One of the major criticisms of many contemporary corporate compliance programs is the lack of consistent, objective evidence that such programs actually work in practice. Far too often, meaningless statistics are reported quarterly or annually to an organization’s governing board that lack any context whatsoever. These include, but are not limited to, the number of hotline reports received, typically categorized in an ad hoc fashion, supplemented by barebones information involving substantiated reports that shed little—if any—light on the effectiveness of an organization’s deterrence and detection efforts.
True measurement of compliance program effectiveness is the product of
- Periodic audits to assess the alignment of employee conduct with the organization’s policies, procedures and practices in high-risk areas;
- Testing of the internal controls designed to detect and/or deter legal and regulatory violations; and
- Remediation, where necessary, of an organization’s program when deficiencies or gaps are identified. Each of these elements is mentioned in the context of the DOJ’s now famous “[Guidelines for the] Evaluation of Corporate Compliance Programs” (“DOJ Guidelines”), which have become the Bible of general compliance practice and are referred to throughout this blog post as to the cipher to unlocking the mystery of what true compliance program effectiveness resembles.
The Challenges of Measuring Compliance Program Effectiveness
Measuring compliance program effectiveness can be a challenge for even the most experienced compliance professionals. This is largely attributable to the imprecision of most compliance reports in comparison to other valuable information about a company’s performance that can be accurately forecasted or reduced to pure mathematics for the convenience of key decision-makers. Complicating matters further is that there is no single metric by which a compliance program can be deemed truly effective—and a lack of consensus in the compliance community itself about what constitutes success for an organization’s compliance function. Like a balance sheet, even a single audit of an organization’s highest compliance risks—along with testing of internal controls—offers only a brief snapshot into the organization’s overall compliance posture. As a consequence, true compliance program effectiveness is demonstrated over time, measured by the ability of the program to adapt as circumstances evolve and regulations change. Under this framework, a compliance program is effective to the extent that:
- The organization is proactively engaged in risk assessment activities;
- Periodic audits are performed internally—and validated externally;
- Internal controls designed to mitigate the potential for violations of the law are regularly and consistently tested; and
- The organization responds to compliance failures with appropriate gap/root cause analyses and serious remediation efforts. A program that lacks any one of these four critical attributes is candidly ineffective and insufficient to meet regulator expectations.
Overcoming Obstacles to Measuring Compliance Program Effectiveness
As the comprehensive framework delineated above demonstrates, measuring compliance program effectiveness begins with a commitment on the part of the organization to engage in the risk assessment process on a continuous basis. Risk assessments are not a static activity but rather dynamic processes that constantly seek to identify, prioritize and re-prioritize an organization’s major risk factors. Risk assessments are roadmaps that provide an organization with valuable insight into an organization’s major activities and the risks posed by those activities from a legal and regulatory perspective. An outdated risk assessment can lead to the misallocation of an organization’s scarce resources—and valuable time and attention—to risks that may be immaterial to the organization. It is crucial, therefore, that organizations periodically ‘refresh’ their risk assessments at least annually or more frequently when major changes impacting the business overall occur. These changes include, but are not limited to, merger and acquisition activity; expansion into new markets and territories; and changes to an organization’s overall risk tolerance. In each of these circumstances, organizations are strongly advised to revisit the risk assessment process with a view towards determining whether the previous assessment remains relevant or if novel risk factors previously unaccounted for must now be ranked and addressed.
Second, the organization must commit itself to conducting periodic compliance audits—both internally and externally—that assess whether an organization’s risk mitigation procedures are:
- Widely and intimately known; and
- Faithfully followed.
Frequently, the internal audit function of larger organizations may be responsible for this task. In smaller organizations, however, such routine audit activities can be conducted by anyone with keen insight into the organization’s activities and knowledge of the regulatory environment in which it operates. Truly credible audits generate actionable results. If a company operating in the defense sector concludes, for example, that its marking procedures for export-controlled material are too complicated or inconsistently followed, then action must be taken in conjunction with senior leadership to simplify those procedures. The mere generation of an audit report—without diligent follow-up—is foolhardy and likely to lead to an infraction of the law for which no leniency will be afforded by the organization’s regulators.
In conjunction with periodic compliance audits of an organization’s key policies and procedures respecting major risk factors, testing of an organization’s internal controls is likely to reveal valuable information about the effectiveness of its compliance program. This is especially true when an organization uncovers potential misconduct by its employees. For instance, if an organization discovers during a routine audit that suspicious payments may have been made to intermediaries in foreign countries known to pose a high corruption risk without sufficient justification, the organization should evaluate whether its current anti-bribery controls—including segregation of duties, tiered financial thresholds for payment approvals, the maintenance of accurate books and records, and a ban on cash payments—generally operate according to their intended purposes. If analysis of control testing reveals a deficiency in any one of these key areas, then the organization must work with senior leadership to devise more effective controls that will mitigate—although never fully eliminate—the possibility that such conduct will occur again in the future.
Finally, the organization should engage in serious remediation efforts where either a gap analysis as a result of a risk assessment or root cause analysis as a result of a violation reveal weaknesses in its compliance program. Remediation efforts should be targeted to the problem identified and meticulously documented to ensure that, should regulatory scrutiny follow, the organization is well prepared to provide the authorities with ample evidence that it takes its compliance obligations seriously. As the DOJ Guidelines emphasize, a key determinant in assessing whether an organization that does violate the law qualifies for some form of leniency in prosecution is dependent on its commitment to “review and adapt its compliance program based upon lessons learned from its own misconduct and/or that of other companies facing similar risks.” Appropriate discipline in response to misconduct is also a significant feature of the remediation prong. Organizations must—without exception—apply internal policies governing appropriate discipline of employees implicated in intentional misconduct across the board. Here, it is important to remember that senior leadership is neither exempt nor immune from the imposition of such discipline. Disparate treatment of an organization’s directors/senior leaders and rank-and-file employees is evidence of a toxic culture that values adherence to the law under some circumstances but excuses flagrant violations of the same law in others. In short, neither title nor stature matter when it comes to imposing discipline for flagrant violations of an organization’s external legal obligations or internal ethical standards.
The Key Takeaway
As increasingly required by both case law and regulation, an organization’s compliance function is required to present frequently to the governing board on the effectiveness of its corporate compliance program holistically. The bottom line is that the mere presentation of statistics—without additional context—is an obfuscation of a compliance officer’s responsibility to present the board with actionable intelligence. As discussed thoroughly in the preceding column, this includes the ability to present the board with details involving critical updates to an organization’s risk assessment; the results of any audits and internal control testing (and associated gap and root cause analyses); and the status of remediation efforts, if any, in response to misconduct detected by the organization. In an age where the compliance function of an organization is increasingly competing with other operational units for board time and attention, it is critical to emphasize—and re-emphasize as necessary—that board oversight is part and parcel of its overall fiduciary duty to ensure that corporate information and reporting systems both exist and function according to their intended purposes. As increasingly recognized by courts nationwide, board neglect of its compliance program responsibilities can lead to derivative litigation, regulatory action, and even individual liability of board members for improper oversight.