As the name of our fifth hallmark suggests, monitoring and effectiveness are critical parts of the seven hallmarks of an effective compliance program. According to the Federal Sentencing Guidelines for Organizations, this hallmark breaks down into three areas:
- Monitoring and auditing the organization’s compliance program
- Periodically evaluating a program to establish its effectiveness
- Ensuring the proper mechanisms are in place to report on this hallmark or to seek guidance on minimizing or resolving potential conflicts.
Monitor and Audit a Compliance Program
According to former Department of Justice (DOJ) enforcement consultant Hui Chen, many companies count training completion rates as a measure of a training program’s success and the effectiveness of their compliance program.
Chen, however, disagrees with using completion rates as a measure of success. Using completion rates as a metric is on par with grading students based on class attendance only, without ever checking their homework.
“Now, if you’re a company that rewards people with a promotion simply because they show up at their job every day, then go ahead — that would be consistent with your values,” Chen states. “But I don’t know of any company that awards promotions purely because somebody showed up for work. They need to demonstrate that they do good work, so why is the same not true when you’re measuring training?”
Many organizations assume that tracking whether employees have received training is enough to prove compliance, but this is not always the case. To manage its compliance program effectively, an organization must prove that employees have not only received certain training, but that they actually understand its content and can follow its instructions. It needs to continuously measure its employees’ understanding of what they’ve been told.
In other words, it’s not about teaching employees a subject, it’s about ensuring they know what to do. In order to efficiently run an effective compliance program, companies should keep in mind they don’t need to turn their employees into subject matter experts in specific areas of compliance. Rather, they need to teach their employees how to follow the rules that keep them compliant.
“For example, why would you want to turn your employees into anti-trust experts or have them be knowledgeable about anti-UK bribery acts?” Chen asks. “What you actually want is for them not to take a bribe, not to give a bribe and to raise their hand if they see something that needs to be reported.”
In this case, Chen states, you don’t need employees to understand the differences between different types of bribes or what specific statute various bribes violate, you just need them to recognize what a bribe looks like and not take one.
“The problem is not with knowledge,” Chen states. “The problem is with behavior. You should be measuring behavior.”
Evaluate the Effectiveness of Your Compliance Program
Remember that compliance is never a one-time event. There is never just a single point in an organization’s history where their commitment to compliance will be put to the test. Compliance is an ongoing commitment.
Many organizations are guilty of “compliance cramming” at the end of the year, proving their compliance to auditors through annual certifications at audit time. To maintain an effective compliance program, however, organizations should conduct reviews regularly. They need to regularly question, evaluate and prove their compliance program’s effectiveness.
One of the ways Chen recommends companies achieve this goal is to measure a company’s compliance culture, as well as their tone from the top.
In the anti-corruption community, Chen mentions, there’s a belief that you can’t measure culture. However, the Corruption Perception index is often cited as a type of perception measurement.
“It’s interesting that people say they don’t know how to measure culture, yet they’re actively using this metric without thinking about the specifics,” Chen states. “If you can measure a whole country’s perception, why can’t you measure a company’s perception?”
According to Chen, you can generally measure a company’s commitment to compliance through the choices they make, the way they spend their time and how they allocate resources.
“There are a number of ways to measure tone from the top,” Chen states. “When you just measure the number of times someone says something pro-compliance, that measurement doesn’t present the full picture. Are you also measuring how often the same people send messages that may be contrary to compliance and comparing the two numbers?”
Ensure Proper Mechanisms are in Place
While monitoring and evaluating a compliance program’s effectiveness are two important steps in adhering to the fifth hallmark, those two items alone can’t be fully effective without a third component. This third component provides employees with a well-known and well-understood reporting system that allows for anonymity and confidentiality, and that lets employees seek guidance regarding potential or actual criminal conduct without fear of retaliation.
One of the main areas regulators look for when it comes to proving effectiveness is employee whistleblowing. These employee-led reports prove an organization truly has a culture of compliance in place where employees can feel safe reporting violations.
“What I look for is a form of measurement to back the adjectives people tend to use,” Chen states. “For example, if a company states they have a robust compliance tone at the top, yet a survey indicates a significant number of employees believe they will be retaliated against if they raise an issue, then the measurement doesn’t back up the claim.”
One way an organization can measure their compliance culture and the effectiveness of their reporting mechanisms is to look at the data on the number of violations reported. This data can prove a trend in the right direction towards greater transparency and cultural compliance.
Implementing and providing technology as a reporting tool can be a great way to allow for easier and more anonymous employee reporting.
“I do think that technology offers the ability to make certain processes easier,” Chen states. “If you want people to behave a certain way, it helps to make that behavior an easier choice to make.”
According to the DOJ’s whitepaper on the Evaluation of Corporate Compliance Programs, DOJ regulators thoroughly review a company’s internal reporting mechanisms when they evaluate compliance programs. For example, regulators will evaluate how a company collects, analyzes and uses information from these mechanisms, as well as how the company assesses the seriousness of the allegations it receives. Lastly, they measure whether the compliance function within an organization has full access to reporting and investigative information.
In order to go beyond merely ticking off boxes on a how-to-be-compliant checklist, organizations need to monitor and evaluate how to make their compliance programs truly effective. They also need to put the proper mechanisms in place so employees can report misconduct without fear of retribution.
Without this vital hallmark in place, even the best written policies and procedures, program oversight, ethical due care and training and communications will fall short of creating a truly effective culture of compliance.
Check back next week for our exploration of the sixth hallmark of compliance — enforcement and internal investigations.