Insight

How to Progress Compliance Plans from Paper to Practice

June 16, 2023

On paper, many compliance programs may seem comprehensive; however, are they effectively being moved from paper to practice? Talking the talk and walking the walk are two very different things, especially to corporate shareholders and enforcement agencies. While not unexpected or even novel, recent updates to the Department of Justice’s (DOJ) Evaluation of Corporate Compliance Programs (ECCP) guidance and pilot program on compensation incentives and clawbacks have clearly communicated that individual accountability and a culture of compliance are essential.

Taking actions to measure a company’s compliance culture against industry benchmarks and considering improvements to the plan are two steps in the right direction. The same can be said for identifying potential blind spots and making continuous improvements, especially during an administration as active and vocal on white collar and compliance expectations as the current administration.

In this Insight, we review the elements of a successful compliance program and the ongoing and emerging compliance challenges facing many companies, including practices made possible by artificial intelligence (AI) and machine learning.

Measuring Compliance

It’s “Mushy”

Unlike more straightforward measures of things like employee demographics, company profits, or sales figures, measuring compliance can be difficult. For example, an increase or decrease in the number of compliance hotline complaints, compliance-related violations by employees, or compliance-related investigations by management could be interpreted in two very different ways: that there is an uptick in noncompliant behavior or that there is a culture that feels comfortable raising issues. One could be viewed as a setback and the other as progress.

Valuable Datapoints

So, what can companies measure in order to better gauge compliance? Certain data that compliance officers should have access to and can leverage may serve as indicators of the culture of compliance.

Performance Objectives

Consider embedding metrics in annual performance goals across different levels of the organization (C-suite members, managers, etc.). These could include a “tone-at-the-top” metric that measures how leaders are reinforcing the need to be compliant in a way that resonates with their teams.

Other accountability metrics can be seen around escalating or failing to escalate allegations of misconduct. It can be helpful to show as an example a leader who is accountable for their team’s behavior and is actively part of a solution when a problem is solved. On the flip side, managers who bury misconduct or make a habit of investigating it themselves should be disciplined and perhaps made an example of. Be careful, however, when tying performance to numbers that would discourage employees from flagging compliance failures.

Recently updated ECCP guidance from the DOJ’s Criminal Division detailed very clearly the expectation that leaders share why senior executives are disciplined or exited within an organization. While there is often a reluctance from companies to disclose these incidents internally, sharing lessons learned throughout an organization can be incredibly impactful.

Investigations Data

Ultimately, review investigations data and be thoughtful about how to interpret and use it. Helpful investigations benchmarking data exists, including figures such as the following:

  • How many investigations occur per every 100 employees?
  • What percentage of allegations were raised by anonymous sources or via company compliance hotlines?
  • What are the substantiation rates for different categories of issues raised?
  • How many retaliation reports are coming in?

Organizations don’t necessarily need to be where the industry benchmarks are, but leaders need to know how far they are from benchmarks and why. In many instances, issues with low reporting numbers can be addressed by a robust communications campaign. Advertising the various avenues to raise concerns and emphasizing that it’s safe to speak up should be part of these communications.

Leaders must be sure to take investigations data one step further to examine not only what issues are being raised by employees, but also where, geographically, they are being raised (across countries and business units (BUs)) and why any differences exist.

Training Data

Another metric for consideration is the amount of employee training that’s being assigned and completed. High training completion statistics, and even the timely completion of mandatory training by teams managed by C-suite members and managers, can be a good indicator.

Attrition Data

An organization’s human resources (HR) department should be in a position to provide company attrition data, industry attrition data, company versus industry attrition, and attrition levels across regions. Overlaying all this data and having an enterprise view, a BU view, and a regional view can help bring to light problem spots as well as employees that can be positioned as a champion or an ambassador for company compliance.

Culture Survey Data

In employee surveys conducted by an organization of its management or strategy, the resulting data will only be as good as the questions that are asked. Certain questions will provide a good view of the culture specific to compliance while others may not. Standard questions should include, “Do you believe top performers/managers at the company are held to the same standards as everyone else?” and, “Have you ever felt pressure to violate the code of conduct?”

Culture Matters

Evaluating key indicators of a company’s culture can help identify environments that are potentially more prone to incidents of noncompliance. 

  • Leadership style is among the commonalities across incidents of major compliance failures. Truly autocratic leadership can lend itself to more risky compliance atmospheres. In these instances, sufficient checks must be in place from a compliance standpoint.
  • Organizations in which information is siloed and intentionally not shared across divisions or BUs can encourage cultures of noncompliance.
  • Having guardians, such as lawyers, auditors, HR, and compliance professionals who interpret part of their roles as protecting the company’s reputation, not solely liability exposure or other concerns, is important.
  • An abdication of responsibility and accountability by corporate board members can signal a problem source.

Structural Checklist

Organizations with good corporate governance and the right structures in place likely apply the following best practices:

  • The general counsel (GC) should attend board meetings regularly.
  • The head of internal audit and chief compliance officer should report directly to the audit committee.
  • Special compliance training should be provided to employees in guardianship roles.

The Future of Compliance

AI and machine learning present a tremendous opportunity for compliance. With resources from data scientists, for instance, companies may discover unusual and unanticipated correlators between compliance violations and specific factors. This could include HR complaints about particular managers or the absence of complaints, high voluntary attrition, or involuntary attrition. AI provides an opening to measure and develop algorithms that help identify blind spots.

Machine learning is also making a difference in compliance by identifying risky transactions. If algorithms produce a concerning risk score, more scrutiny can be applied to a transaction. Still, there is a balance between being able to predict compliance violations and other important concerns such as privacy. Also, while they may be incredibly effective, implementing AI or machine learning in these kinds of scenarios may result in biased results.

If you are interested in Culture Matters: Former Inhouse Counsel Perspectives on Measuring Compliance, as part of our Technology Marathon 2023, we invite you to subscribe to Morgan Lewis publications to receive updates on trends, legal developments, and other relevant areas.