Effective Compliance Program Evaluations Are Not Report Cards

Richard P. Kusserow | April 2026
  • Report Cards look backwards; Compliance Program Evaluations look forward
  • Some mistakenly believe evaluation findings signal management weakness
  • Compliance Program Evaluations without findings lack value and credibility

The Department of Justice (DOJ) and Office of Inspector General (OIG) have made it clear that effective compliance programs are works in progress. They are never completed and must continually change and evolve in response to the ever-changing regulatory, legal, and business environment. DOJ guidelines state that organizations should have periodic, rigorous reviews of their compliance programs to identify opportunities for improvement. The guidelines note that evaluations conducted by experts external to the compliance function are viewed as significantly more credible than self-assessments or internal reviews. Similarly, the OIG expects entities to have periodic effectiveness assessments of their compliance programs and encourages boards to consider engaging outside experts for those reviews.

Despite this, many Compliance Officers worry that findings from evaluations of their programs might suggest weakness in management and operation. As a result, some attempt to steer reviews toward a “passing” report card that confirms policies exist, training occurred, and boxes were checked. That mindset is not only inaccurate but risky. Regulators, executive leadership, boards, and enforcement agencies are seldom impressed by reports that provide a passing “A” grade. Such reports have little value, lack credibility, and are often a poor use of resources. A Compliance Program Effectiveness Evaluation is not about checking all the boxes and process outputs. It is about determining whether the program is effective, evolving, and capable of managing current and emerging risk. A properly conducted Compliance Program Effectiveness Evaluation by experts should identify weaknesses and gaps, along with providing actionable recommendations to address them. This provides a defensible roadmap for remediation and strengthens executive leadership and board confidence that the program is moving along a track of continuous improvement.

Boards have fiduciary and oversight obligations that require more than a report card to provide comfort. A Compliance Program Effectiveness Evaluation provides information that they need to know, such as where the organization is most exposed to compliance risks; whether compliance staffing is adequate to meet obligations; which issues warrant remedial action; and whether management has been responsive to compliance findings. A simple report card grade does not answer these questions.

The DOJ and OIG focus on improvements and enhancements to compliance programs, often arising from evaluations, more than any expectation of perfection. They expect evaluations to identify issues and weaknesses and are most interested in whether organizations take meaningful corrective action. Evaluations that lack findings and actionable recommendations for improvement are likely to be viewed as flawed and of little value. A report card approach to an evaluation that focuses on whether required elements exist, activities occurred, and minimum expectations were met is of little value. It is merely a checklist review of process and outputs and may mask serious compliance blind spots. These types of reviews are most appropriately conducted internally.

On the other hand, Compliance Program Effectiveness Evaluations focus on whether risks are identified early, whether controls are reducing exposure, and whether the program adapts as the organization changes; these questions relate to the effectiveness of the program, or its outcomes. A Compliance Effectiveness Evaluation assesses how well the program functions, in terms of whether it is fully embedded in operations, not the completeness of the program. The most valuable results of a report are better alignment between compliance and operations, clear prioritization of resources, stronger documentation of good-faith efforts, a defensible narrative if regulators ever question a program, risk assessments driving audit priorities, referral source arrangements actively monitored, third-party risks managed beyond onboarding, and compliance having meaningful access to data.

Strategic Management has conducted hundreds of Compliance Program Effectiveness Evaluations in close collaboration with Compliance Officers. Every engagement resulted in actionable findings and recommendations and was well received by leadership and boards. For more information on this subject, please contact [email protected].

About the Author

Richard P. Kusserow established Strategic Management Services, LLC, after retiring as the DHHS Inspector General, and has assisted over 3,000 health care organizations and entities in developing, implementing, and assessing compliance programs.