Compliance & Ethics Program Assessments: CCI Interview with Jeff Kaplan
The following interview took place between Maurice Gilbert, the founder of Corporate Compliance Insights, and Jeff Kaplan, a frequent CCI contributor and partner at Kaplan & Walker.
Maurice Gilbert: What is a compliance and ethics (“C&E”) program assessment?
Jeff Kaplan: Generally speaking, it is an effort to determine how well a C&E program is designed and how well it is functioning.
MG: Why do companies conduct program assessments?
JK: There are a number of reasons – principally relating to legal incentives and sound management practices.
MG: What are the legal incentives?
JK: There are quite a few.
First, the Sentencing Guidelines – as amended in 2004 – provide that companies should “evaluate periodically the effectiveness of their” programs. And this fall, the Vice Chair of the Sentencing Commission, speaking at a conference of C&E professionals, took pains to reinforce this expectation, by stating that: “Periodic reviews to ensure that your program is effective are critical.”
Second, the Department of Justice’s standards for determining when to bring criminal charges against corporations and other organizations were amended in 2008 to provide (among other things) that programs be “reviewed,” which seems to contemplate assessment.
Third, other regulatory standards – such as those governing aspects of money laundering and health care compliance – speak to the need for assessment.
Fourth, in some specific cases the government has faulted companies for not reviewing their programs.
MG: Do the Sentencing Guidelines and Justice Department standards address the issue of whether an assessment should be conducted internally or externally?
JK: They don’t. But an assessment offers a company a real opportunity to demonstrate the strength of its commitment to promoting compliance, and an external assessment can make the most of that opportunity – given the perception, based on considerable experience, that purely internal compliance measures often lack the clout and independence to accomplish meaningful internal reforms.
Another way to think about this is that, to get credit for your program in an enforcement proceeding you may need to show that you took every step reasonably possible to achieve compliance. Having an external assessment tends to help make that showing more than an internal one – meaning it will more obviously reflect a company’s sincerity about achieving truly positive C&E results.
MG: You’ve been speaking about legal incentives for companies – what about incentives for boards of directors?
JK: Protecting the board is an important driver for assessments, too. Under Delaware law, the Sarbanes-Oxley Act and Stock Exchange corporate governance listing requirements, boards have various compliance program oversight expectations – which are, in fact, echoed in the Sentencing Guidelines and Justice Department standards. Directors – who have long been encouraged in other contexts to seek the assistance of outside experts – can help meet these expectations through commissioning an assessment and, of course, ensuring that the recommendations arising from the assessment are followed up on.
MG: You mentioned sound management practices as providing another set of reasons for program assessments. What do you mean by that?
JK: That flows from the fact that the legal standards relating to the actual development and implementation of a program – while an essential starting point – are pretty terse. Also, there is no generally accepted detailed set of professional standards to help fill the void.
So, as they move forward with their companies’ programs, C&E officers are faced with countless choices — many of which could be controversial within a company or otherwise challenging. An assessment looks at the decisions made to gauge the extent to which they are optimal. And, not only can it identify the best way to proceed, but it also can stiffen the resolve within a company to do things right.
MG: How does one assess what is optimal in a C&E program?
JK: Based largely on the successes and failures – particularly the latter – of those who have travelled these paths before. In a very different context, Justice Holmes once said: “The life of the law has not been logic; it has been experience.” The same is true for C&E programs. But, of course, one must be careful to apply the lessons of others in a risk-adjusted way, because every company really does have a somewhat different risk profile.
MG: Speaking of experience, have the standards for assessing programs changed over time?
JK: They have. I conducted my first two assessments in 1997, and at that time and in the assessments of the following few years the template was, of course, the original Guidelines’ seven steps. With the 2004 revisions, the approach was expanded to include new C&E program requirements, such as incentives and risk assessments. More recently, I have assessed – in addition to program elements (meaning the expanded “seven steps”) – using what I call “program attributes.” By this I mean program characteristics that cut across individual program elements, and to which – in light of the long history of C&E program failures – companies should pay particular attention.
MG: Can you give us an example of a “program attribute”?
JK: I’ll give you two. One is independence, which is important not only to the successful operation of the C&E officer position but also to various other program functions exercised by others, such as discipline and audit. Of course, independence requirements vary based on applicable legal standards and other risk-related factors, so one needs to see the extent to which this program attribute is optimal for a given company given those factors.
Another attribute is program “reach,” meaning the extent to which the program reaches all the C&E risk areas that it should. This inquiry might examine, for instance, whether program standards, communications, background checks and audit activities (among other things) sufficiently address risks relating to “third parties” – such as vendors, contingent workers, distributors and agents.
MG: Everything you’ve been describing sounds purely compliance related. Is there also an actual ethics component to a “compliance and ethics” assessment?
JK: There is, and that is in fact one of the “program attributes.” One might seek to assess it in a variety of ways. At the most elementary level, one typically looks for a true ethics component in program communications and personnel evaluations. At a higher level, one also seeks to determine the role of ethics in risk assessment and strategic decision making.
MG: Is there a role for surveys in program assessments?
JK: Yes, but typically one can use the results of recent company-deployed employee awareness surveys for this – at least, if the survey asked useful questions from a C&E perspective. An assessment need not reinvent this sort of wheel.
MG: It sounds like interviews are the most significant part of assessments. Is that right?
JK: Generally so, although document reviews are important as well.
MG: Who do you typically interview?
JK: Each assessment is different, of course, but a typical approach might be to start with the C&E team; then proceed to other key staff members (such as Law, HR, Audit, Security); and finally speak to business leaders. The final group tends to be the most challenging, so it is important to interview others first, to build a real foundation of knowledge necessary to get good information from business leaders. The process is somewhat like conducting discovery in a lawsuit, meaning that you often need to develop foundational information to obtain certain other, harder to get, information.
MG: How else do you encourage interviewees to “open up?”
JK: In addition to having the right foundation of knowledge, the key to having candid interviewees is ensuring confidentiality, which should generally be accomplished in two ways. First, to ensure confidentiality as against the outside world, the interview should be conducted under the corporate attorney-client privilege. Second, to ensure confidentiality internally, interviewees should be told that their comments won’t in any way be attributed to them. And obviously the right follow-up measures – particularly with the attorney-client privilege – should be taken, meaning that one truly needs to give legal advice as part of the process.
MG: Is there a role for focus groups in assessments?
JK: There certainly can be. Among other things, focus groups are a good way of testing what one hears in the management interviews. Or, if one proceeds in the other order, it can be a useful source of information for management to respond to in the interviews. But, it is certainly possible to have a sound program assessment without focus groups.
MG: A moment ago, you mentioned reviewing documents as part of an assessment. Can you expand on that?
JK: There are several aspects to this, but let me mention just two. First, one should see: do the documents reflect a well-designed program? This is important because such documents may be the first thing a prosecutor sees if she reviews your program – and bad initial impressions can be difficult to remedy. Second, are the documents consistent with the way the program is actually run? Often, there is a gap – and, if so, one obviously wants to fix it.
MG: Would a company always assess an entire program, or do assessments sometimes have a more limited focus?
JK: While most – at least in my experience – are of the former type, some are more narrowly drawn, where the focus is entirely one program function – such as investigations or board oversight – or one risk area, such as FCPA.
MG: FCPA is obviously much in the news these days. Has that increased the interest in FCPA program assessments?
JK: Yes – particularly because boards are now seeking assurance of good compliance in that area.
MG: Why would one assess an investigations function?
JK: Because there is much that can go seriously amiss there, both in terms of not investigating in a thorough and timely way and also in terms of incurring additional legal liability or reputational harm, such as in the HP “pre-texting” scandal.
MG: What is the end product of an assessment?
JK: Typically a written report and an oral presentation – sometimes to the board. The report should identify all of a company’s good practices – which is useful not only for helping the company get “credit” in any investigation but also to discourage cutting back on such practices later on. Of course, the report also includes recommendations, which can (and hopefully will) be integrated into the C&E department’s work plan for the years ahead. Not infrequently, the recommendations will have a shelf life at a company of many years. And, tracking the implementation of the recommendations can be a good “handle” for board oversight of the program.
MG: It sounds like from both a law and management perspective a company can get a lot out of these.
JK: Well, that seems to have been the general experience – both in terms of program direction and program momentum. And, with time, the benefits should become even more substantial, both from a legal incentives and management practices perspective.
MG: Thanks, Jeff.
JK: Thank you, Maurice.
**********
About the Participants
Jeffrey Kaplan, a partner in the Princeton, New Jersey office of Kaplan & Walker LLP, has practiced law in the compliance and ethics field since the early 1990s.
Mr. Kaplan is also Adjunct Professor of Business Ethics at NYU’s Stern School of Business, co-editor (with Joseph Murphy) of Compliance Programs and the Corporate Sentencing Guidelines (West Thomson), chair of the legal advisory board of SAI Global’s Compliance Division, former Counsel to the Ethics and Compliance Officer Association, and co-author of a forthcoming study by the Conference Board on the use of compliance and ethics program criteria in government enforcement decisions.
Maurice Gilbert, CPA, founded Corporate Compliance Insights in December 2008 to further the discussion and professional knowledge exchange of important, forward-thinking GRC topics.
Mr. Gilbert is the Managing Director of Conselium, an executive search firm with a core expertise in corporate compliance, and he has been a featured speaker at The Institute of Internal Auditors and The Information Systems Audit and Control Association.
Maurice Gilbert is a member of the SCCE, the HCCA, the AHLA, and the Institute of Internal Auditors. He can be reached via email at maurice [at] conselium [dot] com or by phone at 972-934-8444.
Tags: c&e assessments, Compliance, compliance and ethics, compliance and ethics assessments, Ethics, Jeff Kaplan, Maurice Gilbert
**********
This was a very good article. Thanks for the insights. What sort of review would you conduct for a smaller company without a compliance and ethics department? For example, a smaller government contractor that’s required by the FARs to have a program in place.
Thanks for the kind words. Hard to give too specific guidance to your question in this context, but basically I’d a) list all the requirements; b) for each, set forth what I know are the indicia of efficacy for a small gov’t contractor (based on what the gov’t has said, among other things); c) see what the company has for each requirement vis a vis the relevant success factors; and d) for any gaps, make a recommendation for a fix.