
Program Structure

In the posts collected here we will discuss assessment-related issues concerning a) various types of C&E program roles and reporting relationships, including those involving the board of directors; senior management; C&E department management; other staff, such as members of the law, human resources, audit and finance functions; b) the use of C&E committees and liaisons; and c) program structure issues relating to affiliated entities, such as subsidiaries and joint ventures. Among other things, these posts will include discussion of assessing C&E officer independence.

Assessing Codes of Conduct

Codes of conduct are often described as the most important document in a compliance program. Codes help set the right tone for compliance and ethics (“C&E”) programs.  They are educational tools that should serve to raise awareness and understanding of important company policies and legal requirements. They are also used at many organizations as the basis for periodic compliance training, and they should serve as a useful resource for employees. In addition, codes are used to promote reporting and to conduct investigations. When assessing a code, it’s important to do so in light of the code’s several purposes: awareness of the program and important policies; training and education; promotion of reporting and use in investigations; and promotion of an ethical culture.


In order for a code to be a successful vehicle for increasing employee awareness of relevant laws and policies, it must be accessible to employees. Government standards have emphasized the importance of code accessibility. For example, in the Resource Guide to the US Foreign Corrupt Practices Act, the Department of Justice and Securities and Exchange Commission note that “the most effective codes are clear, concise, and accessible to all employees.” When reviewing accessibility of codes, C&E professionals should consider accessibility both of the language of the code (including that the language is reasonably easy to understand and that translations are provided, as appropriate) and the more prosaic question of the ability of employees to “get their hands on” the code so that it can serve as a resource where needed.

It is also important to consider the extent to which organizations measure both employees’ understanding of the concepts articulated in the code (is the code understandable to employees?) and their ability to access the code physically. As the Department of Justice noted in its recent revisions to the Evaluation of Corporate Compliance Programs Guidance Document, two important questions to ask when assessing a program are whether the code (and other policies and procedures) has been published in a searchable format for easy reference, and whether the company tracks access to various policies and procedures to understand what policies are attracting more attention from relevant employees. In addition, those assessing a code should consider how frequently employees are reminded of the code; are provided with copies of or links to the code; and are asked to certify their understanding of and compliance with the code. All of these communication tools are important to ensuring employee awareness of a code of conduct.

Promoting a Culture of Compliance

Of course, a code of conduct cannot by itself create a culture of compliance and ethics. However, it can support such a culture, and it can help communicate an organization’s commitment to maintaining such a culture. In assessing a code’s ability to support an ethical corporate culture, one should consider the way in which the organization’s values are highlighted in and woven into the code; the messaging by senior leadership both within the code and regarding the code; and the extent to which the code encourages employees and others to raise questions and concerns. The code should also make very clear that it is applicable to all employees (and, where appropriate, to directors and third parties) and that the company requires compliance with applicable law and company policy by all employees.

Discussion of the Most Important Elements of the C&E Program

Given that they are often considered the foundational document of a compliance program, codes should also discuss those aspects of a program that are most relevant to employees.  This typically includes information about program structure; management support of the program; the company’s commitment to building a culture of compliance; the importance of asking questions and raising concerns and how to do so, including options for anonymous reporting; the company’s commitment to non-retaliation and appropriate investigations of concerns reported; and the potential penalties for non-compliance. Codes should typically also contain information regarding the heightened responsibilities of supervisors and managers with respect to the program.

Codes should be reviewed not only for inclusion of the above; reviewers should also seek to ensure that the above information is communicated in strong and comprehensible language appropriate to the gravity of the topics. One should thus seek to understand not only whether the above topics are contained in the code (which is, of course, the easy part), but also the extent to which communication of those topics is effective.

Discussion of the Most Important Policies and Laws

Unlike the long, “legal-ese” codes of the 1980s and 1990s, modern codes are expected to be concise – meaning reasonably short.  That requires close attention to which company policies and laws are discussed in the code and how they are discussed.  Here, an assessor should certainly be looking to ensure that the “bread and butter” legal topics are addressed (conflicts of interest, harassment and discrimination, insider trading (for public companies), anti-fraud, antitrust/competition law, etc.), and also should consider the extent to which organizations periodically review their codes in relation to their C&E risk assessment to ensure that higher-risk topics are addressed in an appropriate fashion. This requires assessment of not only the contents of the code, but also the way in which the organization determines the code’s contents and revises the code as the organization’s risks change.

A Training Vehicle

Many organizations utilize their codes of conduct as the basis for annual compliance training.  Assessments should therefore also consider the value of a code as a training tool. This requires review of the training itself and the extent to which the code is the basis of effective training. Assessors should also consider the efficacy of any periodic code certification and disclosure exercise.


While a well-written code can have significant value in raising awareness of the company’s commitment to compliance and ethics and of important legal and compliance policies, codes are also sometimes used in the context of compliance investigations. That is, if there is an allegation that an employee has acted in a manner that is inconsistent with or in violation of the code, the C&E team (or others) may need to investigate potential violations.  That aspect of a code’s purpose highlights the critical importance of a code’s mandates being written clearly, of a code’s being accessible and of the code’s discussion of pertinent topics being complete. If an organization’s policies and prohibitions are not easily understood by and well communicated to employees, it may be unfair to hold those employees accountable for violations.

Important Additional Language

There are a few items that should be included in the codes of public companies to ensure compliance with certain laws and regulations. Indeed, codes of conduct (for certain companies) are one of the few elements of a compliance program that are required by laws and regulations, such as the Sarbanes-Oxley Act and the New York Stock Exchange Corporate Governance Rules. This includes, for example, language regarding seeking guidance and raising concerns; the availability of confidential and anonymous reporting mechanisms; non-retaliation; and that certain waivers must be made by the board or a board committee and will be disclosed as required by law. Companies may also wish to include language disclaiming that the code creates any rights in employees or third parties. Codes should be reviewed to ensure inclusion of required topics.

Approval by the Board and Senior Leaders

Because a code of conduct is a foundational document of the compliance program, it is important that the code have the imprimatur of both the board of directors and senior leaders of an organization.  Someone tasked with assessing a code should confirm that both bodies have reviewed and approved the code and are asked to review and approve significant revisions to the code.

Periodic Review and Revision

Lastly, a code – and other C&E policies – should never be allowed to get stale. Codes should be reviewed and revised reasonably frequently in light of both the company’s changing risk profile (as addressed above) and changing best practices.  When assessing an organization’s code, one should consider not only whether the code has been reviewed and revised on a periodic basis, but also whether there is a policy governance mechanism that requires and triggers periodic review and revision.

Revisions to DOJ Program Evaluation Guidance

On June 1, 2020, the U.S. Department of Justice (“DOJ”), Criminal Division, updated its guidance on the “Evaluation of Corporate Compliance Programs” (“the 2020 Update”) to provide increased clarity on several of the key questions prosecutors might ask in assessing the adequacy of compliance programs when making charging, plea, sentencing and settlement determinations.

The DOJ has consistently rejected a one-size-fits-all approach to evaluating corporate compliance programs. This was emphasized in the DOJ’s compliance guidance that was issued in 2017 (“the 2017 Guidance”), an amended version of which was issued in 2019 (the “2019 Update”), and continues to hold true with the 2020 Update. The most recent version of the DOJ Guidance calls for “a reasonable, individualized determination in each case of the effectiveness of a company’s compliance program, including its size, industry, geographic footprint, and regulatory landscape.”

The 2020 Update continues to utilize the “three fundamental questions” that were first articulated by the DOJ (using somewhat different language) in 1999, and then again in the 2019 Update: (1) “Is the corporation’s compliance program well designed?” This question was unchanged from the 2019 Update. (2) “Is the program being applied earnestly and in good faith? In other words, is the program adequately resourced and empowered to function effectively?” This was modified to include the words “adequately resourced and empowered to function effectively,” which we believe is a significant addition. (3) “Does the corporation’s compliance program work” in practice? This was unchanged from the 2019 Update.

Most significantly, the 2020 Update adds to what is already a substantial list of questions and considerations for evaluating compliance programs.

The questions are an excellent tool for organizations to utilize in assessing their own programs. While not all questions are applicable to all organizations (as noted above, there is no one-size-fits-all), reviewing the questions will undoubtedly be a helpful exercise for most companies, and an opportunity to assess and improve, which, as noted above, the guidance embraces. While we focus here on recent changes to the guidance, we recommend review of the full document. Here are what we see as the more significant of the additions to the 2019 Update.

Questions Regarding Whether the Compliance Program is Well Designed

Regarding risk assessment, the 2020 Update:

  • Instructs prosecutors to seek to understand why the company has chosen to set up the compliance program the way that it has, and why and how the company’s program has evolved over time.
  • Asks if any periodic review of the program is limited to a “snapshot” in time or is based upon continuous access to operational data and information.
  • Seeks to determine if the company has a process for tracking and incorporating into its periodic risk assessment lessons learned either from the company’s own prior issues or from those of other companies operating in the same industry or geography.
  • Asks if the periodic review has led to updates in policies, procedures, and controls.

Policies and procedures – The 2020 Update asks:

  • What is the company’s process for designing and implementing new policies and procedures and updating existing policies and procedures, and has that process changed over time?
  • Have the policies and procedures been published in a searchable format for easy reference?
  • Does the company track access to various policies and procedures to understand what policies are attracting more attention from relevant employees?

Training and communications – The 2020 Update:

  • Notes that some companies have invested in shorter, more targeted training sessions to enable employees to timely identify and raise issues to appropriate compliance, internal audit, or other risk management functions.
  • Asks if there is a process by which employees can ask questions arising out of the trainings.
  • Asks if the company has evaluated the extent to which the training has an impact on employee behavior or operations.

Confidential reporting structure and investigation process – The 2020 Update asks:

  • How is the reporting mechanism publicized to the company’s employees and other third parties? Has it been used? Does the company take measures to test whether employees are aware of the hotline and feel comfortable using it?
  • Does the company periodically test the effectiveness of the hotline, for example by tracking a report from start to finish?

Third party management – The 2020 Update asks:

  • Does the company engage in risk management of third parties throughout the lifespan  of the relationship, or primarily during the onboarding process?

M&A – The 2020 Update:

  • Notes that pre-M&A due diligence, where possible, enables the acquiring company to evaluate more accurately each target’s value and negotiate for the costs of any corruption or misconduct to be borne by the target.
  • Notes that a well-designed program should include a process for timely and orderly integration of the acquired entity into existing compliance program structures and internal controls.
  • Asks if the company is able to complete pre-acquisition due diligence and, if not, why not.
  • Asks what has been the company’s process for conducting post-acquisition audits at newly-acquired entities.

Questions Regarding Whether the Corporation’s Compliance Program is Adequately Resourced and Empowered to Function Effectively

Commitment by senior and mid-level management – The 2020 Update:

  • Notes that beyond compliance structures, policies, and procedures, it is important for a company to create and foster a culture of ethics and compliance with the law at all levels of the company. The effectiveness of a compliance program requires a high-level commitment by company leadership to implement a culture of compliance from the middle and the top. (The 2020 Update’s new language here extends the required commitment to mid-level management, not just the top.)

Autonomy and resources – The 2020 Update:

  • Asks the reasons for the structural program choices the company has made.
  • Asks how the company invests in further training and development of the compliance and other control personnel.
  • Regarding data resources and access, asks if compliance and control personnel have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls, and transactions. Asks if any impediments exist that limit access to relevant sources of data and, if so, what the company is doing to address the impediments.

Incentives and disciplinary measures – The 2020 Update:

  • Asks if the compliance function monitors its investigations and resulting discipline to ensure consistency.

Questions Regarding whether the Corporation’s Compliance Program Works in Practice

Continuous improvement, periodic testing, and review – The 2020 Update:

  • Asks if the company reviews and adapts its compliance program based upon lessons learned from its own misconduct and/or that of other companies facing similar risks.

Much has changed since the Department of Justice first encouraged companies to develop effective compliance programs, and the compliance community decidedly benefits from the detailed guidance now offered in this area. But with the 2020 Update, the risks of giving short shrift to what the government expects have never been higher.

The New Antitrust Compliance Program Evaluation Criteria

For more than a quarter of a century the Antitrust Division of the US Justice Department (the “DOJ”) was an outlier among the components of the DOJ with respect to crediting compliance programs in enforcement matters. That changed on July 11, 2019 when, as described in a DOJ press release: “Assistant Attorney General Makan Delrahim announced the Antitrust Division’s new policy for incentivizing antitrust compliance. For the first time, the Division will consider compliance at the charging stage in criminal antitrust investigations, a change which is reflected in the Justice Manual. The Division also announced revisions to its Manual and published a document to guide prosecutors’ evaluation of corporate compliance programs at the charging and sentencing stage. ‘The Antitrust Division is committed to rewarding corporate efforts to invest in and instill a culture of compliance’ said Assistant Attorney General Delrahim. ‘The Division’s Leniency Policy has long provided the ultimate credit for effective antitrust compliance programs. Beyond leniency, recently we have credited prospective compliance efforts at sentencing. Crediting compliance at charging is the next step in our continued efforts to deter antitrust violations and reward good corporate citizenship. We also remain dedicated to predictability and transparency. As such, in concert with today’s policy changes, the Division issued a public guidance document that outlines what prosecutors look for when evaluating antitrust compliance programs.’ The Justice Manual previously explained the Antitrust Division’s policy that credit should not be given at the charging stage for a compliance program. That text has been deleted. The Division also updated its Manual. The revisions address evaluating compliance programs at the charging and sentencing stage, and Division processes for recommending indictments, plea agreements, and selecting monitors.
For the first time, the Division also published a guidance document that focuses on evaluating compliance programs in the context of criminal violations of the Sherman Act. It is intended to assist Division prosecutors in their evaluation of compliance programs at both the charging and sentencing stage of investigations, and to provide compliance officers and the public greater transparency of the Division’s compliance analysis. To that end, it contains two sections: the first relates to evaluating antitrust compliance programs at the charging stage, and the second addresses compliance considerations at sentencing.”

The above-mentioned guidance document (“the Guidance”) is indeed of great importance to those working in the compliance and ethics field, as it discusses in some detail government expectations for designing, improving and assessing antitrust programs. As one would expect, it tracks the approach of the compliance guidance document published recently by the DOJ’s Criminal Division. Under the Guidance, the “fundamental” questions in this evaluation are whether the program “(1) is well designed, (2) is being applied earnestly and in good faith, and (3) works in practical application.” To facilitate this assessment, the Guidance directs prosecutors to consider whether antitrust compliance programs “address and prohibit criminal antitrust violations” and “detect and facilitate prompt reporting of the violation” as well as “to what extent a company’s senior management [was] involved in the violation.”

The Guidance also provides a list of nine factors, and questions and considerations related to each, that prosecutors should consider when determining the effectiveness of an antitrust compliance program: (1) the design and comprehensiveness of the program; (2) the culture of compliance within the company; (3) responsibility for, and resources dedicated to, antitrust compliance; (4) antitrust risk assessment techniques; (5) compliance training and communication to employees; (6) monitoring and auditing techniques, including continued review, evaluation, and revision of the antitrust compliance program; (7) reporting mechanisms; (8) compliance incentives and discipline; and (9) remediation methods.

The Guidance recognizes that one size does not fit all for compliance programs – e.g., the size of a company and the corresponding effect on resources allocated to antitrust compliance are recognized as factors to be considered.

The questions and considerations underlying each of these factors are indeed numerous and – in our view – well thought out. Some examples include:

  • Design and Comprehensiveness.  When was the company’s antitrust compliance program first implemented? How often is it updated? Is it periodically reviewed and does it seek feedback from employees? Are compliance materials updated with recent developments and periodically refreshed so they do not become stale?
  • Culture of Compliance.  What is the company’s senior leadership doing to convey the importance of antitrust compliance to company employees? How have senior leaders, through their words and actions, encouraged (or discouraged) antitrust compliance? What concrete actions have they taken to demonstrate leadership in the company’s antitrust compliance or remediation efforts, if relevant?
  • Responsibility for the Compliance Program.  Who has overall responsibility for the antitrust compliance program? Is there a chief compliance officer or executive within the company responsible for antitrust compliance? If so, to whom does the individual report, e.g., the Board of Directors, audit committee, or other governing body? How often does the compliance officer or executive meet with the Board, audit committee, or other governing body? How does the company ensure the independence of its compliance personnel?
  • Risk Assessment.  Is the company’s antitrust compliance program tailored to the company’s various industries/business lines and consistent with industry best practice? Does the compliance program provide specialized antitrust compliance training for human resources personnel and executives responsible for overseeing recruitment and hiring? What efforts has the company made to implement antitrust-related policies and procedures that reflect and address the antitrust risks it faces, including legal and technical changes in the way the company conducts business? For example, as employees utilize new methods of electronic communication, what is the company doing to evaluate and manage the antitrust risk associated with these new forms of communication?
  • Training and Communication.  How has the company communicated its antitrust policies and procedures to all employees? Did the company introduce antitrust policies in a way that promotes and ensures employees’ understanding? In what specific ways are antitrust compliance policies and procedures reinforced through the company’s internal controls?
  • Periodic Review, Monitoring and Auditing.  What monitoring or auditing mechanisms does the company have in place to detect antitrust violations? For example, are there routine or unannounced audits (e.g., a periodic review of documents/communications from specific employees; performance evaluations and employee self-assessments for specific employees; interviews of specific employees)? Does the company use any type of screen, communications monitoring tool, or statistical testing designed to identify potential antitrust violations?
  • Reporting.  Do supervisors or employees who become aware of a potential antitrust violation have a duty to report it to those with responsibility for compliance? What disciplinary measures does the company have for those who fail to report such conduct?
  • Incentives and Discipline.  Has the company considered the implications on antitrust compliance of its incentives, compensation structure, and rewards? Does the company incentivize antitrust compliance? Have there been specific examples of actions taken (e.g., promotions or awards denied, or bonuses clawed back) because of compliance considerations? Who determines the compensation, including bonuses, as well as discipline and promotion of compliance personnel?
  • Remediation and Role of the Compliance Program in the Discovery of the Violation.  Has the company revised its antitrust compliance program as a result of the antitrust violation and lessons learned? How did the company address, and determine how to address, failures in the compliance program? Was outside counsel or an advisor involved?

We wish to emphasize that this is a sampling of the evaluation criteria – and there are many more questions and considerations in the document itself.

The publication of the Guidance represents an important development in the history of the compliance and ethics field. But whether it is a positive development for any given company will depend on how that company can respond to the thoughtful and demanding questions the document poses.

Conducting Program Assessments Using the Department of Justice’s New Evaluation Standards

The modern era of corporate compliance began on November 1, 1991, when the Federal Sentencing Guidelines for Organizations (the “FSGO”) – the first set of general standards for assessing the efficacy of what were then called “program[s] to prevent and detect violations of law” – went into effect. Since then, the Department of Justice (the “DOJ”) and other governmental bodies in the US and elsewhere have built upon the FSGO approach to compliance and ethics (“C&E”) program evaluation criteria.
The latest chapter in this story unfolded on April 30, 2019, when Assistant Attorney General Brian Benczkowski announced the publication of an updated and expanded version of the Evaluation of Corporate Compliance Programs (“the 2019 Guidance”), superseding an evaluation criteria document published in 2017 by the DOJ. The 2019 Guidance does not revise the DOJ’s particular criteria for evaluating C&E program efficacy in any material way. But overall it is more comprehensive than anything of its kind that has come before.
In this post we provide a brief overview of the 2019 Guidance and initial thoughts on what the document means for program assessment.

The 2019 Guidance

The 2019 Guidance is structured around three “fundamental questions”:
• “Is the Corporation’s Compliance Program Well Designed?”
• “Is the Corporation’s Compliance Program Being Implemented Effectively?”
• “Does the Corporation’s Compliance Program Work in Practice?”
For each of these fundamental questions, prosecutors are provided with various topics and questions. For the design question, these topics and questions concern C&E risk assessment, policies and procedures, training and communications, confidential reporting structure and investigation process, third-party management and mergers and acquisitions. For the implementation question, they concern commitment by senior and middle management (including conduct at the top), program autonomy and resources, and incentives and disciplinary measures. For the third fundamental question the topics and questions concern continuous improvement, periodic testing and review, investigation of misconduct, and analysis and remediation of any underlying misconduct.
The various topics and questions are – in our view – quite good, and some can be considered state of the art in the C&E field. There are far too many of these to cover in this post, and C&E professionals should of course read the original. But to give a flavor of the document, we note the following from the risk assessment section, which states, among other things: “Prosecutors may credit the quality and effectiveness of a risk-based compliance program that devotes appropriate attention and resources to high-risk transactions, even if it fails to prevent an infraction in a low-risk area.” This is an important point, as it should provide an extra incentive for conducting robust risk assessments to those companies that have felt that conducting risk assessments is often a feckless exercise given that it is impossible to identify all conceivable risks. This section also charges prosecutors with asking: “What methodology has the company used to identify, analyze, and address the particular risks it faces?” We think this is important because too few companies consider whether their methodologies are in fact “fit for purpose.” Finally, this section also has well-thought-out topics and questions regarding risk-tailored resource allocations and updates and revisions to the program.

Assessments under the 2019 Guidance

Given the considerable thought and effort that the DOJ put into drafting this document, a company (at least one doing business in the US) would be hard-pressed to ignore it in designing, enhancing or assessing a C&E program. Indeed, in a speech given the day the 2019 Guidance was published, Mr. Benczkowski noted that the document was drafted not only for use by prosecutors but also by companies.
Of course, there are other models of program evaluation criteria available, some of which are quite good. But in an investigation, it is the 2019 Guidance that will frame the discussion with DOJ, and this should be considered when deciding on an assessment methodology.

Using behavioral ethics in compliance program assessments

Behavioral economics is a school of social science that teaches that we are not as rational as we think. The application of that learning to the realm of ethics is sometimes called “behavioral ethics,” which is a social science that teaches that we are not as ethical as we think we are. Compliance program assessments can provide a valuable opportunity to introduce the use of behavioral ethics ideas and information into corporate compliance programs. (Note: more information about the behavioral ethics experiments that form the basis for this post can be found in our sister blog – the Conflict of Interest Blog).
Broadly speaking, there are two dimensions to behavioral ethics and compliance: the general and the specific.
By the former we mean using the learning that we are not as ethical as we think to promote the understanding in a company of the need for stronger E&C generally. In our view, this is for many companies potentially the most powerful application of behavioral ethics to the realm of compliance. If properly appreciated, this learning should be valuable in ensuring that boards of directors, senior managers and other key decision makers devote more time, attention and resources to compliance than they otherwise would. Indeed, the lesson that we are not as ethical as we think we are is one that is worth teaching to everyone in a company – as it should help all employees appreciate the need for strong E&C.
The specific application of behavioral ethics to corporate compliance involves using different aspects of this learning to enhance discrete program elements. To take the example of risk assessment, various behaviorist experiments suggest that the following be taken into account when assessing risk:
• Time pressure
• “Slippery slopes”
• “Conformity bias”
• Good intentions
• “Distant victims”
• Being in a job that involves a significant amount of dealing with money.
Or, to take the example of training, one could use the results of certain behavioral ethics experiments to deploy a just-in-time/point-of-risk communication strategy. And to help encourage employees with the often-difficult decision of whether to report a suspected act of wrongdoing, behavioral ethics suggests appealing to a sense of “larger loyalty.”
We should emphasize that many (although by no means all) of the insights of behavioral ethics have long been known anecdotally to E&C professionals. But what behavioral ethics brings to the table is data to prove these things – an increasingly valued commodity in the business world. A behavioral ethics approach can help organizations more efficiently and more effectively deploy scarce E&C resources, which is an important reason to include a behavioral ethics dimension in an E&C program assessment.

Culture assessment – the why and the how

Research conducted over the past twenty years has provided an evidentiary basis for what has – for just as long – been accepted wisdom in the E&C community: that an ethical organizational culture is even more effective than a strong E&C program at preventing and detecting misconduct.[1] Research has also shown that a strong E&C program is correlated to a strong culture, and that leadership support – the tone at the top – is one of the most important drivers of an ethical corporate culture.[2] Thus, when seeking to assess the efficacy of an organization’s E&C program, one should also seek to assess the organization’s ethical culture, which includes understanding the tone at the top.
The Sentencing Guidelines indeed recognize the importance of an ethical culture by providing, in relevant part, that “to have an effective compliance and ethics program…an organization shall…promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.” Similarly, the FCPA Resource Guide states, in relevant part:
…compliance begins with the board of directors and senior executives setting the proper tone for the rest of the company. Managers and employees take their cues from these corporate leaders. Thus, DOJ and SEC consider the commitment of corporate leaders to a ‘culture of compliance’ and look to see if this high-level commitment is also reinforced and implemented by middle managers and all employees at all levels of a business. …
A strong ethical culture directly supports a strong compliance program. By adhering to ethical standards, senior managers will inspire middle managers to reinforce those standards. Compliant managers, in turn, will encourage employees to strive to attain those standards throughout the organizational structure.
In short, “tone at the top” plays a crucial role in establishing and maintaining an organization’s culture.
Finally, one cannot meaningfully assess a company’s compliance program without understanding broader cultural issues the company faces – some of which can pose particular challenges to promoting E&C and others of which can provide tailwinds for such an effort. This is another reason that – at least as a general matter – program assessments should generally include a cultural component.

Turning from the why to the how, the notion of ethical culture is quite broad, and there is no one right way for assessments of this sort to be conducted. But hopefully the following will be helpful to companies seeking to undertake a cultural assessment.

First, with respect to tone at the top, one might explore the following:
– what senior managers say to underscore their expectation that employees will act lawfully and ethically;
– the related but distinct question about what senior managers do to underscore the expectation that employees will follow all dictates of the organization’s C&E program, such as those concerning taking training or conducting vendor due diligence;
– whether senior managers’ own conduct undermines their C&E messaging; and
– similar questions regarding various levels of management besides those at the very top, such as functional or business unit leadership or those further down the organizational ladder. (One best practice to consider: having those at or near the top engaged in a visible way in reminding delinquents of the need to take mandatory C&E training.)
Beyond tone at the top, another essential area for assessment concerns an organization’s “speak-up” culture. It is important in this sort of inquiry not only to assess the environment regarding true C&E matters but also the speak-up culture as it relates to other types of workplace concerns and questions, as reticence to speak up in one area may affect (or reflect) reticence in others. Relevant to a company’s speak-up culture is its degree of “organizational justice,” and the extent to which wrongdoing is responded to in a fair and sufficiently rigorous way.
A third and somewhat less obvious aspect of culture assessment concerns rule following, and the extent to which it is genuinely expected in an organization. Here too it may be helpful to think beyond core compliance program rules to those concerning other aspects of a company’s business, such as some of the various other rules covered by a delegation of authority policy. Note that for the ethics component of an assessment, a strong rule-following culture may be less than ideal. But from a pure compliance perspective, it is hard to beat a deep embrace of rules.
A fourth and also less obvious area for assessment concerns industry culture. While not true of all or even most companies, in some industries, the industry culture may be more of a source of risk than the organizational culture. This is particularly true of industries with a significant degree of inter-company mobility.
Fifth, as is obvious from many cases over the years of non-compliance – most recently the high-profile Wells Fargo scandal – a key aspect of culture is the extent to which pressure/incentives make it difficult for employees to do their jobs in an ethical and law-abiding way. Indeed, this may be the most important cultural attribute of all – and should be explored fully in any assessment, with aspects of this inquiry including both economic “carrots” and “sticks,” as well as non-economic incentives.
Finally, we should reiterate that this piece is not intended to be a comprehensive overview of all areas to cover in culture assessments, which is a complex and hugely important topic. Indeed, we anticipate publishing more on this topic – including posts by guest bloggers. But hopefully it will be helpful to some of those designing assessments.
[1] See, e.g., Linda Trevino, “Managing Ethics and Legal Compliance: What Works and What Hurts,” California Management Review, January 1, 1999; Ethics Resource Center, National Business Ethics Survey, 2011; Corporate Executive Board, “Ethical Leadership: The Important Links Between Culture, Risk Management, and Business Performance,” (September 13, 2011).
[2] David M. Mayer, Karl Aquino, Rebecca L. Greenbaum and Maribeth Kuenzi, “Who Displays Ethical Leadership, and Why Does It Matter? An Examination of Antecedents and Consequences of Ethical Leadership,” Academy of Management Journal, Vol. 55, No. 1 (July 9, 2013).

Legal Guidance related to Program Assessment

Legal guidance in the area of C&E program assessments accords with professional wisdom in this area, emphasizing the importance of periodic assessments to an effective program. In this post, we review a few of the relevant legal standards from U.S. authorities. In later posts, we will take a look at assessment guidance from other countries and non-governmental organizations.
Sentencing Guidelines
The Sentencing Guidelines for Organizations, which contain the most influential set of standards for effective compliance and ethics programs, provide that an organization should periodically evaluate the effectiveness of its program. The Guidelines also provide that, after criminal conduct is detected, an organization should take reasonable steps to prevent further similar criminal conduct, including through assessing and making necessary modifications to the program.
Department of Justice
In February of 2017, the Fraud Section of the Department of Justice published a document on its web site titled “Evaluation of Corporate Compliance Programs,” which lists a number of questions that the Fraud Section “may ask” in determining the effectiveness of a compliance program. That document discusses the importance of review and audit of an organization’s compliance program, including “testing of relevant controls, collection and analysis of compliance data, and interviews of employees and third-parties.” (Available at
The Department of Justice and Securities and Exchange Commission, in their Resource Guide to the Foreign Corrupt Practices Act (published in November 2012), issued detailed guidance on the importance of program assessment. In the Resource Guide, the DOJ and SEC instruct that compliance programs “should constantly evolve” and that those programs that do not just exist on paper but are followed in practice inevitably uncover weaknesses and require enhancements. It is therefore important to the DOJ and SEC that companies “regularly review and improve their compliance programs and not allow them to become stale.” (Available at
The Resource Guide goes on to provide that organizations should take the time to review and test controls and to think critically about potential weaknesses, and also provides some instruction on how to go about doing so. “For example, some companies have undertaken employee surveys to measure their compliance culture and strength of internal controls,” and other companies “periodically test their internal controls with targeted audits.” Regardless of the form of review, DOJ and SEC have promised to “give meaningful credit to thoughtful efforts to create a sustainable compliance program.” They have also stated that “proactive evaluations” can lower the fine that an organization might otherwise be subject to if a violation occurs.
Other Guidance
Other U.S. government agency standards similarly emphasize the importance of program assessment. For example, the Securities and Exchange Commission’s final rules requiring investment companies and investment advisors to implement compliance programs require such entities to review the adequacy of the compliance policies and procedures and the effectiveness of their implementation on at least an annual basis. (17 CFR 270.38a-1(a)(3).) Similarly, the Office of Inspector General of the Department of Health and Human Services, in its compliance program guidance for various healthcare organizations, typically includes the requirement of regular (typically at least annual) review of a compliance program. (See The importance of program assessment has also been highlighted in Federal Energy Regulatory Commission compliance program guidance, which provides that, in determining program effectiveness, regulators should consider the frequency with which an organization reviews and modifies its compliance program. (

Assessments and Confidentiality

A threshold issue which often arises in conducting C&E program assessments is to what extent the process and report should be treated as confidential. There are two components to this question: the first concerns the use of the company’s attorney-client privilege, and the second concerns providing assurance to interviewees that – absent exigent circumstances – their comments will not be shared even with others within the company, a form of protection that goes beyond that offered by the privilege.

As to the first question, there is clearly a benefit to conducting a privileged assessment, given the litigation/enforcement risks posed by the type of self-critical information that an assessment often generates. When employees fear that comments made in assessment interviews might be used by their companies’ adversaries, they are presumably less likely to be candid in providing important information about the C&E program. That, in turn, can lead to a less meaningful assessment.

However, the mere involvement of attorneys in an assessment will not, by itself, establish the privilege. Rather, to have a privileged assessment, the process must in fact involve a lawyer providing legal advice to the client company. In that connection, one should document from the outset that the purpose of the assessment is to review the extent to which the company’s program a) meets pertinent legal expectations and b) otherwise helps reduce legal risks (the way a best practices program can). Of course, advice along these lines must actually be provided in connection with the assessment.

Additionally, to maintain the privilege one must a) instruct employees to keep the contents of their assessment interviews confidential; and b) after the assessment is complete, keep the assessment report confidential (although the specifics of this – e.g., how much internal disclosure is permissible without risking waiver – will be a function of applicable state law, at least in the U.S.).

Thus, a company may be limited in the extent to which it can share a favorable review of its program. Any assessment conducted with an eye toward publicizing the results of the effort should presumably not be conducted under the privilege.

We have also seen substantial benefits in providing assurances to interviewees that – absent exigent circumstances (which would likely include a government investigation) – their comments will not be shared even with others at the company. Particularly when seeking information about sensitive matters – e.g., whether the CEO and other senior leaders really “walk the talk,” discipline is sufficient for violations, and the company does a good job assessing and responding to risks – assurances of this sort may be essential to obtaining accurate information.

Finally, documentation of the assessment should anticipate disclosure – whether inadvertent or through a waiver of privilege (for instance, in a government investigation). Thus, one should attempt to be highly confident of factual findings and recommendations before finalizing a report – including, at least in most situations, reviewing these in draft with key client personnel to assure accuracy of not only the reported facts but also the underlying assumptions in the report.

Certification as a form of program evaluation

By Joe Murphy, CCEP

A newly evolving approach to program evaluation is certification, particularly to meet an ISO standard. Most notably, ISO 37001 provides for certification of anti-corruption compliance programs. There is a great deal of controversy about this certification. Here I will touch on some of the questions that arise.

First there is the question of what standard is being used. ISO 37001 sets out one global standard for anti-bribery compliance programs, and this is the one that is subject to certification. It may also incorporate other relevant standards (e.g., if specific compliance program elements are required by applicable law, they would also have to be met to obtain ISO certification), but that would have to be determined in the certification process.

A second question is how an evaluation would be done. Does the review just look at the program’s design, or does it look at whether it is fully implemented? Most difficult is to determine how well it is actually operating – does the program actually have an effect? A company considering certification would have to look at this carefully, considering the language of ISO 37001, and what is supposed to be the scope of the review. There is also a question of what parts of larger companies are actually covered in a review and certification. The fact that a global company claims that it has ISO 37001 certification does not necessarily indicate which parts of the company were subject to this certification and which parts have not yet been reviewed.

A third question is who conducts the review. This could be a murky area. ISO has a process for designating what entities are qualified to conduct a review, but this is determined by ISO bodies in a broad list of countries; will all those qualified in these different countries operate at the same level of diligence? Moreover, there remains a question whether a company claiming it meets the ISO 37001 standards was actually reviewed by an entity that met the ISO qualification requirements. Could any entity conduct a verification review, even if not officially qualified? Again, companies will need to be careful in this area.

What happens after certification? Are companies now free to focus elsewhere, being done with their work on the compliance program? Will certification discourage innovation and further work? According to ISO’s rules, certification is good for 3 years, and each year there must be ongoing review. Companies can lose their certification if they aren’t walking the walk, and the ISO standard mandates continuous improvement and documented evidence of program needs evaluation to keep certification. But once a company has its certification, will it then nevertheless be difficult to convince management to do anything new or innovative? After all, once you pass the exam why keep studying and learning?

Given the uncertainties, why would a company pursue certification? There may be an element of prestige in this, being able to claim that one’s program is certified. There may be a hope that regulators and enforcement personnel will view certification as a positive step, indicating that the company’s management really does want to do the right thing. ISO makes no claim that certification renders a company bulletproof, but there remains the potential that certification will be considered by enforcers and courts.

But the most likely push will come from the marketplace. At least in the anti-corruption area, dealings with third parties create the highest compliance risks. It is typically necessary to conduct due diligence on third parties to ensure they are legitimate. How much better would it be if there were a system that made at least part of this determination for companies? Again, ISO does not claim that certification of one’s compliance program ensures compliance. But for a major company trying to ensure its supply chain does not get it into trouble, requiring ISO certification by its agents and other third parties may be a strong plus.

Thus the most likely impetus will be the marketplace. Companies will have an incentive to require certification of their agents and suppliers. Governments, too, may add this as a requirement for their procurement processes.

Will this work? Will it help fight bribery, or will it instead discourage innovation? Will it make dealing with third parties easier for companies, or will it mislead them? Will the certification process result in genuine program assessments, or will it be just a surface step?

This is a development well worth watching. But in any case, certification or not, companies need to keep evaluating their own programs and ensuring they meet the applicable standards. Most importantly, companies need to keep evaluating whether their compliance and ethics programs actually work.

For 40 years, Joe Murphy, CCEP, has been a tireless champion of compliance and ethics in organizations and has done compliance work on six continents. Joe has published over 100 articles and given over 200 presentations in 19 countries. Joe is author of 501 Ideas for Your Compliance & Ethics Program and A Compliance & Ethics Program on a Dollar a Day. He is a Certified Compliance & Ethics Professional and editor of the SCCE magazine, Compliance & Ethics Professional. Joe was named one of The National Law Journal’s 50 Governance, Risk and Compliance Trailblazers and Pioneers 2014 and was a recipient of the SCCE Compliance and Ethics Award. He can be reached at .