by Joe Murphy, JD, CCEP, CCEP-I
Among the program standards in the Federal Sentencing Guidelines (and elsewhere) is the need to “evaluate periodically the effectiveness of the organization’s compliance and ethics program.” So you know you need to measure your program, but have you thought about how this issue would come up in dealing with the government?
Here is an important point to remember. No government agency or enforcement person will be coming after your company just because the overall program was not effective. Rather, the issue will be the violation of specific laws. If there is a violation of immigration laws, then your program addressing that risk is what matters. If you engaged in foreign bribery, then what matters is your program addressed to bribery. This applies across the board to each area of risk. What did you do to address that specific risk, and was it appropriate based on the nature of the risk involved?
What does this mean in terms of measuring your “program?” Among other things, it means you need to do assessments looking at each of your risk areas. It is entirely possible, for example, that your environmental compliance program could be best practice and highly effective, your government contracting compliance effort may be just barely good enough to meet the standards, and your unfair labor practices program may get a failing grade. This entire range could exist in the same company, with the same culture. Everyone might be fully committed to environmental compliance, but simply not care at all about employment practices.
If you are only assessing your overall, generic compliance program, you may be missing the point. Instead, you need to assess the program in at least your key risk areas. An employee survey that shows that employees love their bosses, believe the executives are honest and caring, and have no hesitation about using the helpline, may still not reveal that your European managers believe competition is unnecessary and that competitors should enter into cartels to avoid “wasteful” competition. The design of your general compliance program may follow the Sentencing Guidelines’ seven steps, but not take the kinds of measures to address third-party risks in your FCPA program that the Justice Department and the OECD Good Practice Guidance call for.
What does this mean if you have dozens of risks to address? This is where your risk assessment comes in. Your assessment should tell you where to allocate resources. The same prioritization applies for your compliance program assessments. The higher the risk, the more your assessment should focus on that risk.
By all means, it is useful to assess the overall program. You can also assess each element (e.g., the helpline, training, the code, etc.). But do not forget that it is the risk areas that will get the government’s attention, and you need to be sure that your compliance efforts are appropriate, based on those specific risks.