C&E Program Assessment
Jeffrey M. Kaplan, Kaplan & Walker LLP
PLI C&E Institute, May 30, 2013
Reasons to assess
• Legal expectations
  • General: USSG
  • Risk-area specific. E.g., FCPA guidance and other anti-corruption standards
  • Overlap between the two
• Practical benefits
  • Identify good practices, so the company doesn’t cut back
  • Identify room for improvement
  • Serve as commitment device – to maintain (or regain) momentum
  • Serve as a “road map” for getting program credit in an investigation
Means to assess
• Interviews
  • Various possibilities:
    • C&E personnel
    • other staff
    • operations
    • sometimes third parties
  • Interviews can serve an educational purpose, too
  • Should conduct on a non-attribution basis
• Document reviews
  • Program design
  • Program operation
Means to assess
• Surveys (cont.)
  • Use already existing data (regular employee engagement survey results), or
  • Conduct one specifically for the assessment
  • Survey data can be very helpful for identifying parts of company – geographic, business line, risk areas – where program faces special challenges
• Focus groups
• Privilege issue
  • Increases candor
  • Decreases ability to share results
Audits as distinct from assessments
• Different types
  • General process – e.g., against program charters or other general process documents
  • Risk-area procedures – e.g., use of due diligence mechanisms
  • Risk-area substantive – e.g., improper payments
• Can be stand-alone or part of general audits
• Typically done by internal audit staff
  • But need to ensure that they have sufficient background/direction for audits to be effective
• Line between audits and assessments is not always clear-cut
Assessments: who conducts?
• Internal versus external. Issues are:
  • Cost and greater knowledge of the company, versus
  • Independence and breadth of knowledge
• External assessment recommendations may be harder to ignore than with internal effort
• Blended approach may be best
• Internal should be more frequent than external
• Internal assessments can be built into ongoing activities
  • E.g., surveys at the end of training sessions
What is relationship with risk assessment?
• In principle, risk assessment tells you how to design and implement a C&E program and program assessment tells you if your approach is working
• In practice, the two overlap substantially
• One should be alert to risk insight from program assessments and vice versa
  • E.g., gap between “gross” and “net” risk tells you something about efficacy of program for a given area
Scope of assessment: full program
• Generally all the elements and sub-elements of an effective C&E program
• Plus program “attributes” – aspects of programs that cut across program elements:
  • Strength/clout
  • Independence
  • Reach
  • Ethics, as well as compliance
  • Management knowledge of, and involvement in, the program
  • Culture
  • Resources
What to assess: risk assessment
• On risk assessment, focus on not only whether the company seems to know its risks, but also…
  • The risk assessment process
    • Helpful in meeting legal expectations?
    • Does it produce valuable information?
    • Is it sufficiently documented?
  • The extent to which the results of the risk assessment are actually used in designing, improving and deploying various program elements
    • Are you getting full use of the assessment?
    • Many companies don’t
Elements: standards and policies
• Code of conduct – is it
  • On point?
  • Understandable?
  • Being read?
  • Periodically revised?
  • Sufficiently translated?
• Individual policies – to what extent
  • Do they seem to address pertinent risks?
  • Get reviewed/revised as much as needed?
  • Are they “connected” to other program elements, e.g., training and auditing?
• A note on policy management
Program governance and management
• Consider adequacy of program governance documentation, not only of C&E office but also other functions with C&E roles, such as members of C&E management committees, SMEs and regional personnel
• Are the individuals in C&E functions actually doing what the governance documents say they will?
• Is there an appropriate level of independence and authority to implement the Program?
• Is the Audit Committee getting the right information, and at the right frequency, about the Program?
  • Look at both general program elements and also risk-area specific information (for high-risk areas)
Diligence in hiring and promotions
• Diligence in hiring tends to be fairly straightforward. (Typically it is risk based)
  • But not all companies have ethics questions for hiring interviews
• What due diligence steps a company should take regarding promotions is not that straightforward
  • Often an opportunity to develop recommendations here, based on a company’s risks and culture
  • Having C&E input for promotions can send a powerful message about the importance of the program
• Third parties – a related dimension (which should be dealt with not only by program assessment but also risk assessment)
  • Goes beyond FCPA
Training and other communications
• Tends to be among the most extensive parts of a program assessment
• In addition to whether the right people are getting trained on the right topics at the right intervals, should look at efficacy/impact
  • This can lead, for some companies, to recommendations for more role-based training (and sometimes even less overall training)
  • A note on training fatigue
• Also consider training and communications plans and documentation of training and communications efforts
  • Lessons of Morgan Stanley and the Black (ACL) cases
Auditing and monitoring
• Examine the “three lines of defense”
  • Real-time monitoring by businesses
  • Monitoring by functions (e.g., C&E, Finance, HR)
  • True auditing
• With each of the above:
  • Is there enough, based on risk assessment?
  • Are the results being put to full use?
• For C&E auditing ask:
  • What percentage of overall auditing effort is C&E-related?
  • Same question with findings
• Note that monitoring is an area where many companies have room to improve
Reporting systems
• Consider
  • Whether sufficient reporting procedures and avenues are in place
  • How well those are communicated to employees and others
  • What is employee comfort level in reporting (good area for surveys)
• Can benchmark metrics
  • E.g., number of calls to helpline and percentage of anonymous calls
  • Local results can be key here
• Look closely at means to protect whistleblowers
  • E.g., are managers trained in relevant do’s/don’ts?
Investigations and discipline
• Are protocols and procedures in place?
• How are these implemented in practice?
  • Typically includes a review/audit of some case files to get a first-hand look at how investigations are conducted
  • Timeliness and state of documentation
• What is the state of investigator training and other forms of guidance?
• Discipline:
  • Is it meted out for supervisory failures that contributed to misconduct in appropriate cases?
  • What are employee perceptions of the level of consistency of discipline?
  • A note on “organizational justice”
Continuous improvement
• Does the organization have formal procedures for considering enhancements to the Program following violations, including across business units, staff functions and geographies?
  • Are investigators trained to look for this?
• Procedures also necessary for smaller program enhancements, such as those recommended in an audit or following an investigation
• Are there procedures and practices related to periodic program assessment, including self-assessment?
  • This can be on a risk-area – as well as overall – basis
• In practice, how well does the organization consider enhancements following violations?
• Independence issues and the 2010 USSG amendments
Incentives
• Does the company use economic incentives?
  • Not necessary for all companies in my view, but can help in some
• Does it use softer forms of incentives?
  • Are managers trained on how to recognize and acknowledge ethically exemplary behavior?
• Does it deploy not just general incentives but also, as appropriate, risk-area specific incentives?
  • Can be important in rolling out major initiatives, such as third-party due diligence systems
Deep dives
• By risk area, e.g.,
  • Anti-corruption
    • Consider using the DOJ/SEC FCPA guidance document
  • Competition law
  • Note that this may make particular sense for emerging areas of risk
• By program function, e.g.,
  • Investigations
  • Board oversight
• Note that dives don’t have to be very deep to be useful
  • Several medium dives can be more helpful than one deep one, at least for some companies
Use of assessments
• Who gets a copy?
  • Privilege issues
• Using the results
  • Develop an action plan
    • Different levels of priority
  • Board reporting
  • Senior management reporting