Conducting Program Assessments Using the Department of Justice’s New Evaluation Standards

The modern era of corporate compliance began on November 1, 1991, when the Federal Sentencing Guidelines for Organizations (the “FSGO”) – the first set of general standards for assessing the efficacy of what were then called “program[s] to prevent and detect violations of law” – went into effect. Since then, the Department of Justice (the “DOJ”) and other governmental bodies in the US and elsewhere have built upon the FSGO approach to compliance and ethics (“C&E”) program evaluation criteria.
The latest chapter in this story unfolded on April 30, 2019, when Assistant Attorney General Brian Benczkowski announced the publication of an updated and expanded version of the Evaluation of Corporate Compliance Programs (the “2019 Guidance”), superseding the evaluation criteria document published by the DOJ in 2017. The 2019 Guidance does not revise the DOJ’s particular criteria for evaluating C&E program efficacy in any material way. But overall it is more comprehensive than anything of its kind that has come before.
In this post we provide a brief overview of the 2019 Guidance and initial thoughts on what the document means for program assessment.

The 2019 Guidance

The 2019 Guidance is structured around three “fundamental questions”:
• “Is the Corporation’s Compliance Program Well Designed?”
• “Is the Corporation’s Compliance Program Being Implemented Effectively?”
• “Does the Corporation’s Compliance Program Work in Practice?”
For each of these fundamental questions, prosecutors are provided with various topics and questions. For the design question, these topics and questions concern C&E risk assessment, policies and procedures, training and communications, confidential reporting structure and investigation process, third-party management and mergers and acquisitions. For the implementation question, they concern commitment by senior and middle management (including conduct at the top), program autonomy and resources, and incentives and disciplinary measures. For the third fundamental question the topics and questions concern continuous improvement, periodic testing and review, investigation of misconduct, and analysis and remediation of any underlying misconduct.
The various topics and questions are – in our view – quite good, and some can be considered state of the art in the C&E field. There are far too many of these to cover in this post, and C&E professionals should of course read the original. But to give a flavor of the document, we note the following from the risk assessment section, which states, among other things: “Prosecutors may credit the quality and effectiveness of a risk-based compliance program that devotes appropriate attention and resources to high-risk transactions, even if it fails to prevent an infraction in a low-risk area.” This is an important point, as it should provide an extra incentive for conducting robust risk assessments to those companies that have felt that conducting risk assessments is often a feckless exercise given that it is impossible to identify all conceivable risks. This section also charges prosecutors with asking: “What methodology has the company used to identify, analyze, and address the particular risks it faces?” We think this is important because too few companies consider whether their methodologies are in fact “fit for purpose.” Finally, this section also has well-thought-out topics and questions regarding risk-tailored resource allocations and updates and revisions to the program.

Assessments under the 2019 Guidance

Given the considerable thought and effort that the DOJ put into drafting this document, a company (at least one doing business in the US) would be hard-pressed to ignore it in designing, enhancing or assessing a C&E program. Indeed, in a speech given the day the 2019 Guidance was published, Mr. Benczkowski noted that the document was drafted not only for use by prosecutors but also by companies.
Of course, there are other models of program evaluation criteria available, some of which are quite good. But in an investigation, it is the 2019 Guidance that will frame the discussion with DOJ, and this should be considered when deciding on an assessment methodology.

Using behavioral ethics in compliance program assessments

Behavioral economics is a school of social science that teaches that we are not as rational as we think. The application of that learning to the realm of ethics is sometimes called “behavioral ethics,” which is a social science that teaches that we are not as ethical as we think we are. Compliance program assessments can provide a valuable opportunity to introduce the use of behavioral ethics ideas and information into corporate compliance programs. (Note: more information about the behavioral ethics experiments that form the basis for this post can be found in our sister blog – the Conflict of Interest Blog).
Broadly speaking, there are two dimensions to behavioral ethics and compliance: the general and the specific.
By the former we mean using the learning that we are not as ethical as we think to promote the understanding in a company of the need for stronger E&C generally. In our view, this is for many companies potentially the most powerful application of behavioral ethics to the realm of compliance. If properly appreciated, this learning should be valuable in ensuring that boards of directors, senior managers and other key decision makers devote more time, attention and resources to compliance than they otherwise would. Indeed, the lesson that we are not as ethical as we think we are is one that is worth teaching to everyone in a company – as it should help all employees appreciate the need for strong E&C.
The specific application of behavioral ethics to corporate compliance involves using different aspects of this learning to enhance discrete program elements. To take the example of risk assessment, various behaviorist experiments suggest that the following be taken into account when assessing risk:
• Time pressure
• “Slippery slopes”
• “Conformity bias”
• Good intentions
• “Distant victims”
• Being in a job that involves a significant amount of dealing with money.
Or, to take the example of training, one could use the results of certain behavioral ethics experiments to deploy a just-in-time/point-of-risk communication strategy. And to help encourage employees with the often-difficult decision of whether to report a suspected act of wrongdoing, behavioral ethics suggests appealing to a sense of “larger loyalty.”
We should emphasize that many (although by no means all) of the insights of behavioral ethics have long been known anecdotally to E&C professionals. But what behavioral ethics brings to the table is data to prove these things – an increasingly valued commodity in the business world. A behavioral ethics approach can help organizations more efficiently and more effectively deploy scarce E&C resources, which is an important reason to include a behavioral ethics dimension in an E&C program assessment.

Culture assessment – the why and the how

Research conducted over the past twenty years has provided an evidentiary basis for what has – for just as long – been accepted wisdom in the E&C community: that an ethical organizational culture is even more effective than a strong E&C program at preventing and detecting misconduct. 1/ Research has also shown that a strong E&C program is correlated to a strong culture, and that leadership support – the tone at the top – is one of the most important drivers of an ethical corporate culture. 2/ Thus, when seeking to assess the efficacy of an organization’s E&C program, one should also seek to assess the organization’s ethical culture, which includes understanding the tone at the top.
The Sentencing Guidelines indeed recognize the importance of an ethical culture by providing, in relevant part, that “to have an effective compliance and ethics program…an organization shall…promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.” Similarly, the FCPA Resource Guide states, in relevant part:
…compliance begins with the board of directors and senior executives setting the proper tone for the rest of the company. Managers and employees take their cues from these corporate leaders. Thus, DOJ and SEC consider the commitment of corporate leaders to a ‘culture of compliance’ and look to see if this high-level commitment is also reinforced and implemented by middle managers and all employees at all levels of a business. …
A strong ethical culture directly supports a strong compliance program. By adhering to ethical standards, senior managers will inspire middle managers to reinforce those standards. Compliant managers, in turn, will encourage employees to strive to attain those standards throughout the organizational structure.
In short, “tone at the top” plays a crucial role in establishing and maintaining an organization’s culture.
Finally, one cannot meaningfully assess a company’s compliance program without understanding broader cultural issues the company faces – some of which can pose particular challenges to promoting E&C and others of which can provide tailwinds for such an effort. This is another reason that – at least as a general matter – program assessments should generally include a cultural component.

Turning from the why to the how, the notion of ethical culture is quite broad, and there is no one right way for assessments of this sort to be conducted. But hopefully the following will be helpful to companies seeking to undertake a cultural assessment.

First, with respect to tone at the top, one might explore the following:
– what senior managers say to underscore their expectation that employees will act lawfully and ethically;
– the related but distinct question about what senior managers do to underscore the expectation that employees will follow all dictates of the organization’s C&E program, such as those concerning taking training or conducting vendor due diligence;
– whether senior managers’ own conduct undermines their C&E messaging; and
– similar questions regarding various levels of management besides those at the very top, such as functional or business unit leadership or those further down the organizational ladder. (One best practice to consider: having those at or near the top engaged in a visible way in reminding delinquents of the need to take mandatory C&E training.)
Beyond tone at the top, another essential area for assessment concerns an organization’s “speak-up” culture. It is important in this sort of inquiry not only to assess the environment regarding true C&E matters but also the speak-up culture as it relates to other types of workplace concerns and questions, as reticence to speak up in one area may affect (or reflect) reticence in others. Relevant to a company’s speak-up culture is its degree of “organizational justice,” and the extent to which wrongdoing is responded to in a fair and sufficiently rigorous way.
A third and somewhat less obvious aspect of culture assessment concerns rule following, and the extent to which it is genuinely expected in an organization. Here too it may be helpful to think beyond core compliance program rules to those concerning other aspects of a company’s business, such as some of the various other rules covered by a delegation of authority policy. Note that for the ethics component of an assessment, a strong rule-following culture may be less than ideal. But from a pure compliance perspective, it is hard to beat a deep embrace of rules.
A fourth and also less obvious area for assessment concerns industry culture. While not true of all or even most companies, in some industries, the industry culture may be more of a source of risk than the organizational culture. This is particularly true of industries with a significant degree of inter-company mobility.
Fifth, as is obvious from many cases over the years of non-compliance – most recently the high-profile Wells Fargo scandal – a key aspect of culture is the extent to which pressure/incentives make it difficult for employees to do their jobs in an ethical and law-abiding way. Indeed, this may be the most important cultural attribute of all – and should be explored fully in any assessment, with aspects of this inquiry including both economic “carrots” and “sticks,” as well as non-economic incentives.
Finally, we should reiterate that this piece is not intended to be a comprehensive overview of all areas to cover in culture assessments, which is a complex and hugely important topic. Indeed, we anticipate publishing more on this topic – including posts by guest bloggers. But hopefully it will be helpful to some of those designing assessments.
1 See, e.g., Linda Trevino, “Managing Ethics and Legal Compliance: What Works and What Hurts,” California Management Review, January 1, 1999; Ethics Resource Center, National Business Ethics Survey, 2011; Corporate Executive Board, “Ethical Leadership: The Important Links Between Culture, Risk Management, and Business Performance,” (September 13, 2011).
2 David M. Mayer, Karl Aquino, Rebecca L. Greenbaum and Maribeth Kuenzi, “Who Displays Ethical Leadership, and Why Does It Matter? An Examination of Antecedents and Consequences of Ethical Leadership,” Academy of Management Journal, Vol. 55, No. 1 (July 9, 2013).

Legal Guidance related to Program Assessment

Legal guidance in the area of C&E program assessments accords with professional wisdom in this area, emphasizing the importance of periodic assessments to an effective program. In this post, we review a few of the relevant legal standards from U.S. authorities. In later posts, we will take a look at assessment guidance from other countries and non-governmental organizations.
Sentencing Guidelines
The Sentencing Guidelines for Organizations, which contain the most influential set of standards for effective compliance and ethics programs, provide that an organization should periodically evaluate the effectiveness of its program. The Guidelines also provide that, after criminal conduct is detected, an organization should take reasonable steps to prevent further similar criminal conduct, including through assessing and making necessary modifications to the program.
Department of Justice
In February of 2017, the Fraud Section of the Department of Justice published a document on its web site titled “Evaluation of Corporate Compliance Programs,” which lists a number of questions that the Fraud Section “may ask” in determining the effectiveness of a compliance program. That document discusses the importance of review and audit of an organization’s compliance program, including “testing of relevant controls, collection and analysis of compliance data, and interviews of employees and third-parties.”
The Department of Justice and Securities and Exchange Commission, in their Resource Guide to the Foreign Corrupt Practices Act (published in November 2012), issued detailed guidance on the importance of program assessment. In the Resource Guide, the DOJ and SEC instruct that compliance programs “should constantly evolve” and that programs that do not just exist on paper but are followed in practice inevitably uncover weaknesses and require enhancements. It is therefore important to the DOJ and SEC that companies “regularly review and improve their compliance programs and not allow them to become stale.”
The Resource Guide goes on to provide that organizations should take the time to review and test controls and to think critically about potential weaknesses, and also provides some instruction on how to go about doing so. “For example, some companies have undertaken employee surveys to measure their compliance culture and strength of internal controls,” and other companies “periodically test their internal controls with targeted audits.” Regardless of the form of review, DOJ and SEC have promised to “give meaningful credit to thoughtful efforts to create a sustainable compliance program.” They have also stated that “proactive evaluations” can lower the fine that an organization might otherwise be subject to if a violation occurs.
Other Guidance
Other U.S. government agency standards similarly emphasize the importance of program assessment. For example, the Securities and Exchange Commission’s final rules requiring investment companies and investment advisers to implement compliance programs require such entities to review the adequacy of their compliance policies and procedures and the effectiveness of their implementation on at least an annual basis. (17 CFR 270.38a-1(a)(3).) Similarly, the Office of Inspector General of the Department of Health and Human Services, in its compliance program guidance for various healthcare organizations, typically includes the requirement of regular (typically at least annual) review of a compliance program. The importance of program assessment has also been highlighted in Federal Energy Regulatory Commission compliance program guidance, which provides that, in determining program effectiveness, regulators should consider the frequency with which an organization reviews and modifies its compliance program.

Assessments and Confidentiality

A threshold issue which often arises in conducting C&E program assessments is to what extent the process and report should be treated as confidential. There are two components to this question, the first of which concerns the use of the company’s attorney-client privilege and the second providing assurance to interviewees that – absent exigent circumstances – their comments will not be shared even with others within the company, a form of protection that goes beyond that offered by the privilege.

As to the first question, there is clearly a benefit to conducting a privileged assessment, given the litigation/enforcement risks posed by the type of self-critical information that an assessment often generates. When employees fear that comments made in assessment interviews might be used by their companies’ adversaries, they are presumably less likely to be candid in providing important information about the C&E program. That, in turn, can lead to a less meaningful assessment.

However, the mere involvement of attorneys in an assessment will not, by itself, establish the privilege. Rather, to have a privileged assessment, the process must in fact involve a lawyer providing legal advice to the client company. In that connection, one should document from the outset that the purpose of the assessment is to review the extent to which the company’s program a) meets pertinent legal expectations and b) otherwise helps reduce legal risks (the way a best practices program can). Of course, advice along these lines must actually be provided in connection with the assessment.

Additionally, to maintain the privilege one must a) instruct employees to keep the contents of their assessment interviews confidential; and b) after the assessment is complete, keep the assessment report confidential (although the specifics of this – e.g., how much internal disclosure is permissible without risking waiver – will be a function of applicable state law, at least in the U.S.)

Thus, a company may be limited in the extent to which it can share a favorable review of its program. Any assessment conducted with an eye toward publicizing the results of the effort should presumably not be conducted under the privilege.

We have also seen substantial benefits in providing assurances to interviewees that – absent exigent circumstances (which would likely include a government investigation) – their comments will not be shared even with others at the company. Particularly when seeking information about sensitive matters – e.g., whether the CEO and other senior leaders really “walk the talk,” discipline is sufficient for violations, and the company does a good job assessing and responding to risks – assurances of this sort may be essential to obtaining accurate information.

Finally, documentation of the assessment should anticipate disclosure – whether inadvertent or through a waiver of privilege (for instance, in a government investigation). Thus, one should attempt to be highly confident of factual findings and recommendations before finalizing a report – including, at least in most situations, reviewing these in draft with key client personnel to assure accuracy of not only the reported facts but also the underlying assumptions in the report.

Certification as a form of program evaluation

By Joe Murphy, CCEP

A newly evolving approach to program evaluation is certification, particularly to meet an ISO standard. Most notably, ISO 37001 provides for certification of anti-bribery compliance programs. There is a great deal of controversy about this certification. Here I will touch on some of the questions that arise.

First there is the question of what standard is being used. ISO 37001 sets out one global standard for anti-bribery compliance programs, and this is the one that is subject to certification. It may also incorporate other relevant standards (e.g., if specific compliance program elements are required by applicable law, they would also have to be met to obtain ISO certification), but that would have to be determined in the certification process.

A second question is how an evaluation would be done. Does the review just look at the program’s design, or does it look at whether it is fully implemented? Most difficult is to determine how well it is actually operating – does the program actually have an effect? A company considering certification would have to look at this carefully, considering the language of ISO 37001 and what is supposed to be the scope of the review. There is also a question of what parts of larger companies are actually covered in a review and certification. The fact that a global company claims that it has ISO 37001 certification does not necessarily indicate which parts of the company were subject to this certification and which parts have not yet been reviewed.

A third question is who conducts the review. This could be a murky area. ISO has a process for designating what entities are qualified to conduct a review, but this is determined by ISO bodies in a broad list of countries; will all those qualified in these different countries operate at the same level of diligence? Moreover, there remains a question whether a company claiming it meets the ISO 37001 standards was actually reviewed by an entity that met the ISO qualification requirements. Could any entity conduct a verification review, even if not officially qualified? Again, companies will need to be careful in this area.

What happens after certification? Are companies now free to focus elsewhere, being done with their work on the compliance program? Will certification discourage innovation and further work? According to ISO’s rules, certification is good for 3 years, and each year there must be ongoing review. Companies can lose their certification if they aren’t walking the walk, and the ISO standard mandates continuous improvement and documented evidence of program needs evaluation to keep certification. But once a company has its certification, will it then nevertheless be difficult to convince management to do anything new or innovative? After all, once you pass the exam why keep studying and learning?

Given the uncertainties, why would a company pursue certification? There may be an element of prestige in this, being able to claim that one’s program is certified. There may be a hope that regulators and enforcement personnel will view certification as a positive step, indicating that the company’s management really does want to do the right thing. ISO makes no claim that certification renders a company bulletproof, but there remains the potential that certification will be considered by enforcers and courts.

But the most likely push will come from the marketplace. At least in the anti-corruption area, dealings with third parties create the highest compliance risks. It is typically necessary to conduct due diligence on third parties to ensure they are legitimate. How much better would it be if there were a system that made at least part of this determination for companies? Again, ISO does not claim that certification of one’s compliance program ensures compliance. But for a major company trying to ensure its supply chain does not get it into trouble, requiring ISO certification by its agents and other third parties may be a strong plus.

Thus the most likely impetus will be the marketplace. Companies will have an incentive to require certification of their agents and suppliers. Governments, too, may add this as a requirement for their procurement processes.

Will this work? Will it help fight bribery, or will it instead discourage innovation? Will it make dealing with third parties easier for companies, or will it mislead them? Will the certification process result in genuine program assessments, or will it be just a surface step?

This is a development well worth watching. But in any case, certification or not, companies need to keep evaluating their own programs and ensuring they meet the applicable standards. Most importantly, companies need to keep evaluating whether their compliance and ethics programs actually work.

For 40 years, Joe Murphy, CCEP, has been a tireless champion of compliance and ethics in organizations and has done compliance work on six continents. Joe has published over 100 articles and given over 200 presentations in 19 countries. Joe is author of 501 Ideas for Your Compliance & Ethics Program and A Compliance & Ethics Program on a Dollar a Day. He is a Certified Compliance & Ethics Professional and editor of the SCCE magazine, Compliance & Ethics Professional. Joe was named one of The National Law Journal’s 50 Governance, Risk and Compliance Trailblazers and Pioneers 2014 and was a recipient of the SCCE Compliance and Ethics Award.

PLI One-Hour Briefing on Compliance & Ethics Program Assessment

On September 28 at 1:00 Eastern, Rebecca and Jeff will be leading a One-Hour Briefing for the Practising Law Institute on C&E program assessment. The program will cover:

• Official requirements for conducting C&E program assessments and business-related reasons to do so
• The various tools used in conducting assessments: interviews, document review, surveys, focus groups, benchmarking, maturity models, etc.
• When and how to conduct an assessment under the attorney-client privilege and related matters of confidentiality
• The size, scope and frequency of assessments
• What to know and to look out for in formulating findings and recommendations, and in drafting and disseminating an assessment report
• The role of the board of directors and of senior management
• For each of the major elements and sub-elements of a C&E program – risk assessment, program management and oversight, policies, training, auditing, helplines, incentives, etc. – what to look for both in terms of efficacy and opportunities for improvement
• Assessing the characteristics of an effective C&E program, such as independence, clout, reach and sufficiency of resources
• “Deep dives” into areas of high risk – such as anti-corruption and antitrust compliance
• The hallmarks of an ethical organizational culture
• Use of “behavioral ethics” ideas and information in C&E program assessments

More information about the program can be found here

Assessing compliance incentives

There are two types of incentives that typically should be reviewed in a C&E program assessment.
The first concerns the extent to which a company’s general incentive structure has the effect (presumably unintentional) of promoting non-compliance. The second concerns incentive measures directly aimed at promoting compliance.
The two overlap to some degree but are conceptually and operationally distinct, and they warrant separate discussions in an assessment report. Indeed, the consideration of general incentives is often part of the risk-assessment component of a report (at least for engagements that have such a component), rather than appearing in the incentives section.
Regardless of where the discussion of incentives is located in a report, properly framing the nature of the inquiry concerning general incentives is key. The question here is not – we believe – whether an incentive structure creates a risk of wrongdoing. That would be said of virtually any results-based compensation structure. Rather, the inquiry should be whether an incentive structure creates an undue risk of wrongdoing.
Note that this is largely a subjective determination, and there is no universally accepted definition of “undue” to be applied in this context. Indeed, assessing whether compensation creates undue risks in any given setting turns on a variety of factors beyond the specifics of the compensation itself – particularly culture-related ones. But, in our experience, the undue risk formulation works well enough in assessment interviews, with the discussion typically turning on whether a) the performance targets upon which compensation decisions are partly based are realistic or can be met by some employees only through illegitimate means and b) the consequences of failing to meet the targets are overly harsh.
It is also important to consider the extent to which senior leaders, HR and others consider the risks created by compensation when setting goals. Is there an effort to understand the level of pressure created by various employee objectives and goals, and the extent to which performance goals create compliance risks?
Also relevant to assessing this sort of risk are incentives vis-à-vis third parties. While this aspect of risk assessment is becoming routine with respect to FCPA risks (e.g., ensuring that a distributor’s margins are reasonable), companies should also consider incentives and risks for other areas of legal exposure involving third parties (such as antitrust and fraud).
The second type of incentive to be assessed is – as noted above – incentive measures directly aimed at promoting compliance. These, in turn, consist of both tangible and intangible incentives.
The most commonly used tangible C&E incentive is inclusion of C&E criteria on performance evaluations. Some of the indicia of efficacy here are:
– Having examples in evaluation materials of different levels of C&E-related behavior generally (e.g., outstanding, strong, needs improvement).
– Having these examples tailored for different levels in the corporate hierarchy (e.g., what is outstanding for a leader, manager, other).
– Reinforcing the importance of the C&E component of personnel evaluations through appropriate discussion of this topic in the code of conduct, training and other communications.
Note that the other side of the tangible incentives coin is penalizing behavior that is undesirable but doesn’t rise to the level of being an appropriate subject of discipline. An example is denying bonuses or other forms of compensation to those who fail to take mandatory C&E training. In assessing this sort of incentive, one might make sure that the company actually does what it says it will do (e.g., withhold bonuses) in these instances.
Intangible incentives are, for the most part, recognition programs. What makes them successful is:
– In cases of awards, using the process of selecting nominees to educate employees about the C&E program. Companies should create a real campaign around the effort, including having as much senior management involvement as is reasonably possible.
– For more everyday forms of recognition, training managers to identify and (where appropriate) laud employees in their work group for ethically exemplary behavior.
Finally, one should be alert to unintended consequences of compliance-directed incentive measures. For instance, providing bonuses for having no workplace accidents could have the unintended consequence of suppressing the reporting of accidents.

Assessing the E&C Investigations Process

Investigations are one of the more difficult and riskier activities of an E&C program. Poorly conducted investigations can create serious legal risks for an organization. In addition, the mishandling of investigations can damage the way in which employees perceive E&C programs, in particular where the report was initially made to the E&C department, through a hotline or otherwise. The mishandling of E&C investigations can corrode the sense of organizational justice and the culture of ethics and compliance at an organization. In short, E&C-related investigations are a serious business, and assessing them is therefore an important component of assessing an E&C program.
Assessing an investigations process is often complicated by the fact that investigations at many organizations are conducted by a number of functions, and privilege concerns can further complicate any review. In addition, there are a large number of facets of the investigations process that must be reviewed in order to assess that process comprehensively, which further increases the level of complexity. When reviewing investigations procedures, some of the more helpful areas of inquiry include the following:
• Guidelines: Are there written guidelines governing how investigations will be assigned? Are they logical and appropriate? Are they followed in practice?
• Is there a written investigations protocol, and does it include those elements that are necessary to facilitate robust investigations? Some of the elements that are typically included in investigations manuals include:
o Professionalism standards that govern the investigations process, such as a discussion of the importance of impartiality, competency, confidentiality, and non-retaliation.
o Step-by-step guides for each aspect of investigations, including intake procedures, preliminary analysis of the allegation, assigning investigations, opening a case file, creating an investigative plan, reviewing documents, whom to interview and how to do so, preparing interview notes, assessing and determining findings, preparing a final report, responding to the complainant and subject, and closing out the case.
o Samples and outlines of investigation documents, such as reports of interviews, reports of investigation, and sample communications with interviewees, complainants, supervisors, and subjects of investigations.
• Are there protocols that govern how evidence can be collected (e.g., required approvals before electronic data is accessed) and when and how litigation or investigation holds will be issued?
• Are there clear guidelines governing when to get the Legal Department involved and the steps to be taken when conducting an inquiry under the attorney-client privilege?
• Is there adequate oversight of the process? And does E&C have the ability to oversee investigations conducted by other functions, where appropriate?
• What are the protocols and practices for documenting investigations? What type of case management system is used? Is the case management system adequate to permit the E&C team to document investigations appropriately?
• Is the case management system adequate to permit aggregation and assessment of metrics related to reports received and investigations conducted? Are metrics in fact collected and considered? Are metrics reported to executive leadership and the audit committee? Are they reported out to employees?
• Are investigators appropriately qualified and adequately trained? Is ongoing training provided?
• Are investigators asked to consider supervisory fault when investigating allegations of E&C violations?
• Are investigators asked to consider appropriate remedial measures? Are there opportunities to escalate critical remedial measures on a timely basis? (For example, if an investigation reveals a serious gap in a control, can the investigator seek remediation for that quickly?)
• Where an organization has locations outside the United States, do investigations procedures consider local legal requirements and prohibitions governing internal investigations?
• Does the organization track the amount of time required to complete investigations? Are there undue delays in the time period required to complete investigations?
• Is the audit committee able to oversee the most serious investigations when it is appropriate for them to do so? Is there a written escalation protocol that governs when the audit committee should be informed about the most serious allegations/investigations?
The questions above should be asked not only regarding written protocols and processes (e.g., is there a written protocol governing how investigations are assigned?) but also regarding how an organization’s investigations process is implemented in practice (e.g., are investigations in fact assigned in a timely and reasonable manner?). This can require discussions of sensitive information, and the assessor must be cautious regarding privilege issues.
Ultimately, an effective assessment of an investigations process seeks to determine whether the process possesses three critical attributes:
1) Independence: Are investigations conducted independently, objectively and impartially?
2) Access and authority: Are investigators permitted access to the people and documents necessary to conduct the investigation? Can they travel to the sites they need to visit? In other words, are there any obstacles or impediments to conducting a thorough investigation?
3) Expertise and professionalism: Is the investigator qualified to conduct this type of investigation? Does he or she have the relevant level and areas of expertise?
While perhaps obvious, we note that the above is merely a sampling of the areas to cover when assessing E&C investigations and of the questions that can be asked in each of those areas. E&C investigations can be complicated, risky and critically important to an organization’s E&C program, and the assessment process is therefore both challenging and significant.

Assessing compliance training

Training is not just another part of every C&E program; it is generally the element that touches the work lives of more of a company’s employees than any other. It should therefore be a significant focus of any program assessment.
The possible avenues of inquiry here are broad, as one would imagine, and each assessment will have its own areas of particular focus. But a partial list of core training assessment questions might include the following.
Plan. Is there a written plan for providing training on an annual or other periodic basis?
Risk-based. Are the training curriculum and content based – whether formally or not – on an assessment of risk? Is the risk assessment designed to be helpful in this regard?
Role of the Board. What training does the Board receive regarding its oversight of the program? What training does the Board receive regarding its own compliance risks?
Role of senior management. Are senior managers trained on the C&E risks and responsibilities applicable to their role at the company? Does this include their duty to support an ethical culture?
Supervisors. Is there C&E training for supervisors regarding their obligations to support the program and how to do so?
Other roles. Is other training appropriately role based? (E.g., is anti-corruption training adapted to different roles – such as internal audit, finance, sales and marketing, government relations and logistics?)
Participation. Is training that is supposed to be mandatory in fact treated that way? What is done to encourage stragglers to take required training? For in-person training, is a sufficient record kept of attendance?
Media. Does the company have a good blend of in-person and computer-based training?
Content. Is the information in the training accurate, comprehensive and clear?
Quality. Is the training engaging? Is it memorable? Too long or too short? (Note that one way to make training memorable is to use – as appropriate – “case studies” based on actual events at the company.)
Repetition. Is the same training program shown to employees more than once? (While some degree of repetition is acceptable and may even be desirable, too much of the same thing can send the wrong message to employees.)
Short programs. Does the company use short training programs to refresh employee awareness of key C&E topics?
Translations. Have they been done for all of the company’s principal languages? Is the training “US centric”?
Feedback. Does the company seek comments and suggestions from employees on the training?
Integration plan. Does the company have a plan for rolling out training to newly acquired entities? Is there a sufficient C&E component to the new hire onboarding process?
Third party training. Does it reach the right (i.e., high risk) third parties?
We should emphasize that – like all posts on this blog – the above does not aim to be comprehensive. However, we do hope it is helpful.