It is an exciting time to be a Compliance and Ethics professional because you can disrupt existing practices to better deal with the current issues and risks. Our world faces significant changes, including increased regulatory scrutiny, social movements, political instabilities, health crises, climate change, and technological disruptions. Also, companies are now facing an increase in filed complaints. The U.K.’s Information Commissioner’s Office saw an increase of 34% of reported cases of potential data breaches and misuse of customer data.
A compliance professional is supposed to be the ethical conscience of an organization and therefore help protect its users, society, and the company. However, how do you design a compliance program that focuses not only on the present but also future issues? How should auditors assist the compliance professionals in this journey?
The Federal Sentencing Guidelines provide direction for the development of compliance programs. The U.S. Department of Justice (DOJ) recently updated one of these guidelines in a document titled “Evaluation of Corporate Compliance Programs.” This guideline, points out three main questions for evaluating the effectiveness of a program:
- Is the corporation’s compliance program well designed?
- Is the program being applied earnestly and in good faith? In other words, is the program adequately resourced and empowered to function effectively?
- Does the corporation’s compliance program work in practice?
While these questions sound simple, each item carries profound implications. For example, the first question should resonate with most compliance professionals and auditors. The question asks if the program is designed to include effective controls to mitigate risk. In the guidance provided by the DOJ, the controls should be based on a risk assessment backed by historical data and metrics. The assessment should be reviewed and updated regularly, and it should incorporate lessons learned from identified issues. One benefit from more frequent (e.g., quarterly) risk assessments is the ability to track changes over time to visualize how your program is changing over time. From this information, you can then investigate further to get to the underlying reason for the change.
From my experience of building two Enterprise Risk Management programs, when performing the risk assessment, it is most helpful to start with a library of compliance and ethics risks. The risk library helps facilitate conversations and often helps stakeholders “see” risks they would not normally consider. A great tool to use when building your risk library is the Ethical OS Toolkit, which includes eight ethical risk categories relevant to data and technology. Data is currently one of the most critical assets for a company, and analysts project data will be the most crucial asset in the future. The use of data and the effect of technology disruptions are currently felt by most people, but especially those who use social media. It is crucial for compliance professional and internal auditors to consider the following key risk areas, which are included in the Toolkit:
- Truth, Disinformation and Propaganda.
- Addiction and the Dopamine Economy (methods used by social media to trigger a dopamine release which causes addiction).
- Economic and Asset Inequalities.
- Machine Ethics and Algorithm Biases.
- Surveillance States.
- Data Control and Monetization.
- Implicit Trust and User Understanding.
- Hateful and Criminal Actors.
Another area to consider when evaluating design is compliance-related policies. In the policy management process, you should have the ability to track how often individuals access each policy. Access rates will help you understand the type of questions and issues that attract the most attention so that you can ultimately influence culture changes.
The second question of the DOJ guidance addresses the program implementation, and this is where many organizations misapply guidance. The intent of the question goes beyond the surface level statement about adequate staffing. Unfortunately, some organizations address ethics and compliance by overstaffing, thinking that a large program equates to an effective program. Likewise, with the idea “empowering the function,” the point of this statement can be misapplied by giving the legal department oversight of the program.
An excellent process for determining the size of your team is capacity planning. Once you have completed the risk assessment and agreed on the top compliance risks with management, choose the projects and level of effort that it will take to build or scale a program that mitigates those risks. Capacity planning models can be simple. It can include the projects, staffing assigned to each of the projects, and estimated hours associated with completing the project. Once you populate the model, you will understand if the current staff can support the projects or if you need to hire additional people. Once you have completed this exercise, make sure to run it by leadership and eventually Board for final approval.
Several other key takeaways from the DOJ guidance to keep in mind during this phase:
- Root cause analysis: ensure that you document the analysis to understand why your organization’s governance failed. Determine if the problem is isolated or evidence of a pervasive cultural issue, then track the resolutions to completion per your compliance procedures.
- Third Parties: Get involved with third-party due diligence and monitoring. The due diligence process should include evaluating a business case that justifies the need to outsource work. When monitoring the third parties, do not forget to review change orders and track terminated third parties.
- Mergers and Acquisitions: When it comes to mergers and acquisition due diligence and planning, only 44% of surveyed companies by LRN say their ethics and compliance functions are fully involved. Get involved with the planning and due diligence phase. Otherwise, the company will be required to document the “why.” After that, the company needs to develop a plan to accomplish the same objectives as if you had involved a compliance team, including mitigating and tracking risks.
The last of the three questions addresses effectiveness. Does the program work, or is it just a mindless task? A Harvard Business Review article titled “Why Compliance Programs Fail – and How to Fix Them” highlighted that “only 70% of firms even try to measure the effectiveness of their programs”. According to the article, management uses invalid or incomplete metrics to measure the success of the program. Even these could be biased if individuals are forced to acknowledge the policies to keep their jobs. If the effectiveness of the controls in place pivot on an annual training program, the actual effectiveness test should be whether the “employee has converted knowledge about policies into everyday work practices” or if it was an entirely mechanically exercise.
Additional practices that can help you measure the effectiveness of your program include:
- Compliance and Ethics questions in your employee engagement survey.
- Round-table discussions about ethics and compliance among leaders and their employees.
- Promotions which ignored employee ethical issues or recognized strong ethical conduct.
For additional KPIs, refer to the paper from KPMG called “In Pursuit of Compliance Metrics.”
How can Auditors help the Compliance professionals?
Internal audit should consider evaluating ethics and compliance programs against the DOJ guidance annually and provide recommendations for improvements. Audit should also audit the compliance risks. The urgency for developing an ethical corporate mindset through an effective ethics and compliance program has never been more significant.
When approaching an ethics and compliance audit, we can start with a general approach, describe so far that considers the design, implementation, and operating effectiveness of the ethics and compliance program. In the DOJ guidance, “Evaluation of Corporate Compliance Programs,” the document is divided into sections corresponding to the elements of control testing. The last section of the document addresses the question of control effectiveness by considering three topics:
- Continuous Improvement, Periodic Testing, and Review.
- Investigation of Misconduct.
- Analysis and Remediation of Any Underlying Misconduct.
Each topic poses a series of questions that are essentially an audit program you can take into the field. Using this guidance as a starting point for your audit approach, you will be more prepared for an ethics and compliance audit.
Considering the increased volatility in the overall risk environment and the impact a strong compliance program can have in mitigating those risks, implementing an effective ethics and compliance program has never been more critical. By reviewing the program each year based on the DOJ guidance, internal auditors will help identify any risk exposures and control weaknesses in the program before these lead to more problems.