The document summarizes a webinar on assessing compliance programs. It discusses why organizations conduct periodic assessments of their compliance programs, including regulator expectations, stakeholder expectations, and identifying risks and gaps. It also covers preparing for an assessment, including establishing goals and scope, collecting data through document reviews, surveys, interviews and focus groups. Finally, it discusses analyzing the data, reporting findings and recommendations, and generating an action plan to address recommendations. The overall purpose is to evaluate program effectiveness and identify areas for improvement.
1. How Are We Doing? Why We Assess
Compliance Programs and Strategies for
Assessment
SCCE Webinar
June 13, 2016
Pete Rock, Deputy Chief Compliance Officer
Knights of Columbus
Eric Morehead, Principal Consultant
Morehead Compliance Consulting
2. 1. Why Turn Over the Rocks? Some Benefits and Some Goals for a
Periodic Compliance Program Assessment
2. Measure Twice and Cut Once: Preparing for a Compliance Program
Assessment
3. Sum of Its Parts: What are Different Tools and Approaches
Organizations Can Take for Assessments?
3. SOURCES FOR DATA
> Compliance and Ethics Program Environment Report, SCCE and NYSE
Governance Services (CEPE 2014)
http://m1.corpedia.com/resource_database/CEPEReport.pdf
> 2013 Association of Corporate Counsel / Corpedia Benchmarking Survey
on Compliance Programs and Risk Assessments (ACC 2013)
4. Why Turn Over the Rocks? Some Benefits and Some Goals for
Periodic Program Assessment
5. Why Assess?
• Regulator Expectations
• Federal Sentencing Guidelines §8B2.1(b)(5)(B)
• “[E]valuate periodically the effectiveness of the organization’s compliance and ethics
program”
• Started appearing in NPAs and DPAs in the 2000s
• Encouraged risk-based mapping and review of Program
• Builds off of language in the Organizational Sentencing Guidelines
• Spelled out in the FCPA Guidance in November 2012
• “DOJ and SEC will evaluate whether companies regularly review and improve their
compliance programs and not allow them to become stale.”
6. Why Assess?
Consequences are Large and Unpredictable
From: Brandon L. Garrett, Too Big To Jail: How Prosecutors Compromise with
Corporations (Harvard U. Press 2014).
7. Why Assess?
• Stakeholder Expectations
• Shareholders, including Institutional Investors
• Board of Directors
• Prevention and mitigation of risk
• An assessment can identify risks and suggest steps to prevent violations
• Identify gaps in training, policies, procedures, controls
• An assessment can identify gaps that require attention
8. Why Assess?
• Budget prioritization
• An assessment can identify areas to allocate resources
• Affirmative defense for organization & oversight personnel
(Remember board members can be held liable for misconduct under
the In re Caremark case.)
• An assessment can provide an affirmative defense for both the organization
& individual oversight personnel in the event of a violation
9. A Little Benchmarking: Who Assesses?
Chart: Do You Conduct a “Formal Assessment of the Overall C&E Function” [CEPE]?
Yes: 83%
No: 17%
8 out of 10 of your peers.
10. Goals and Scoping
• What End Product Do You Want?
• A detailed report with recommendations and action items?
• To set a baseline for future assessments?
• To provide a verbal update to the Board of Directors?
• To answer specific questions?
• Begin with the End in Mind
• What’s the timeline?
• Who is the audience?
• Will this be repeatable and periodic?
11. Goals and Scoping
• Who is in Charge?
• Legal, audit, compliance?
• What resources will they have?
• What are the broad expectations for the result?
• What Operations Will Be Covered?
• Will this review cover subsidiaries, joint ventures, overseas operations,
contractors, etc?
• Will this review cover all aspects of the program (will it be multi-year)?
• How will data be collected?
• Surveys, focus groups, interviews, document and record review
• Scoring and evaluation
• Determine how (and if) there will be scoring and evaluation
• Written report? With recommendations?
12. Goals and Scoping
• Should You Work With a Third Party?
• Pros
• Have already developed methodology and tools
• Has resources, expertise and project management experience
• Access to benchmarking and best practice data
• Independence and ability to leverage independence
• Cons
• Costs – it can sometimes be easier to control costs internally
• Possibly steep learning curve on your operations
• Future repeatability dependent on contract with third party (you won’t own methodology)
• Third parties could face barriers in some organizations
13. Who Conducts The Risk Assessment [CEPE]?
Chart:
Internal: 73%
Third Party: 14%
Other/Combo: 13%
14. Measure Twice and Cut Once:
Preparing for a Compliance Program
Assessment
15. Let’s Get Started!!
• Who is on the team?
• Usual suspects (legal, audit, HR)
• Include “boots on the ground” – operational and international
• Make sure team has resources, authority and profile
• Establish the process plan
• Order of data gathering (including document review, surveys, focus groups,
interviews)
• Discuss possible scoring or reporting models
• Seven hallmarks of the USSG
• ISO 19600
• Custom
• Build a realistic timeline – be generous but have clear goals and milestones
• Complete assessments, including surveys and benchmarking, can easily take six months or
more. Be cautious about expectations.
16. Let’s Get Started!!
• Consider Peer Organizations
• Discuss assessment experiences and processes
• Consider peers for benchmarking
• Including public sources such as Code of Conduct and governance information
• Keep up with SCCE and industry groups
• Establish Buy In (and Anticipation) at the Top
• Regularly update the board
• Consider building interest (particularly for survey components) at operational
meetings and other internal marketing opportunities
• Look at Hotline/Helpline and Reporting Trends to Help Establish Scope
• Look at Prior Survey (Culture or HR Survey) Results to Help Establish
Scope
17. Sum of Its Parts: What are Different
Tools and Approaches To an
Assessment?
18. What Now?
Chart: Common Compliance Program Elements Included in an Assessment [CEPE]
• Code: 79%
• Training: 78%
• Policies: 77%
• Reporting System: 72%
• Investigations: 62%
• Communication: 59%
• Culture of Ethics: 56%
• BOD Oversight: 52%
• KA of Risks: 43%
• 3rd Party: 39%
19. What Now?
• What Documents Do You Gather?
• Review of documentation that memorializes the program, including the code,
written policies and procedures, any prior reviews or audits, reporting system
information, board minutes, survey data, any program charters, training
materials, communication examples
• Access to resources, such as the intranet, LMS, gift reporting systems, etc.
• Collection of data will be from various stakeholders and might be a good
time to conduct interviews or establish questionnaires for stakeholders
to fill out while providing data
• Leave the Door Open – Establish A Process for Follow Up and Additional
Requests
20. Data Evaluation Considerations
• Written Standards
• Clear, consistent, concise and available?
• Are rules and applicability addressed?
• Provides guidance and resources?
• Systematic process for generation, update and review?
• Policy portal or policy management system?
• Other Internal Data
• Reporting statistics, investigations and disclosures
• Internal reporting, BOD minutes
• Training and communication examples
• Online training availability and LMS operation
• Live training process
• IA reports – ERM data
21. Data Evaluation Considerations
• Some External Data Sources
• Analyst and auditor reports
• Litigation research (DPA’s, NPA’s, filings)
• Media coverage
• Corporate reviews, CSR reviews, public reports from NGO’s and others
• Other external stakeholder views
• Data sources like NBES and risk topic specific data (such as data breach and
social media)
• Institutional investor proxies and statements
• Informal sources like SCCE and local ethics roundtables
22. Looking Outside the Organization
• Benchmarking Data Can Be Instrumental To Useful Results
Chart: Does Your Organization Benchmark Your Compliance and Ethics Program [ACC] [CEPE]?
Yes: 59%
No: 41%
Chart: What Data is Collected?
Collect External Documentation: 43%
23. Just One More Question
• Culture Surveys Should Cover
• Resources available
• Do you know where to report? Have you read the Code in the last year?
• Perception of organizational justice (e.g. “Do you feel the company takes
allegations seriously? Do you feel all employees are treated the same?”)
• Perceptions of misconduct
• Perceptions of manager’s ethics
• Perceptions of peer employee’s ethics
• Pressure to commit misconduct
• Perceptions of misconduct
• Who commits it
• Perceptions around reporting for those who have observed misconduct
• Retaliation fears
24. Other Surveys
• Manager Sample Survey
• Awareness of and adherence to specific policies/controls
• Examination of key actual/perceived risks
• Focused, deep-dive on specific targeted issues (e.g. “My organization has an anti-
corruption policy that applies to operations in [country x], true or false?”)
• Broader Employee Sample for a Knowledge Assessment
• Questions should be targeted (i.e. not every participant will receive all questions)
• Questions should be based on baseline risk determinations to identify risk topics
• Topics and questions are often scenario-based (similar to training questions, e.g.
“Which of the following could create a COI or the appearance of a COI?”)
25. Some Considerations for Surveys
• Demographic Breakdown
• Location/Country
• Job Level
• Job Function
• Business Unit
• Tenure
• If Internal Survey
• Identify team
• Identify resources
• Third Party Culture Data for Benchmark
• ECI NBES
• Preparations for Survey
• Early approval of questions
• Platform selection
• Beta testing
• Provision for
• Translations
• Paper surveys
• Survey Communication
• Email templates
• Reminder schedule
26. Survey Use by Peer Organizations
Chart: Does Your Organization Conduct Culture Surveys? [ACC] [CEPE]
Conduct Culture Surveys: 51%
Yes: 23%
Part of RA: 7%
No: 70%
27. Interviews
• Will the assessment team be conducting interviews?
• Language issues? Does team have direct facility to speak with foreign
personnel?
• Should be a consistent “script” or plan tailored with data gathered from
the document review or the surveys (e.g. knowledge survey on anti-
corruption showed low scores in certain areas)
• Interview list should include the “usual suspects” (legal, C&E, audit, HR)
but also operational personnel with interview subjects from each
significant operating unit, location and function
• Functional management should be included
• Consider including rank and file (resource issue)
28. Interviews
• Phone or virtual? Both have benefits and minuses
• Possibly engage a third party just for interviews?
• Is the team going to use exhibits or documents? Slows process down,
narrows focus
• Follow-up potential
• Who is present? Is it one-on-one or is manager or HR (or someone else)
present?
29. Focus Groups
• Who will run the focus groups from the team?
• How structured will they be?
• Q&A, open-ended, role-play, or mixture?
• Formal vs. informal?
• How long will the sessions be?
• How many participants?
• How many sessions?
• Will rank and file be intermixed with management?
• External facilitator?
• Recorded?
• Topics for Focus Groups
• Culture
• Compliance risk topics (knowledge assessment)
30. Tools Used By Peers [CEPE]
Chart:
Management Interviews: 62%
Employee Interviews: 46%
Employee Focus Groups: 15%
Management Focus Groups: 29%
31. Analysis and Reporting
• Oral Report to Board (or Management)
• The report will often be accompanied by data from the surveys and other
previously generated data such as reporting statistics and training completion
rates (so, no newly generated data or presentations)
• The report will detail findings on the status of the program elements and controls
in place based on the 7 hallmarks of the sentencing guidelines or some other
scoring outline
• The team will also report on benchmarking data gathered informally during the
process for comparison
• The report will not typically include recommendations
32. Analysis and Reporting
• Written Formal Reporting
• After completing the document and data review, surveys and individual
interviews the team will often conduct an analysis of the results that will
include benchmarking for certain aspects of the program
• Once the analysis is complete, the team may offer an oral report that
includes primary findings and recommendations
• Once recommendations are discussed, the team will often then draft a
written report that will include
• Program findings based on the agreed methodology (e.g. the 7 hallmarks, best
practices, or some other agreed criteria)
• Recommendations for the program moving forward
• Benchmarking data comparing various aspects of the program
33. Some Considerations for Reporting
• Reports should be effective and meet audience expectations
• Does that mean a straightforward approach with a digestible executive summary?
• Does that mean a detailed, data-driven exercise with methodology explained, use of
charts, graphs and heat maps?
• Is this meant for internal audiences only?
• Privilege to be invoked?
• Clear and direct writing with a pleasant and organized layout
• Ask third parties for sample reports
• Use of recommendations
• Are recommendations practical?
• Are recommendations well explained and executable?
35. Next Steps
• The assessment team provides specific updates to the applicable
operating units affected by the findings (HR, IT, Legal, etc.)
• The assessment team works with the exec management to determine
the best cycle for repeating the process
• The assessment team puts together a written follow-up plan
• Based on the recommendation in the report
• Addressing each recommendation directly
• Assigning responsibility for any follow-up plan
• Establishing a timeline
36. Is a Written Plan Generated from the Assessment [ACC]?
Chart:
Yes: 63%
No: 37%
37. Next Steps – Example of a Simple Action Plan
Recommendation | Response | Action Plan | Assignment | Date for Completion
Draft New Code | Code is 4 years old and needs only a refresh | Will edit and revise the Code | General Counsel | Q1 2016
Implement G&E pre-approval tool | Currently informal approval process in place | Determine best process and implement | CECO | Q2 2016
Implement integrated, multi-year communications and training curricula | Individual training stakeholders have their own plans and there is sufficient coordination | No action | N/A | N/A
Executive support for non-retaliation could be more visible | CEO Code letter updated and CEO filmed video that was sent to all hands | Already addressed | N/A | N/A
38. Basic Assessment Process
• Establish: scope, team, goals, timeline
• Collect data
• Review documentation
• Establish and complete surveys
• Interviews and focus groups
• Analysis
• Additional data or interviews
• Findings
• Recommendations
• Reporting
• Actionable next steps
Throughout the project consider process improvement and repeatability