I read the recent FCPA Blog post “Can we really ‘measure’ compliance?” with great interest. Richard Cassin touched on one of the essential areas the compliance community needs to work together to improve our approach. We need to assess how our programs are progressing, and be able to share that data and progress with our various stakeholders.
I agree that the guidance from the various regulators does not provide much detail (Richard mentions the U.S. Sentencing Guidelines; there is also the UK SFO Bribery Act guidance (Principle 6) and the French “Sapin II” requirements, Pillar 8 of an effective compliance program), but being able to measure the performance of a compliance program effectively and objectively is critical to the future of our profession.
There have been some advances on this front. I am an enthusiastic supporter of the ISO 37001 standard, and it provides a robust framework for assessing the performance of a compliance program. It all starts with the important step of identifying the goals that the compliance program seeks to achieve.
While having zero corruption cases is ideal for any organization, it cannot be the objective of a compliance program other than in a broad idealistic sense. You could easily have an organization with no compliance program that has no corruption cases simply because the company is lucky and has never been caught. At the same time, we have seen organizations with comprehensive, adequately staffed, and funded compliance programs with corruption cases in their organizations.
In an ISO 37001 framework, the objectives of the compliance program need to be set after an in-depth review of the organization’s risk profile. Each objective needs to have an action plan to address and mitigate the risk. Each action plan needs performance indicators that allow the compliance team to pilot the program and communicate its performance both inside and outside the organization.
Let’s take Richard’s example of training. Tracking the number of employees who have been trained is one way to measure the compliance program (this can be referred to as a “deployment” indicator). Still, it is true that the number of people trained does not show whether the participants learned anything or whether the training will affect their future behavior.
How do we quantify this second aspect, which measures the effectiveness (the “performance”) of the training initiatives? One solution, borrowed from our HR colleagues, is to implement “cold assessments,” which consist of contacting employees at a set interval after they have completed training (six months, for example) and having them complete a short quiz to see whether they have integrated the concepts.
It is also important to be a bit creative and take a holistic approach to compliance. Another possibility is to review cases that have been reported through the company ethics hotline to see whether the reporter became aware of a compliance issue as a result of training, or whether the accused party had received training related to the alleged non-compliant activity.
Finally, if the organization has an internal audit team, this is an important source of performance data for the compliance function.
For example, suppose gift-giving is one of the main sources of corruption risk for a company, and a gift approval and reporting tool is in place to help mitigate that risk. In this case, the compliance team could work with the internal audit team to add a review of employee expense reports to the site/business audit scope, to verify what percentage of identified gift expenditures followed the company policy. A high rate would indicate that the group policy has been well communicated to employees and is well followed. This is an objective indicator that the compliance program is functioning properly with respect to gifts.
Does this mean that no corrupt activity has taken place? No, but the twin indicators of (i) good data on who has been trained (the “deployment” indicator) and (ii) objective data showing that employees are following the rules (the “performance” indicator) together tend to show that the compliance program is effective and performing well.
We cannot see into the hearts and minds of the employees in our organizations. We can identify the areas of risk and then put into place processes to help our colleagues and the organization mitigate them as much as possible and use the data at our disposal to gauge the performance. This, in one sentence, is the continuous improvement cycle that is built into any effective management system and is an integral part of an ISO 37001 approach.
I think Richard Cassin has raised a valid and important point. We in the compliance community need to continue this critical discussion to share best practices and adopt a standard benchmark for measuring our compliance programs.