Rebecca Walker (rwalker@kaplanwalker.com) is a Partner at Kaplan & Walker LLP in Santa Monica, California, USA.
The gods had condemned Sisyphus to ceaselessly rolling a rock to the top of a mountain, whence the stone would fall back of its own weight. They had thought with some reason that there is no more dreadful punishment than futile and hopeless labor. . . . At the very end of his long effort measured by skyless space and time without depth, the purpose is achieved. Then Sisyphus watches the stone rush down in a few moments toward that lower world whence he will have to push it up again toward the summit. - Albert Camus, The Myth of Sisyphus
Compliance and ethics (C&E) professionals toil every day to prevent misconduct. Indeed, the U.S. Sentencing Guidelines initially called compliance programs, programs “to prevent and detect criminal conduct.” And, by the time an issue is up for detection rather than prevention, our organizations will be in trouble. Prevention is our highest calling, and undoubtedly an enormously worthwhile pursuit. However, this creates a challenge—not in the work of prevention but in quantifying our success. How does one measure the unmeasurable—the crises averted, the investigations not conducted, the legal battles not fought, the fines avoided, the business operations not interrupted, the communities not harmed? The difficulty in proving the value of our work—and in quantifying the return on investment of compliance resources—can lead to existential doubts of the highest order. Indeed, one of the important lessons learned from the business debacles of the early 2000s is that a program that shines on paper might falter in implementation. The question becomes, do the various program elements of codes, policies, training, and communications truly embed themselves into an organization’s cultural fabric? How do we ascertain if our program actually reaches hearts and minds? Program assessment hopes to address these types of questions and quell these types of doubts.
What is a program assessment?
Program assessments are comprehensive evaluations aimed at understanding a compliance program’s depth, breadth, and efficacy. They are critical tools in proving the value of compliance efforts, guiding improvements, and demonstrating a company’s commitment to ethical standards.
A foundational aspect of program assessment is considering whether a program possesses all the elements it should. This includes the Sentencing Guidelines’ seven-plus elements and relevant aspects of other government standards, such as the U.S. Department of Justice memorandum on the Evaluation of Corporate Compliance Programs, as well as best practices, as applicable. We then consider the effectiveness of each program element. So, for example, we are looking not just at whether a company engages in a C&E risk assessment but also at whether the risk assessment methodology is sound, if it is documented if it is consistently followed, if the results are reasonable, if the assessment leads to appropriate mitigation plans, if the results are reported out to appropriate stakeholders, and so on. In this manner, program assessment seeks to identify the most serious opportunities for improvement.