Joe Murphy – Compliance & Ethics Professional – March 2018
In 2004, the U.S. Sentencing Commission amended the compliance program standards to make one of its most important improvements: It required companies to “evaluate periodically the effectiveness” of their programs. Other standard setters have followed. Sadly, I still see commentators mistakenly confusing this with auditing and monitoring or ignoring it completely. But evaluation is the key to having a program that works.
Lack of this element has been a fatal flaw in the fight against harassment, for example. Companies have been misreading two Supreme Court cases, thinking that all they need is a policy that meets the legal standard, some training (in California just 2 hours every 2 years), a helpline, and jumping into action when someone calls. Of course, the training is often seen as punishment and sometimes even hurts the effort. But no one seems to care, because they see no need to evaluate its effectiveness.
The Supreme Court did not issue a checklist. It called for “reasonable” efforts. In my view, no effort can be reasonable if you do not evaluate whether it works.
Sometimes people dodge the difficult evaluation work by issuing surveys, maybe once a year—a nice step, but limited in value. It provides a data point, nothing more.
Even if you had the perfect survey questions (and there is no such thing), and an employee base that only told the truth, and you had truly amazing survey results, is that enough measurement? Suppose an incredible 80% gave consistently positive answers to the survey: They trust the helpline, believe management is honest, and have witnessed no unreported misconduct—everything you could want. But keep in mind, even in a case with these excellent results, you still have 20% giving negative answers. Consider also that statistics suggest that 3%–5% of any group may be sociopaths who have no sense of right and wrong. So if you have 10,000 employees, you have 2,000 who have not given positive responses and hundreds who may be sociopaths. You still need to measure how well your control systems are working to address this group.
Measurement is essential. It cannot be covered by mere box ticking, even a survey box. Measurement needs to be ongoing and address all the risks, all the compliance program functions, and all the parts of the business (prioritized by the risk assessment). Look at each compliance tool: Is it functioning correctly? Does it have the impact it is supposed to have? Policies no one reads or believes, training that puts people to sleep, and helplines that no one calls are a waste of time. If you are not evaluating these things, you are wasting people’s time, ignoring basic management principles, and failing to meet compliance program standards.