This time of year executives think about year-end measures of performance. So what do you provide them to measure the performance of the compliance program? Even if you assess a program annually, you come up far short of a measure, where a measure is something you can track and trend.
Many organizations try to measure compliance by administering a survey to their employees. This is a good approach but it can backfire. If you just make up a survey, the chances that it measures anything are small. You may get wild fluctuations from year to year depending on the mood of the workforce. And many of the commercially available surveys are no better.
An example. If you ask the employees of any large organization if they believe the organization engages in illegal conduct, about 30% will respond affirmatively. This is equally true of highly ethical organizations as it is of wholly unethical organizations. Why?
The first myth is that compliance program assessment is optional. The same sentence in the Sentencing Guidelines that mandates a hotline also mandates compliance program assessment. And, even if program assessment were not mandatory, it would be incumbent on your organization to undertake assessment. Organizations measure what they consider important. If there is no call for compliance program assessment in your organization, your compliance program is not as important as it should be.
The second myth about compliance program assessment is that an internal assessment is as good as an external assessment. Internally conducted program assessments are good and they are useful. But, they are also conflicted. It is a rule in audit – and should be a rule in compliance – that you don’t audit your own work. Both compliance and internal audit are part of the control environment of the organization and both need to be periodically tested in terms of their ability to mitigate risks. This need not be done annually but there should be a fixed schedule such as every 3 or 5 years.
The third myth is that it is risky to have an external program assessment since it may turn out negatively. It is true that an assessment that turns out positively is more protective than one that indicates a flawed compliance program. But we have seen more than one case in which a negative assessment, when paired with a detailed plan of remediation, has forestalled an enforcement action. Why? The fact that you conducted and acted on a program assessment indicates that your organization takes its compliance program seriously and will remedy weaknesses without undue prodding from the outside.
A final myth about compliance program assessment is that everyone uses the same standards – the Sentencing Guidelines, OIG Guidance, CMS Guidance, etc. While this may seem to be the case, different consultants interpret these external standards in widely divergent ways. The standards to be used in your assessment should be fully disclosed before you choose an assessor. A sound assessment also includes bench marking. Boards and senior executives are often indifferent to consultants’ opinions. But they are interested in real information about how your organization stacks up against other like organizations.