CSLG - Compliance Systems Legal Group. CSLG provides corporate compliance and practical business ethics services and products to a wide variety of organizations.

"[T]he Department recognizes that no compliance program can ever prevent all criminal activity .…The fundamental questions any prosecutor should ask are: 'Is the corporation's compliance program well designed?' and 'Does the corporation's compliance program work?'"

- U.S. Department of Justice, Federal Prosecution of Corporations (1999)

 


CSLG's Compliance Analyst - Issue 4 - November 2005

Evaluating your compliance program: FAQs

Companies around the world are asking whether their compliance and ethics programs are working, and whether they meet the government's standards. CSLG has had extensive experience in this area. In addition to our lawyers' years of in-house work, we have examined programs in a broad range of companies, ranging from one-location reviews to global deep dives. We have also conducted reviews on behalf of the government. Here are some pointers to consider in having your program evaluated.

1. Why do I need to have my program evaluated?

Any time a company spends resources you can expect someone to ask whether they are getting results for the effort. Now the Sentencing Guidelines have built this into the legal standards for programs. Under item 5, organizations "shall take reasonable steps - (B) to evaluate periodically the effectiveness of the... compliance and ethics program..." In adding this in 2004 the Sentencing Commission recognized that evaluation had become the expected practice for these programs. Boards have also been charged with oversight responsibility under the Guidelines, and should expect management to assess the program's effectiveness. An evaluation is not only a core requirement of the Guidelines, but conducting such reviews will help your company avoid legal violations that can occur when a program is deficient. More and more, governments are making these programs mandatory, as is evident from Sarbanes-Oxley, as well as state and foreign legislation. An evaluation may also be the only way to avoid being unpleasantly surprised in a government review. And, on the plus side, a review by an experienced team can provide you with new ideas to invigorate your program.

2. Do we need this if we are not a publicly traded company?

Unlike Sarbanes-Oxley, which applies only to listed companies, the need for program evaluations applies to all organizations under the Sentencing Guidelines.

3. What if our program is still in the starting or build-up stages - is a review premature?

Any element of a program, at any stage, can benefit from an outside set of eyes. An evaluation can be especially valuable for new programs to be sure you are going in the right direction. And a review at this stage can also be simpler and done more quickly.

4. What if our company has a long-term, leading program? Do we really need a review?

Yes, several companies with long-term program histories have asked us to conduct a review. In fact, it may be the most important type of review. Sustaining an ethics and compliance program at a high level over an extended period of time is difficult. A program evaluation can often identify places where complacency or inattention has created "gaps" or other deficiencies. A program review can often create the impetus to make mid-course corrections that might not otherwise occur. Moreover, the field of compliance and ethics has become very dynamic and there are many new, exciting ideas developing in the field. An experienced review team that is keeping up with global developments in this field can give you effective ways to re-energize your program.

5. Can we just do this ourselves?

Yes, program self-assessments are a good idea; compliance people should challenge their own programs. But self-assessments are not the same as evaluations. An evaluation should provide: a) fresh approaches, seeing things through different eyes; and b) the credibility of an independent outsider. An outside firm that has assessed other companies' programs will also be able to provide meaningful guidance on what is expected under the Guidelines' "industry practice" standard. Moreover, in today's post-Enron world it will not be acceptable to have any function exclusively responsible for measuring its own results. You can, however, quite effectively combine the benefits of both internal and external reviews by having the outside reviewer attest to the validity of your own internal reviews.

6. What should be reviewed in an evaluation?

The easiest answer to this question is "anything the government would want to see." Of course, you want to review the overall program to see if it meets the Sentencing Guidelines and other standards. Another important element, but one that is sometimes overlooked, is your coverage of the specific risk areas (risk areas, such as antitrust, FCPA, privacy, will often have their own variations on the standards for compliance steps). You also need to cover all the business operations that can get you in trouble - your headquarters groups, plus all of your business entities around the world. Of course, you have to be realistic about the scope, and large organizations should not expect to conduct a wall-to-wall review. An experienced review team can select, based on the assessment of your risks, a defensible sample of locations and parts of the business to include in the review. The evaluation will include the selected sites, and an appropriate list of people and records.

7. How is this different from an audit?

Audits are an essential element of a program, but they are not the full answer; the Sentencing Guidelines, item 5, specifically require both. Audits check specific elements; an evaluation goes deeper to examine the overall program including all its elements. Depending on the type of evaluation being done, an evaluation may determine how things are working. It is broader, looking at all aspects of the program. It will include audit tools, but is not limited to traditional audit methods. For example, an evaluation that goes beyond a design review will typically include some use of focus groups. A full review of the program is really a deep dive, not a checklist exercise. See Murphy, "The Measurement Challenge (Part I): Introducing the Deep Dive," 17 ethikos 7 (May/June 2004); "The Measurement Challenge (Part II): Implementing the 'Deep Dive,'" 18 ethikos 11 (July/Aug 2004); "The Measurement Challenge (Part III): Results from the 'Deep Dive,'" 18 ethikos 11 (Sept/Oct 2004).

8. Should the review be privileged?

It is important to have this option in case you are exposed to litigation or government investigations. Each company should make this determination on a case-by-case basis; having lawyers conduct the review gives you that option. Even if you ultimately expect to waive privilege, it is better to be the ones who make that decision, rather than having it made for you because you did not lay the groundwork initially.

9. Is there just one type of program evaluation?

No. You can work with the review team to customize what you want. There are basically three types of reviews: a) a desk or design review, in which the team interviews a limited number of personnel (those most directly responsible for the program) and conducts reviews of records to see if the program, as designed, addresses the USSG's elements; b) an implementation review, in which the team looks to see if you are doing all the things spelled out in the design; and c) an effectiveness review, to see if the program is actually working. You can mix and match these elements to suit your needs. For example, you might want to determine if the helpline is actually working and trusted by employees, but only seek a design review on your risk assessment process. A second key choice is the standard you wish to apply. These fall into three general categories: a) meeting the legal minimum; b) industry practice - being at least as good as others; and c) best practice - being a leader in your compliance and ethics program. You can take as active a role as you want in determining the type of review, or simply follow the recommendation of the review team based on their analysis of your program and compliance risks.

10. How long does an evaluation take?

You control this, as well as the expense, by the type of review you request. A simple desk audit looking to meet the legal minimum standards can be done very quickly. But a global deep dive for a large multinational seeking a best practice level of achievement will be an extensive undertaking. You can select anything in that range.

11. What is the product we should expect from an evaluation?

The type of report is up to you; you determine this with the reviewer. It can be simple and oral, or extensively detailed including specific phases for implementing the recommendations. As a threshold matter, you determine much of this by the type of review you request. You should expect very specific findings and practical advice, including ways to improve your program that are steps you can actually afford to do. An experienced review team can provide you the needed tools and materials as part of the report.

12. Will this matter to the government?

We have done reviews of programs for the government, and we can tell you the fact that you have done this shows a serious, good faith commitment. The government is intent on assuring that companies are not just "checking the boxes" and claiming that a "paper program" is an effective program. Periodic reviews can help demonstrate commitment to assuring program effectiveness. Even more important, the enhancements that will come from the review will enable you to make a convincing presentation to the government if that day ever comes. In most companies, managers do not like surprises (especially those coming from the government). If you ask the important questions about your program before the government does, both the government and your own management will see the difference, and it will matter.

Compliance Analyst provides brief summaries and suggestions for further consideration. For questions or assistance, please contact any of our lawyers.

Maggie Bavuso    (718) 894-3728    mbavuso@cslg.com

Bill Prachar    (310) 459-3988    bprachar@cslg.com

Joe Murphy    (856) 429-5355    jemurphy@cslg.com

Win Swenson    (301) 270-3555    wswenson@cslg.com

 


©2005-2007 Compliance Systems Legal Group     All Rights Reserved      Design by Raphael Webscapes, LLC