should create a real campaign around the effort, including having as much senior management involvement as is reasonably possible.
– For more everyday forms of recognition, training managers to identify and (where appropriate) laud employees in their work group for ethically exemplary behavior.
Finally, one should be alert to unintended consequences for compliance-directed incentive measures. For instance, providing bonuses for having no workplace accidents could have the unintended consequence of suppressing reporting of accidents.

Posted in Personnel measures

Assessing the E&C Investigations Process

Investigations are one of the more difficult and riskier activities of an E&C program. Poorly-conducted investigations can create serious legal risks for an organization. In addition, the mishandling of investigations can damage the way in which employees perceive E&C programs, in particular where the report was initially made to the E&C department, through a hotline or otherwise. The mishandling of E&C investigations can corrode the sense of organizational justice and the culture of ethics and compliance at an organization. In short, E&C-related investigations are a serious business, and assessing them is therefore an important component of assessing an E&C program.
Assessing an investigations process is often complicated by the fact that investigations at many organizations are conducted by a number of functions, and privilege concerns can further complicate any review. In addition, there are a large number of facets of the investigations process that must be reviewed in order to assess that process comprehensively, which further increases the level of complexity. When reviewing investigations procedures, some of the more helpful areas of inquiry include the following:
• Guidelines: Are there written guidelines governing how investigations will be assigned? Are they logical and appropriate? Are they followed in practice?
• Is there a written investigations protocol, and does it include those elements that are necessary to facilitate robust investigations? Some of the elements that are typically included in investigations manuals include:
o Professionalism standards that govern the investigations process, such as a discussion of the importance of impartiality, competency, confidentiality, and non-retaliation.
o Step-by-step guides for each aspect of investigations, including intake procedures, preliminary analysis of the allegation, assigning investigations, opening a case file, creating an investigative plan, reviewing documents, whom to interview and how to do so, preparing interview notes, assessing and determining findings, preparing a final report, responding to the complainant and subject, and closing out the case.
o Samples and outlines of investigation documents, such as reports of interviews, reports of investigation, and sample communications with interviewees, complainants, supervisors, and subjects of investigations.
• Are there protocols that govern how evidence can be collected (e.g., required approvals before electronic data is accessed) and when and how litigation or investigation holds will be issued?
• Are there clear guidelines governing when to get the Legal Department involved and the steps to be taken when conducting an inquiry under the attorney-client privilege?
• Is there adequate oversight of the process? And does E&C have the ability to oversee investigations conducted by other functions, where appropriate?
• What are the protocols and practices for documenting investigations? What type of case management system is used? Is the case management system adequate to permit the E&C team to document investigations appropriately?
• Is the case management system adequate to permit aggregation and assessment of metrics related to reports received and investigations conducted? Are metrics in fact collected and considered? Are metrics reported to executive leadership and the audit committee? Are they reported out to employees?
• Are investigators appropriately qualified and adequately trained? Is ongoing training provided?
• Are investigators asked to consider supervisory fault when investigating allegations of E&C violations?
• Are investigators asked to consider appropriate remedial measures? Are there opportunities to escalate critical remedial measures on a timely basis? (For example, if an investigation reveals a serious gap in a control, can the investigator seek remediation for that quickly?)
• Where an organization has locations outside the United States, do investigations procedures consider local legal requirements and prohibitions governing internal investigations?
• Does the organization track the amount of time required to complete investigations? Are there undue delays in the time period required to complete investigations?
• Is the audit committee able to oversee the most serious investigations when it is appropriate for them to do so? Is there a written escalation protocol that governs when the audit committee should be informed about the most serious allegations/investigations?
The questions above should be asked not only regarding written protocols and processes (e.g., is there a written protocol governing how investigations are assigned?) but also regarding how an organization’s investigations process is implemented in practice (e.g., are investigations in fact assigned in a timely and reasonable manner?). This can require discussions of sensitive information, and the assessor must be cautious regarding privilege issues.
Ultimately, an effective assessment of an investigations process seeks to determine whether the process possesses three critical attributes:
1) Independence: Are investigations conducted independently, objectively and impartially?
2) Access and authority: Are investigators permitted access to those people and documents that are necessary in order to conduct the investigation? To travel to those sites necessary? In other words, are there any obstacles or impediments to conducting a thorough investigation?
3) Expertise and professionalism: Is the investigator qualified to conduct the type of investigation? Does he or she have the relevant level and areas of expertise?
While perhaps obvious, we note that the above is merely a sampling of both areas to cover when assessing E&C investigations and questions that can be asked in each of those areas. E&C investigations can be complicated, risky and critically important to an organization’s E&C program, and the assessment process is therefore both challenging and significant.

Posted in Investigations

Assessing compliance training

Training is not just another part of every C&E program; it is generally the part that touches the work lives of more of a company’s employees than do other elements. It should therefore be a significant focus of any program assessment.
The possible avenues of inquiry here are broad, as one would imagine, and each assessment will have its own areas of particular focus. But a partial list of core training assessment questions might include the following.
Plan. Is there a written plan for providing training on an annual or other periodic basis?
Risk-based. Are the training curriculum and content based – whether formally or not – on an assessment of risk? Is the risk assessment designed to be helpful in this regard?
Role of the Board. What training does the Board receive regarding its oversight of the program? What training does the Board receive regarding its own compliance risks?
Role of senior management. Are senior managers trained on the C&E risks and responsibilities applicable to their role at the company? Does this include their duty to support an ethical culture?
Supervisors. Is there C&E training for supervisors regarding their obligations to support the program and how to do so?
Other roles. Is other training appropriately role based? (E.g., is anti-corruption training adapted to different roles – such as internal audit, finance, sales and marketing, government relations and logistics?)
Participation. Is training that is supposed to be mandatory in fact treated that way? What is done to encourage stragglers to take required training? For in-person training, is a sufficient record kept of attendance?
Media. Does the company have a good blend of in-person and computer-based training?
Content. Is the information in the training accurate, comprehensive and clear?
Quality. Is the training engaging? Is it memorable? Too long or too short? (Note that one way to make training memorable is to use – as appropriate – “case studies” based on actual events at the company.)
Repetition. Is the same training program shown to employees more than once? (While some degree of repetition is acceptable and may even be desirable, too much of the same thing can send the wrong message to employees.)
Short programs. Does the company use short training programs to refresh employee awareness of key C&E topics?
Translations. Have they been done for all of the company’s principal languages? Is the training “US centric”?
Feedback. Does the company seek comments and suggestions from employees on the training?
Integration plan. Does the company have a plan for rolling out training to newly acquired entities? Is there a sufficient C&E component to the new hire onboarding process?
Third party training. Does it reach the right (i.e., high risk) third parties?
We should emphasize that – like all posts on this blog – the above does not aim to be comprehensive. However, we do hope it is helpful.

Posted in Training and communications

Audit Interviews Regarding Employee C&E Knowledge

An often useful but not always used self-assessment tool is to include in an audit interview questions to determine if employees have sufficient knowledge of C&E program requirements and resources. Knowledge questions – as these might be called – are intended to be asked in addition to, and not in lieu of, questions about actual violations of law and policy.
C&E knowledge questions might include some of the following – tailored, as appropriate, to the interviewee’s job duties:
• Are you aware of company policy regarding
o Offering and receiving gifts and entertainment?
o Providing travel and other things of value to customers and government officials?
o Engaging third parties to represent the company in dealing with governmental entities?
o Making facilitating payments?
o Having contact with competitors?
o Addressing conflicts of interest?
o Taking annual C&E training?
o Reporting possible misconduct?
Yes answers to any of these should trigger follow-up questions designed to test the knowledge the interviewee says she has. Some examples:
• What would you do if a customer asked you to refer his or her family member for a job at the company?
• What are the approval requirements before providing a meal to a government employee?
• What topics are forbidden to discuss with competitors?
• What should be done if you have a possible conflict of interest?
• What are the channels for reporting suspected wrongdoing?
• How would you seek advice on an ethical matter?
• Where can you find copies of company C&E policies?
As noted, questions should be tailored to the interviewee’s duties. For instance, managers (but not necessarily other employees) should generally be asked if they would know what to do – and what not to do – if an employee reported suspected wrongdoing to them. Or, selected interviewees might be asked if they would know what to do and not do in the event of a “Dawn Raid.”
The benefit of using C&E knowledge questions in audits is not only in the value of what is learned from the answers. The mere asking of such questions can send a message that may travel widely in a company about the importance of C&E generally to management. Of course, deploying such questions also incurs a cost in terms of the time and resources of audit staff and other employees, and the use of such questions can decrease the time available for taking other important audit measures. However, such questions can be a valuable tool in the audit/assessment tool box, and companies should thus consider the costs and benefits of such a practice.

Posted in Auditing, monitoring, and other "checking", Uncategorized

Assessing risk assessment

When the Federal Sentencing Guidelines for Organizations were first issued in 1991, risk assessment was not among the specified elements of an effective C&E program. By the time risk assessment was added to the definition of an effective C&E program in 2004 (as part of a comprehensive revision of this aspect of the Guidelines), many of those working in the C&E field saw risk assessment as indispensable to program efficacy, a view which has indeed strengthened over the years since then.
Risk assessment can come up in two ways in the program assessment setting.
First, the assessor can be asked to conduct a risk assessment alongside the program assessment. In this model a portion of all or most of the assessment interviews is devoted to posing risk assessment questions about the client organization.
One advantage of such an approach is that it can make the rest of the assessment (i.e., the pure program assessment part) more risk sensitive. Another advantage is economic – combining risk and program assessment might entail a more efficient use of interviewees’ time and assessor resources than would having two totally separate processes. On the other hand, a combined approach may mean insufficient time for each.
The other way in which risk assessment comes up in a program assessment setting – and this is presumably the case in all program assessments – is that how a company conducts risk assessment should itself be assessed. There is, of course, no one-size-fits-all set of criteria for this analysis, but there are certain questions that are particularly helpful and approaches that seem to work well generally – including the following:
– Is the risk assessment designed to identify information regarding all significant elements of the C&E program? Many risk assessments are designed to produce two types of risk-related information: that which helps the board of directors and senior management oversee the program and that which helps the internal audit function audit the program. These are important, of course. However, as a matter of common sense (and for meeting the pertinent Sentencing Guidelines expectations), the design and operation of all other aspects of the program – e.g., policies, procedures, training, communications, monitoring, the helpline, incentives, accountabilities – should be informed by the results of the risk assessment too.
– Does the assessment produce qualitative – as well as quantitative – information? Most risk assessments produce some quantitative data, particularly with respect to the likelihood and impact of a potential violation. But in assessing a risk assessment, one should also consider whether and how well it produces qualitative data.
One type of qualitative data concerns the “why” of risk. For instance, a risk caused by ignorance or lack of appreciation of applicable C&E standards tends to suggest enhancing relevant training and communications, whereas a risk caused by lack of attention by key personnel may suggest the need for stronger accountability measures.
A second type of qualitative data that risk assessments should generate is based on the “where” and “how” of risk. For instance, it is less helpful to merely identify competition law as a risk than it is to identify particularly risky markets (by geography and/or product/service line) and types of violations (e.g., division of markets) more likely to occur than others.
Finally, in assessing a company’s C&E risk assessment process, one should consider what might be called the risk assessment of everyday work. That is, while presumably all companies should have a formal risk assessment process, the particulars of that process may depend in part on how well the company already knows its risks from other aspects of the program, such as monitoring, and indeed from having law or compliance personnel deeply involved in business planning and operations – and whether the knowledge obtained this way is put to use to help mitigate C&E risk in an effective manner.

Posted in Risk assessment, Uncategorized

Welcome to the Compliance Program Assessment Blog

Rebecca Walker and Jeff Kaplan of Kaplan & Walker LLP are pleased to announce the launch of the Compliance Program Assessment Blog (www.complianceprogramassessmentblog.com).

“We have each been conducting compliance and ethics [“C&E”] program assessments since the 1990s and are very happy to have this opportunity to share publicly assessment-related best practices and other practical ideas and information,” Kaplan said. “Although program assessments have long been recognized by both enforcement officials and C&E professionals as essential to promoting and maintaining program efficacy, many companies are just now taking their first steps in this area. We hope that the Blog will be of assistance to them in this rewarding but challenging facet of ensuring good corporate citizenship,” Walker added.

The Blog will address, among other topics:

  1. Assessment mandates and benefits. We will survey and analyze the growing body of legal standards and other official expectations for conducting C&E program assessments, as well as business-related reasons to do so.
  2. Assessment methods. The Blog will review the various tools used in conducting assessments – interviews, document reviews, surveys, focus groups, benchmarking, etc. – and provide guidance on the when, where, who and how of each. We will also address:
    • The issue of when and how to conduct an assessment under the attorney-client privilege and related matters of confidentiality.
    • Questions concerning the size and scope of assessments.
    • What to know and to look out for in formulating findings and recommendations, and in drafting and disseminating an assessment report.
    • How frequently companies should assess their programs.
    • The interplay between program and risk assessments.
    • The role of the board of directors and of senior management in assessments.
    • The use of maturity models and other frameworks in assessments.
  3. Program elements. For each of the major elements and sub-elements of a C&E program – program management and oversight, policies, procedures, training, auditing, helplines, incentives, etc. – we will consider what to look for both in terms of efficacy and opportunities for improvement.
  4. Program attributes. We will explore criteria for use in assessing key characteristics of an effective C&E program that “cut across” individual program elements, such as independence and sufficiency of resources.
  5. Culture. The Blog will discuss the various hallmarks of an ethical organizational culture, and how they can be effectively measured – perhaps the most challenging of all aspects of conducting a program assessment.
  6. Social science research findings and survey data. Increasingly, assessments are expected to have scientific or quantitative dimensions, and the Blog will discuss approaches to meeting those expectations, such as through the use of publicly available survey data and by adapting “behavioral ethics” ideas and information to the compliance program setting.

Our plan is to spend the next few months building the site out with foundational posts. After that, we will encourage other practitioners to submit guest posts (although we will not accept advertising). We may also conduct interviews for the Blog.

We hope that you find the Compliance Program Assessment Blog useful and – in the spirit of its subject matter – that you will let us know how we can continuously improve.

Posted in Welcome