Risk assessments, program audits, and industry benchmarks are some of the most important evaluative tools in a compliance officer’s kit. That is not just opinion; it’s the policy position of the U.S. Department of Justice, which has expressly advised compliance officers to adapt their programs based on “lessons learned” from these key measures.
"Programs with good evaluative tools are twice as likely to report high program performance."
Recently, NAVEX Global conducted an in-depth survey and analysis of how organizations are using these and other tools to improve their own program’s efficiency and effectiveness. The results were published in this year’s Definitive Risk & Compliance Benchmark Report, an in-depth analysis of the latest industry trends and best practices, based on the survey responses of over 1,400 risk and compliance professionals. Central to this year’s findings are the "7 Drivers of Program Performance" – factors shown to have a substantive, measurable impact on critical compliance areas and activities.
This week, we are taking a look at evaluative tools – specifically risk assessments, program audits and benchmarks – to better understand and evaluate your program. According to our survey results, programs with effective evaluative tools were twice as likely as their peers to report high program performance. The benefits of these resources have also caught the attention of regulators. As several legal experts have recently noted, the DOJ specifically has placed increasing importance on the use of these effectiveness measures, setting the expectation that compliance officers will use them to inform and adapt their own programs.
But what do effective assessments and audits look like, and how can compliance professionals use them in practice?
Risk assessments are foundational
In their Evaluation of Corporate Compliance Programs, the DOJ’s Criminal Division highlights risk assessments as foundational to an effective compliance program. “The starting point for a prosecutor’s evaluation of whether a company has a well-designed compliance program," it states, "is to understand the company’s business from a commercial perspective, how the company has identified, assessed, and defined its risk profile, and the degree to which the program devotes appropriate scrutiny and resources to the spectrum of risks.”
As we've discussed, a compliance program should use compliance data to accurately identify, analyze and address the risks its organization faces. This risk management process should drive risk-tailored resource allocations, ensuring the time and effort expended is proportional to the level of risk posed by a given area or activity. Risk assessments also should be conducted regularly, with their results informing program updates and revisions.
The DOJ is also increasingly interested in whether compliance officers have continuous access to information across functions when making their assessments. Even in the current environment, regulators still expect regular risk assessments informed by operational data. In June of 2020, the DOJ updated their guidance to include the following questions for prosecutors to ask in the event of a compliance failure:
- Do compliance and control personnel have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls, and transactions?
- Do any impediments exist that limit access to relevant sources of data?
- If so, what is the company doing to address the impediments?
In our 2020 Benchmark, we found 2 out of every 3 programs conduct regular risk assessments. However, this trend is closely correlated with sophistication; virtually all (99%) advanced programs conduct organizational assessments, as opposed to 11% of reactive ones. Program sophistication also impacts the quality of the assessment, with 91% of advanced programs rating their risk assessment performance as good to excellent, versus just 35% of reactive programs, and 55% of programs overall. Advanced programs are more likely to use risk assessments to inform their R&C program, ranking them alongside internal investigation and hotline incident reports as a primary source for decision making.
"Lessons learned" also key
In addition to assessments of their organization’s risk profile, compliance officers should also be conducting regular audits of their program’s own performance. Honest evaluation of a program’s own failures can help inform decisions that will prevent them in the future. Though their nature and frequency will vary depending on the firm’s size and complexity, all audits seek to answer the same essential questions: Are the program’s controls functioning well? If not, how can those failures be addressed?
Regulators consider these internal audits a necessary part of any effective program. In the event of a compliance failure, be prepared for prosecutors to ask:
- Does your program regularly review its performance? How did you determine audit frequency?
- Do you have the resources (namely staff) to perform adequate program audits?
- Are audits conducted at a level sufficient to ensure their independence and accuracy?
- What steps were taken in response to issues elicited?
- Were relevant audit findings reported to management and the board?
- Did your audit detect evidence of the misconduct in question? If so, what was done? If not, why was it missed?
Despite their importance, program audits are not as common as risk assessments. This year’s benchmark found that just over half (56%) of compliance programs use audits to measure effectiveness. As with assessments, audit effectiveness is closely tied to program sophistication; 85% of advanced programs rate their evaluative capabilities as “good” or “excellent,” as opposed to just a quarter (25%) of reactive programs and 44% of programs overall. This may be linked to audit tools: 71% of advanced programs use purpose-built software to conduct program audits, but only a quarter of even maturing programs use R&C solutions for this task.
In addition to organizational risk assessments and program audits, regulators also expect compliance functions to use industry benchmarks to evaluate their overall performance. The DOJ guidance advises:
“Ensure your company has a process for incorporating information from a variety of sources including risk assessments, program audits, and industry benchmarks. Organizations should adapt their programs based on those lessons learned.”
These “lessons learned” are a major focus of the DOJ’s latest update, as is the emphasis on using external as well as internal markers to gauge program health. Investigators want to know that you are not simply “ticking boxes,” but are instead looking to your peers to see if your program is adopting industry best practices.
Risk assessments, program audits and benchmarks are critical tools for compliance officers looking to evaluate and improve their overall program performance. Combined, they present an instructive set of “lessons learned” that can help you avoid the mistakes of both your past and your peers. The periodic and documented use of these measures has been shown both to significantly improve program effectiveness and to act as a defense against heavy fines when a compliance failure occurs.