As the United States continues to muddle through the current recession, corporate executives have been faced with the challenge of finding areas in which to cut operational costs. As previously reported by Corporate Compliance Insights, even in a booming economy, compliance and ethics budgets are often unfairly scrutinized, due to the misperception that there is no return on the investment of compliance dollars.
While academics and political pundits disagree as to whether current economic conditions will cause an increase in ethical/legal misconduct or simply bring such behavior to light, recent repeated statements by government and regulatory personnel make it abundantly clear that now is not the time to cut your compliance budget.
On December 14, 2008, President-Elect Barack Obama announced his selection of Mary L. Schapiro to chair the Securities and Exchange Commission. In response to an oft-criticized period of lax enforcement, Schapiro quickly announced that she intended to re-empower the SEC and provide for an era of “swift and vigorous enforcement.”
Schapiro’s plans included putting an end to a two-year-old program that had required Enforcement staff to obtain a special set of Commission approvals in securities fraud cases that involved civil monetary penalties against public companies. In addition, Schapiro announced her plan to provide more rapid approval of formal orders of investigation authorizing the staff to issue subpoenas. While their effects are not yet clear, these changes are expected not only to expedite the resolution of investigations, but also to increase any penalties that are assessed.
Since the robustness of a compliance program is taken into account when determining penalties, pre-existing compliance procedures and controls are likely to be assigned increased weight in light of these changes. A compliance program is also likely to receive greater scrutiny by Enforcement staff when determining whether the company under investigation appropriately responded to the institution of the investigation.
Current and former representatives of the Department of Justice, which certainly was not lenient under the Bush administration, have also made statements that indicate an increased scrutiny of compliance programs in the coming years. For example, at the recent Dow Jones-Ethisphere Global Ethics Summit, former Deputy Attorney General Paul McNulty predicted “more enforcement in more categories,” where enforcement is looked to as the way of addressing a problem, as well as “high expectations on behalf of the government to see best in class compliance.” Mark Mendelsohn, Deputy Chief of the Fraud Section for the Department of Justice, confirmed McNulty’s premonitions at the same conference, going so far as to warn companies against “diverting resources from compliance and corruption prevention.”
In response to the focus that is now being placed on ethics and compliance programs, how can those with overall or operational responsibility for such a program make sure it remains robust when there simply may be fewer dollars to go around?
The best way to accomplish this is to make sure all compliance dollars are spent wisely. Despite the fact that Mendelsohn’s statement warns specifically against cutting compliance budgets, the activity he is likely cautioning against is letting compliance take a back seat during an economic time in which corporate personnel may be more likely to cut corners—an event that could end up resulting in a massive compliance failure. In fact, Lori Richards, director of the SEC’s Office of Compliance Inspections and Examinations, stated that the activity that is being targeted is sacrificing compliance in an effort to manage expenses and reduce costs.
So, if your compliance department recently experienced a proportionate budget cut, or if you expect that one may be on the horizon, a way in which to stretch your compliance budget and still maintain a robust program is to tailor it to the results of an ethics and compliance risk assessment.
Understand Your Risks
Compliance programs are designed to prevent and address corporate risk. Nevertheless, a staggering number of companies continue to spend their compliance dollars without first determining whether the expenditure will actually serve this purpose.
For example, a survey of 458 in-house attorneys by the Association of Corporate Counsel and Corpedia reveals that, while 70 percent of the organizations represented conducted business outside of the United States, only 39 percent of them provided a mandatory training session regarding bribery and corruption. Additionally, while 54 percent of the organizations represented were subject to the Sarbanes Oxley Act, only 25 percent had a mandatory training session in financial integrity and only 21 percent offered training on SOX compliance.
In order to avoid spending your organization’s compliance budget in a way that may only produce marginal results, refashion it so that it centers upon the compliance risks your organization faces.
By engaging in an ethics and compliance risk assessment, an organization is able to analyze the effect risks have on the organization, prioritize these risks, and develop options and actions to reduce the threat they pose. Nevertheless, organizations often confuse an ethics and compliance risk assessment with a general corporate-wide risk assessment, and are uncertain as to the scope, frequency, and structure of such an assessment. As an increasing number of organizations have begun to institute ethics and compliance risk assessments, leading practices have started to emerge. They are as follows:
- Examine all major areas of misconduct. A common mistake organizations make when conducting a compliance risk assessment is to limit the potential risk universe to a preconceived list of likely high impact risks. Rather, a proper ethics and compliance risk assessment includes all potential risks, including both those that are systemic to the average organization and those that are unique to the industry in which the specific organization operates.
- Examine risk contextually. To be effective, the ethics and compliance risk assessment must take into account the ability of the organization to plan for, prevent, or mitigate each risk area. This focus entails examining the controls, processes, and procedures designed to prevent compliance failures, as well as assessing the effectiveness of the individuals in positions of substantial authority in recognizing and preventing a compliance breakdown.
- Address current and potential risks. An effective ethics and compliance risk assessment should take into consideration risks that currently exist, as well as those activities that are currently legal but could reasonably be called into question in the future.
- Review internal and external information. Ethics and compliance risk assessments should include an examination of internal corporate documents, as well as industry information and historical incident reports. To be adequately predictive, the ethics and compliance risk assessment should include not only compliance breakdowns and failures, but also near misses.
- Include participants from all levels of the organization. When collecting and assessing potential risk areas, ethics and compliance risk assessments should involve personnel across various disciplines and seniority levels. This can be accomplished through workshops, focus groups, surveys and interviews.
- Consider impact and likelihood of occurrence. Compliance risk assessments should weight risk areas to account for impact and likelihood of occurrence. By assigning quantifiable weights or ratings to each relevant risk area, organizations will be able to rank them appropriately.
- Document the outcome. The outcome of the compliance risk assessment should be documented in a defensible action plan. This plan should include not only a description of the process that was followed, but also the actions that were taken to design, implement or modify the compliance program.
- Be defensively objective. The compliance risk assessment process should fairly assess the full universe of the organization’s potential risks, including existing acceptable industry practices. The temptation to ignore or de-emphasize risks because they could be costly to address from a financial or internal political perspective should be resisted.
- Quantify each risk area. The ethics and compliance risk assessment process should allow for quantification of each risk area. A compliance risk assessment that goes beyond “likelihood” and “impact” can be more useful in prioritizing compliance budget spending and activities, as well as in justifying any incremental controls, policies, processes or spending that must be implemented. Furthermore, if executed correctly, such quantification can be used to measure program effectiveness, a U.S. Federal Sentencing Guidelines (FSG) criterion of an effective ethics and compliance program.
- Conduct compliance risk assessments periodically. The frequency with which an organization chooses to conduct ethics and compliance risk assessments and schedule follow-up risk reviews may depend on the nature of the organization’s industry, but if the methodology and process are adequately defined, the assessment can reasonably be conducted on an annual basis and year-over-year results can be appropriately compared. Since operating environments, regulations and government enforcement priorities routinely change, it is inadvisable to conduct compliance risk assessments less frequently than every two years.
- Measure employee knowledge. The ethics and compliance risk assessment should include a measurement of employee knowledge and awareness of the compliance program and supporting controls. Doing so can help pinpoint where training and communications programs need to be improved.
- Benchmark. The compliance risk assessment should benchmark against peer organizations when possible. In addition to industry peers, consider those organizations that are peers in terms of size and geographic scope. This is particularly important as it ensures that the organization meets “accepted or applicable industry practice,” as outlined in the Federal Sentencing Guidelines.
- Coordinate with internal analysts. It is helpful to coordinate ethics and compliance risk assessments with internal audits. Completing a compliance risk assessment produces the following results for the internal audit process: (1) it aligns company focus and resources to address areas of greatest significance to the organization; and (2) it allows the auditor to design a program that tests the most important internal controls.
Use the Information Gained During the Compliance Risk Assessment Process Wisely
At the end of the ethics and compliance risk assessment process, an organization should be armed with extensive documentation of identified and prioritized risk areas. Failing to act upon this information could subject an organization to exposure in the event the information is disclosed during litigation or in connection with a government investigation. Some budget-conscious ways to spend your compliance dollars follow.
Communicate, Communicate, Communicate
One of the most cost-efficient ways to use the information gained during the compliance risk assessment process is to shape your compliance communication program with this information in mind. As the FSG note, a communications program should help “promote an organizational culture that encourages ethical conduct and a commitment to compliance within the law,” which is commonly known as setting the tone from the top.
Compliance communications should be driven by managers at all levels in your organization, thereby setting a proper tone from the middle as well, so that the tone from the top is carried down through the organization. In addition, all available communications options should be seized. In order to ensure that your organization is taking advantage of all communications opportunities and is communicating about the appropriate risk topics, these communications should take place according to a written communications plan.
If your organization currently does not have a communications plan in place, now is the time to create one. The plan should be multi-year in format and tailored to your organization’s risks. Although it is logical to focus on communications when rolling out a significant training initiative, it is a mistake to concentrate on compliance communications during a particular time of the year. Instead, communications should be provided consistently throughout the year in order to maintain a minimum level of awareness of ethics and compliance issues amongst employees.
Your organization’s communications plan should clearly describe your communications initiatives, the format by which they will be delivered, and the person responsible for ensuring they take place. The topics selected for discussion should directly relate to those risk areas identified by the compliance risk assessment. If your organization faces risk in a particular area and is rolling out a major training initiative to address that risk, you will likely want to reinforce the topic in your compliance communications. However, you may want to focus more of your communications efforts on those related or secondary risk topics to which you are not responding with a major training initiative. And, although communications are often distributed across an entire employee population, targeting your communications to specific groups, locations or departments is an excellent idea, especially if the risk identified relates to such a swath of employees.
The form that your communications take is primarily limited by your creativity and your organization’s culture. For high-tech organizations, a paper newsletter may not be appropriate, but a short video clip regarding a topic of concern may be. For organizations where a significant portion of the employee base does not have access to a computer, however, a paper newsletter may be a more effective means of communication. In addition, you may want to consider branding your communications program by creating a slogan that would appear on all compliance communications materials. Doing so provides an opportunity for employees to identify quickly an ethics- and compliance-related communication. This slogan can then serve as a marketing piece for your company’s compliance program by being placed on items such as posters, mugs and post-its.
Train on Your Key Compliance Risk Areas
Information gained during an ethics and compliance risk assessment process is commonly used to modify an organization’s training program. When determining how to use the information gained from a compliance risk assessment to revise the organization’s compliance program, your organization should strongly consider modifying its three-to-five year training plan.
Again, if your organization does not currently have such a plan, now’s the time to create one.
Although it may be tempting to create a training program curriculum that outlines only the first year of the initiative and to then make subsequent years’ curricula decisions concurrently with the annual budgetary cycle process, doing so is a mistake and can result in an inherent bias of viewing compliance training programs (and implicitly the overall compliance program) as a year-by-year activity. As a result, it becomes more difficult to create a truly ongoing and sustainable process that is institutionalized into the daily operations of your organization and is managed with a long-term view. Instead, the compliance training plan should be viewed as a living document that should be updated as necessary during its lifespan to account for organizational and risk area changes.
By adding the information gained from an ethics and compliance risk assessment to its multi-year training plan, your organization is taking steps to mitigate the job-related risks identified during the compliance risk assessment process. However, training can be an expensive endeavor if it is not well planned, appropriately and effectively delivered, and closely monitored, especially for multi-national enterprises that are attracted to the relative ease by which they can roll out eLearning training to thousands of employees. To ensure that your compliance training budget dollars are wisely spent, your organization should give careful consideration to the mode and mechanism by which training is delivered.
In general, there are three common modes of training—eLearning, instructor-led training (ILT) and document-based training (also known as “workbook training”)—each of which has positive and negative features. For instance, eLearning is consistent, trackable and measurable, enabling organizations to transcend challenges posed by language or distance barriers. In addition, eLearning courses can be taken by the employee at a convenient time during his or her workday.
However, eLearning is not without cost, especially when taking into account potential infrastructure issues and translation needs. And, for many companies, while eLearning may be appropriate to train on broad-based risks that span across a country or around the globe, many risks may not pose such a large threat. Further, eLearning does not allow for face-to-face interaction, which adds a human element to compliance training efforts, and eLearning does not provide a mechanism by which an employee’s questions can be instantly answered.
ILT, on the other hand, allows for face-to-face contact, which often leads to productive discussions among employees regarding the issues included in the training session. However, ILT can be logistically difficult to deliver and requires an investment of human capital both in the development and delivery of the materials.
Finally, workbook learning may be the best option for employees who are remote and/or do not have computer access, but it can be less effective for those employees who are not visual learners.
It is important to consider all of the potential delivery mechanisms for in-depth training, which include not only eLearning, ILT, and workbook learning, but also emailed scenarios or mini-training sessions, and presentations provided during sales or business meetings. Focus on the high-risk areas first, targeting those individuals that are most likely to face the training issue in question.
Also, be creative in the method of delivery. Some training may be effectively presented by a manager at a working lunch. Train-the-trainer sessions may be appropriate in locations where managers speak English but those reporting to them do not, especially where the training issue also implicates cultural concerns. Consider delivering “spot training” via a short animated training segment provided via email that includes entertaining, but substantive, training on a particular risk topic.
By broadening your training delivery methods and focusing delivery to those audiences that are most likely to face the issue of concern, you are afforded an opportunity to save on costs and focus on getting your message across in the most effective manner for the target training population.
Give Your Code a Facelift
When armed with the results of your compliance risk assessment, you might also consider using that information to refresh your organization’s Code of Conduct. The code serves as the cornerstone for your organization’s ethics and compliance program, and is only effective if it is current and relevant. If your code is more than three years old, does not sufficiently explain the risks your organization faces, or was written prior to a significant corporate, legal or regulatory change, it is likely due for a revision.
This is not to say that every time your organization conducts an ethics and compliance risk assessment, you will then need to revise your company’s Code of Conduct. Rather, if your risk assessment reveals some significant issues, and these risks are posed by the industry in which your company operates or are inherent in your organization and are likely to be of concern for some time, you will want to make sure they are covered in sufficient detail in your code.
Consider adding learning aids to supplement the content and to help bring the more difficult topics into context for the reader. Of course, the code should cross-reference standalone policies on the company’s main risk areas. If these policies are outdated, they should be revised prior to or concurrently with the code revision, so as to ensure that the code material corresponds to the revised policies and that the cross-references to the policy titles in the code are correct. This timeline is generally feasible, since this activity can often take place in house and is generally time intensive rather than capital intensive.
Gain Support Without Adding Headcount
How can your compliance department tackle such a myriad of tasks?
In general, compliance departments are slimly staffed; of those organizations surveyed by the Association of Corporate Counsel and Corpedia, the majority had fewer than five full-time employees dedicated to managing their companies’ ethics and compliance programs. Since adding headcount is likely not a viable option in this current environment, an effective way in which to gain support is through the appointment of compliance champions.
“Compliance champions” are often instituted by organizations in order to lend assistance to over-tasked compliance departments. In addition to being able to help with the rollout of compliance initiatives, compliance champions can serve as a conduit by which information can be gathered regarding certain business units or groups, or operations in select geographic locations. This is certainly invaluable, particularly when the compliance champions serve in areas that may be more or less isolated from corporate headquarters. Compliance champions can also help spread the tone from the top and provide the compliance message through a unique voice.
By coordinating periodic meetings attended by compliance personnel and your organization’s compliance champions, the information gained during these sessions can not only aid in the development of new training and communications initiatives, but also afford an opportunity to discuss ethics and compliance issues or reports, which can then be monitored and tracked. While at the end of the day compliance personnel will still be tasked with overseeing and organizing compliance initiatives at a high level, compliance champions can greatly assist them in carrying those initiatives out.
By conducting an ethics and compliance risk assessment and using the resulting data to shape your organization’s ethics and compliance program, your organization is helping to ensure that its program remains effective. Acting in this manner also helps your organization use its compliance budget in a cost-effective manner, which in the current economy is a critical component of your program’s continued success.