The phrase “effective compliance and ethics program” is widely used and frequently discussed. Determining whether your program is effective, however, requires more than a superficial understanding of the U.S. Federal Sentencing Guidelines and Department of Justice guidance. It requires a specialized knowledge of the laws and regulations that apply to your organization, the compliance and ethics risks for your organization, and knowing which controls you should have in place to mitigate them. Conducting a self-assessment is your first step.
A compliance and ethics program self-assessment is for mature programs with leaders who are willing to take a critical look at what’s working and what needs improvement. It is not for the faint of heart or for a compliance program in its infancy; however, the concepts detailed here can also be used to set goals and objectives when developing or advancing a young program.
Considerations for All Self-assessments
While the self-assessment must be customized to your organization, there are uniform principles that apply as well. For example, the self-assessment should:
Be an official part of your compliance and ethics program that is supported by written procedures, technology, and adequate resources;
Reflect the structure of your program (For example, will it be organized by the seven elements of an effective compliance program, the questions and topics outlined in Department of Justice guidance, or a combination thereof?);
Consist of a series of questions or statements;
Include simple multiple-choice responses (e.g., yes/no or a numeric scale) that will allow you to quantify the results;
Be conducted at a prescribed frequency (e.g., once per year, every two years); and
Include communication and action plans.
Developing your self-assessment can be a long and arduous process, so it’s also important to get the framework and content right to allow you to measure progress over time using the same set of questions or statements. A first step toward this effort may be establishing the taxonomy—that is, the data you want to filter and report on. For example, you may want to include the following terms: program element, compliance risk area, category, subcategory, topic, question or statement, score, findings, and/or supporting documentation. The technology you use to capture this information may be determined by what’s available, such as Microsoft Excel or survey technology. It’s important that you can quantify the results but also provide qualitative information in your reporting; notes, comments, and supporting documentation should also be captured.
Another key consideration is the scope of your self-assessment. Based on the demographics of your organization, you may choose to conduct it at the program level (a single assessment), by country or region, by business unit, or by operating company. The latter options often result in multiple responses that you will need the flexibility to combine or report separately. You may also need to consider customizing the self-assessment for different areas of the organization and translating it accordingly. I recommend steering clear of questions that are only applicable to specific areas, which can make aggregation difficult.
Lastly, the more complex the self-assessment, the more people you will need to engage. It may be helpful to document who responded to each question or statement. An important part of the engagement is the sharing and soliciting of feedback on responses received from others. The results should be thoroughly vetted before being finalized and shared with your board or executive team.
‘Right Size’ Your Self-assessment
Not all organizations are created equal; size and industry matter greatly when developing your self-assessment program. Larger, global, or multinational companies in a highly regulated industry will likely need a longer, more complex self-assessment. Organizations that are smaller or operate in a single country may benefit from a simpler version.