Metrics that Matter: Part 7 – Communications and Tone from the Top


George Bernard Shaw had it right when he said, “The single biggest problem in communication is the illusion that it has taken place.”  Communication is a critical part of a compliance program.  After all, without communication, how would anyone know the program even exists?  And perhaps more importantly, without communication from top management (and middle management), how would anyone know that the managers support the compliance program?

In this blog, we’re going to explore metrics relating to communications and tone from the top.  This is Part 7 of our series.  If you haven’t read Part 1, I recommend you go back and start there, as it sets the stage regarding why certain metrics should be chosen.  We’ve already explored metrics that can be used with policies and procedures, which can be found HERE, monitoring and auditing, which can be found HERE, training, which can be found HERE, third-party risk management, which can be found HERE, and governance, which can be found HERE.

What Should We Measure?

When it comes to metrics relating to communication and tone from the top, there are three things you should measure.

Metrics that Matter: Part 6 – Governance and Oversight


“A focused Board concentrates on strategy, oversight and governance practices, to avoid getting lost in the forest,” said Pearl Zhu, author of the Digital Masters series.  There is much consternation over the role of the Board of Directors/Audit Committee.  Boards are tasked with setting corporate culture and the tone from the top, often without instructions for how to actually do that.  One key way Compliance can help is to provide the Board with useful metrics.  Those metrics should include a mirror of how involved the Board and top management (C-suite) are with Compliance, and how supportive top management has been to the program as a whole.

In this blog, we’re going to explore metrics relating to the governance and oversight of the program.  This is Part 6 of our series.  If you haven’t read Part 1, I recommend you go back and start there, as it sets the stage regarding why certain metrics should be chosen.  We’ve already explored metrics that can be used with policies and procedures, which can be found HERE, monitoring and auditing, which can be found HERE, training, which can be found HERE, and third-party risk management, which can be found HERE.

What Should We Measure?

When it comes to metrics relating to governance and oversight, there are three separate types of metrics…

Metrics that Matter: Part 5 – Third-Party Management


Jean-Paul Sartre famously said that, “Hell is other people.”  For many compliance officers, hell is dealing with other people known as third-parties, and the companies they own.

Third-party management is a perennial headache.  Recently at the Compliance Week conference, on-the-ground polling found that third-party management was the greatest challenge facing compliance officers today.  Tracking metrics around third-party management is critical to seeing trends in your company, and being able to respond to movements in the business quickly.

In this blog, we’re going to explore metrics relating to third-party management.  This is Part 5 of our series.  If you haven’t read Part 1, I recommend you go back and start there, as it sets the stage regarding why certain metrics should be chosen.  We’ve already explored metrics that can be used with policies and procedures, which can be found HERE, monitoring and auditing, which can be found HERE, and training, which can be found HERE.

Too Much Information (for a change!)

Perhaps more than any other area of the seven elements of an effective compliance program, third-party metrics are usually the easiest to collect.  Most large companies have some sort of online or technology-based system that can gather data.  Even small companies managing third-parties on an Excel sheet can sort by column to find out how many third-parties they have in a certain country. 

Because of this wealth of data, choosing the right metrics relating to third-parties is critical.  Having numbers for numbers’ sake is not useful.  You must carefully answer the most fundamental question when choosing third-party-related metrics…

10 Critical Lessons and Must-Haves for Compliance Officers from the new DOJ Evaluation Guidelines


Compliance officers, it is time to rejoice, reflect and re-educate.  We should rejoice because the U.S. Department of Justice just issued a guidance document that unequivocally supports our role, especially in places where we’ve had trouble making a case with specificity (e.g., resources).  We should reflect on our programs because there are seriously high expectations for risk assessments, program evaluations, planning and tracking metrics, and integration with other functions.  And we should re-educate our leaders about the criticality of the independence of our function, requirements to fund it correctly, and to provide access to the Board and/or Audit Committee. 

The Evaluation of Corporate Compliance Programs Guidance Document (“Guidance”) is structured into questions that a prosecutor will ask to evaluate the effectiveness of the company’s compliance program – both before an incident occurs and after an incident is known.  These questions give answers – they show what the DOJ thinks is important in an effective compliance program.  Here are 10 critical musts that compliance officers need to know from the DOJ’s new Guidance.

1.     Compliance MUST be Properly Resourced 

There can be no doubt that a major factor in the evaluation of a compliance program is this: Is the compliance department properly resourced?  The word “resource” appears 21 times in the 18-page document.  The compliance program must be properly resourced with staff and budget.  Twice the Guidance states that the compliance function must have the resources to be able to “audit, document, analyze and act.”  Importantly, one of the questions prosecutors are to ask is, “Have there been times when requests for resources by compliance and control functions have been denied, and, if so, on what grounds?”  It is critical that you explain the DOJ’s approach to resourcing the compliance department to your board of directors and C-Suite.  They need to know how thoroughly that resourcing will be analyzed if there were a prosecution.  Speaking of the Board…

2.     Compliance MUST have Independent Access to the Board of Directors or Audit Committee

The Guidance leaves no wiggle room for this: Compliance MUST have independent access to the board of directors or audit committee…

White Paper: Ground-breaking Research on how to Benchmark your Compliance Reputation

They say you never have a second chance to make a first impression.  And yet, most compliance officers don’t think about how their compliance program looks to the outside world.  It’s the first thing regulators, customers, potential investors, shareholders and employees see.  What does your external appearance say about your company’s commitment to compliance and ethics?  What are others in your industry doing?  And perhaps most importantly, what are best practices in this critical space?

We’ve created a white paper exploring our groundbreaking results from our research into how compliance programs look from the outside.  In this white paper you’ll find out how other companies in your industry scored using Spark Compliance’s proprietary algorithm, which employs 25 specialty inputs to determine the scoring of the program in six critical areas, including:

  • Code of Conduct

  • Corporate Governance

  • Whistle-blower Provisions

  • Anti-Bribery Commitments

  • Data Privacy

  • Supply Chain / Modern Slavery / Sustainability

Spark Compliance has reviewed over 120 companies in the past two months to obtain this data.  You’ll learn best practices for each area, and find out how to benchmark your own program to see how it appears to the outside world.  Download for free for an exploration of the new compliance benchmark. 

Combating the $150 Billion Problem – What Compliance Can Do About Human Trafficking


Last month, the City of Atlanta hosted Super Bowl LIII.  A sporting event of this magnitude brings a lot of energy and excitement to the host city.  This year was no exception.  In the days leading up to the “big game”, the City of Atlanta showcased spectacular parties and special events, a diverse range of music concerts, and countless celebrity sightings.  While there was much to celebrate, this event also brought with it a darker side and highlighted an issue that does not receive the attention it deserves: human trafficking.

Just days before the Super Bowl, authorities announced that 33 people were arrested in Atlanta on sex trafficking charges.  This roundup was the result of a cooperative effort between the Department of Homeland Security, the FBI and local law enforcement.  The details of the arrests are undisclosed as the investigations are ongoing, but it has been reported that at least four victims have been rescued as a result of the effort.

Sadly, this issue is not limited to major sporting events where big-spending tourists from across the globe gather in one location.  Indeed, sex trafficking, human trafficking and forced labor (collectively referred to as “human trafficking”) are far more prevalent than many realize.  Human trafficking extends to all corners of the world – even to developed nations – and targets men, women, and children.  This global scourge, commonly referred to as Modern Slavery, generates $150 billion a year in illegal profits, making it the third largest criminal industry behind drugs and arms trafficking.

The International Labor Organization estimates that there are 40.3 million victims of human trafficking globally.  One in four victims are children, and more than 16 million people are exploited in the private sector throughout a wide range of industries.  While governments around the world are beginning to address this issue with increased urgency, commercial enterprises can play an important role in combatting this evil.  That is, by ensuring their business activities are not indirectly supporting, encouraging or financing Modern Slavery, companies can substantially diminish the market for this illegal and immoral practice. 

Before discussing the proactive steps to mitigate the risk of human trafficking in a company’s business activities, it is important to first understand what it is and in which industries it is most prevalent. 

What is Human Trafficking?  While the legal definitions of human trafficking tend to be broadly worded to cast as wide a net as is practicable, at its core human trafficking has three primary elements: (1) the transporting of people, (2) by illegal means, and (3) for a specific purpose.  For example, the Trafficking Victims Protection Act of 2000, a United States federal law, defines each part of the formula as follows:

  • Transporting:  the recruitment, harboring, transportation, provision or obtaining of a person

  • Illegal means:  use of force, fraud, or coercion

  • Specific purpose:  involuntary servitude, peonage, debt bondage, slavery or commercial sex acts.

Other laws and regulations addressing this issue take a similar approach to define this term. 

No discussion on the definition of human trafficking is complete without dispelling the common myth that human trafficking only involves the transporting of people for commercial sex.  This is simply not the case, as forced labor is a large part of this illegal industry.  In fact, by some estimates, there are more instances of labor trafficking than sex trafficking…

Metrics That Matter: Part 1, Setting the Stage


“Llamas are up 5% this quarter, while 22% of people have chosen blue instead of red year-to-date.”  So what?  Do I care if llamas are up?  Is that a good or a bad thing?  Is there a goal associated with whether red or blue is chosen?  Why do these things matter?

Too many compliance departments track metrics because they think they are supposed to.  Managers, the C-Suite and the Board are used to getting metrics from other departments, so they assume they’re appropriate from Compliance as well.  But many metrics tracked by compliance programs don’t inform the business about anything.  And because of that, tracking them isn’t useful.

A New Series

We’re creating a new series of blogs on metrics that matter.  We’ll be delving into examples of metrics being used by the most forward-thinking companies in the world.  We’ll also be examining how to use metrics effectively to understand the trends in your business and in your program.  Lastly, we’ll be giving lots of examples for you to choose from so you can bring your metrics to the next level.

What is a Metric?

Management consulting guru Peter F. Drucker said, “What gets measured improves.”  A metric is simply a measurement.  If you can measure it, it can be a metric.  Compliance departments typically use metrics to monitor and audit the state of the program.  They can also be used to drive efficiency and identify areas for improvement.  Ideally, they should provide critical data to show whether Key Performance Indicators (KPIs) are being met.

Good Metrics vs. Bad Metrics

Good metrics provide important information.  They can tell you whether your program is effective.  They can help you to prove that your program is adding value to the business.  They can also tell you whether your program is improving over time. 

Bad metrics don’t provide any of this information.  Creating and reporting on bad metrics has two disadvantages.  Number one – it probably takes a long time to collect the information, which is time you’ve wasted at work.  Number two – management isn’t getting anything out of the metrics, so they won’t pay attention to them.  What’s worse – management may think you’re not adding value because your metrics don’t show effectiveness, efficiency, or positive change in the organization. 

We’re Not Confident

Five Best Practices for Every Code of Conduct


By Diana Trevley, Spark Compliance Consulting’s Chief of Global Services.

We’ve seen the good, the bad, and the ugly when it comes to Codes of Conduct.  In 2018, Spark Compliance launched Spark Score, a new benchmarking standard that measures how your compliance program looks to the outside world, and as part of our groundbreaking research, we’ve reviewed hundreds of Codes of Conduct at companies of every size and across all industries.  Following are the top five best practices consistently displayed by companies that receive a high Spark Score:

1.      Tailored to YOUR Company

Creating a bespoke Code is deceptively time-intensive, but incredibly important because people don’t read what they perceive to be boilerplate language.  Some of the best practices we have seen from Spark Score’s highest-scoring companies include the following:


·         The Code has your branding, logos, fonts, and colors

·         Leadership (generally the CEO) introduces and endorses the Code

·         The authority and autonomy of the CCO is emphasized

·         The name of your CCO and DPO are included instead of being referred to just by their title

·         The origins of your company and what values led to its success are prominently featured

·         Highest risks are prioritized and given separate sections

·         The Code references operations and locations where your company actually does business

·         Leaders and employees from various levels, locations and departments are featured in photographs and interviews.  (Extra Credit:  While professional photography is great, less formal photographs of employees at promotional and charity events, at holiday parties, or even socializing in the break room really create a personal touch AND it will get your employees to crack open the Code with each new update to see whether they and their friends are featured in it.  One of our clients revamped their Code by including employees with pictures of their dogs.  It was a huge hit.  Just be sure that you are complying with local data protection laws.)

·         The Code includes an FAQ section of questions that are actually frequently asked at your company

2.      Online and Easy to Find

If you’ve got it, flaunt it!  While most companies do have their Code of Conduct on their website, there are still some companies that don’t post their Code. 

Groundbreaking Results: Join us for a Webinar on Benchmarking Your Compliance Reputation

I'm delighted to be partnering with Steele Compliance Solutions to present a webinar unveiling the groundbreaking results from our research into the external reputation of compliance programs.  During this webinar you'll learn critical information to answer questions like:  What does your company’s external appearance say about your company’s commitment to compliance and ethics? What are others in your industry doing? And perhaps most importantly, what are best practices in this critical space?

Join us for a webinar to hear the results of this research and to find out how companies in your industry scored using Spark Compliance’s proprietary algorithm, which scores programs in six critical areas:

  • Code of Conduct 

  • Corporate Governance 

  • Whistle-blower Provisions 

  • Anti-Bribery Commitments 

  • Data Privacy 

  • Supply Chain / Modern Slavery / Sustainability 

I'll be presenting with Tony Charles, Chief Client Officer for Steele.  Sign up HERE to join us, Tuesday, March 5th, 11:00 AM EST (4:00 PM GMT).  See you there!

5 Questions to Ask About Your Third-Party Risk Management


When was the last time you thought through your third-party management and due diligence process?  Perhaps you inherited a system that was in place when you arrived, and you’ve never changed it.  Perhaps you’re trying to manage it on an Excel sheet.  Perhaps you know it’s a problem, but you’ve never actually done anything about it…

Considering that 90% of reported FCPA cases involve a third-party intermediary, and one in two global enforcement actions involve a third-party, your third-party risk management program is a crucial part of your compliance program.

Is your current third-party risk management and due diligence system up-to-scratch?  Here are five questions you should be asking yourself to find out.

Question 1: Is my system truly risk-based?

The most frequent problem we see in due diligence program reviews is non-risk-based systems.  This usually happens because a conservative lawyer or compliance person worries that a risk-based system might let a problematic party through the system, endangering the company.  What tends to result from this blunt-instrument approach is over-spending and too much attention spent on lower-risk third-parties.

The DOJ endorses a risk-based approach.  The DOJ’s Resource Guide to the Foreign Corrupt Practices Act states that “performing identical due diligence on all third-party agents, irrespective of risk factors, is often counterproductive, diverting attention and resources away from those third-parties that pose the most significant risks.  DOJ and SEC will give meaningful credit to a company that implements in good faith a comprehensive, risk-based compliance program, even if that program does not prevent an infraction in a low-risk area because greater attention and resources had been devoted to a higher risk area.”

Ask yourself whether lower-risk parties get a lower level of due diligence and whether the hoops those parties jump through are smaller than those required for higher-risk third-parties.  If the answer is no, re-think your approach.

Question 2: Is my system consistently applied? …

Congratulations to Kristy Grant-Hart, named a Trust Across America 2019 Top Thought Leader in Trust

Spark Compliance Consulting is delighted to congratulate CEO Kristy Grant-Hart for being named a Trust Across America 2019 Top Thought Leader in Trust. For the past nine years, Trust Across America has identified and honored professionals who are transforming the way organizations do business.

The award celebrates global professionals who walk their talk in terms of trust.  This year’s honorees come from a broad functional base, including integrity, trust, leadership, culture, compliance, ethics, reputation and risk management, governance, communications, employee engagement, sales, and customer service. 

Ms. Grant-Hart stated, “I couldn’t be more honored to be given this distinction. To be named in the prestigious company of the others who have won this award is humbling.  I’m very grateful to Trust Across America for choosing me.” 

[a copy of the press release can be found HERE]


5 things to do NOW to deal with Sexual Harassment Compliance Challenges


Two years ago, Time Magazine’s Person of the Year was the silence-breakers of the #MeToo movement.  In late 2018, in response to the movement, many U.S. state laws came into force requiring sexual harassment training and policies for employers.  For instance, in New York, most employers are now required to implement an anti-harassment policy as well as delivering “interactive” anti-harassment training.

The public, regulator, and shareholder expectations for companies are sky-high when it comes to preventing and responding to sexual harassment.  What can you do to protect your company in 2019?  Start with these five actions.

1.     Define Who is in Charge

In most companies, sexual harassment complaints are dealt with by the human resources team.  However, the new laws are mandating policies and training – frequently topics owned by compliance.  Additionally, investigations into whistle-blower complaints relating to sexual harassment may fall into the murky area between HR and compliance.

Get ahead of the problem by defining roles.  Proactively talk to HR, as well as to your investigations team (if you have a separate function), so that it is clear who is in charge of which actions.  Like data privacy or modern slavery, the response to this compliance risk can’t live just in the compliance department.  A multi-functional approach is best, so get people together and make a plan.

2.     Add Questions to Your Engagement Survey…

Diana Treveley: Kangaroos and Compliance: A Trip to Sydney to Develop New Compliance Standards and an ISO 37001 Handbook


I was on top of the world in the Land Down Under earlier this month, where I had the privilege of joining the best and the brightest in the compliance profession to discuss guidelines for best practices, including the only global anti-bribery standard, ISO 37001.

Our mission?  To develop three new compliance standards and create an ISO 37001 Handbook.  

ISO TC-309, as the committee is called, is organized under ISO, the International Organization for Standardization.  The committee is comprised of delegates from over 48 participating member countries and 17 observing member countries – a truly global effort! For our annual meeting, Standards Australia generously hosted delegates from over 27 countries for five days in Sydney, supplying conference rooms for the four different working groups meeting simultaneously – and loads of coffee. 

While some people in the United States don’t understand the importance of the ISO 37001 Anti-Bribery Management Systems standard, standards in other countries are incredibly important.  Policy-makers use the standards as the driving force behind new legislation, regulatory bodies audit and benchmark the companies they are reviewing against the standards, and many companies treat the standards – certifiable or not – as de facto requirements for their organization.

We are working on several key initiatives that every compliance officer should know about:

Brand New Compliance Standards

ISO TC-309 is developing two new standards:

  • Guidelines for the Governance of Organizations (ISO 37000) 

  • Guidelines for Whistleblowing Management Systems (ISO 37002)

Four Steps to Get the Most Out of Your Compliance Program Assessment


“These recommendations are great, but what should I do with them?”  We all know that a best practice for any company in any industry is to periodically evaluate and assess the current state of its compliance program.  Such an assessment, whether performed internally or by an outside consultant, should be completely objective with a clearly defined purpose.  For example, some assessments may be designed to measure an organization’s preparedness for complying with a new law or regulation.  Others may be broader in scope and seek to measure the effectiveness of a program (or aspects thereof) in mitigating an organization’s compliance risk.  Irrespective of its scope, a good assessment can provide invaluable insights into a compliance program with important recommendations for improving its overall structure and effectiveness. 

While feedback on your program is important, there’s a risk that the company will view the assessor’s recommendations as a check-box exercise.  At worst, the company may race to complete the recommendations as quickly as possible, sacrificing quality and thoughtfulness in the process.  Because each task completed is another checkmark on the “to-do” list and, thus, a measure of progress and performance, the recommendations are often prioritized based on ease of completion, starting with the low-hanging fruit.  This approach, while effective in quickly checking items off a “to-do” list, is often counterproductive and can result in a disjointed and inconsistent program.

Four Steps to Getting the Most Out of Assessment Recommendations

A better approach is to take a more holistic view of the assessment and…

Are you in an email communication rut? 20 alternatives for better comms


Ding. Ding. Ding.  Email. Email. Email… For many compliance professionals, communication takes place only one way – via email.  It’s estimated that the average employee receives 121 emails per day.  While email can be a valuable way to communicate en masse about compliance policies and requirements, it’s not always the best way to communicate.  What else can you do?


There are a variety of great ways to communicate to the whole employee population.  Not only can some of these channels be more effective than email, but by varying the way you communicate, you’re more likely to engage your employees and pique their curiosity.  If you’re in an email rut, how can you communicate more effectively?  Here’s a checklist of 20 communication channels that you can use instead of email.  Why not try:


o   Videos from compliance

o   Videos from the CEO / managers

o   Intranet messaging

o   Screensaver messages

o   Via e-learning platform

o   Live meetings

o   Live training

o   Whitepapers

o   Podcasts…

How good is your whistle-blower hotline? Three crucial questions


Ring. Ring. Ring…is anyone there?  Can you hear me now?  Have I reached the right number?  Nearly everyone with a compliance program has some sort of reporting mechanism, whether it’s a formal whistle-blower hotline or an email address for the compliance department.  But how good is your whistle-blower hotline?  To find out, answer these three questions.


1.     Who can call?


Do you want to hear about the ethical concerns of your employees?  Of course.  What about the concerns of your suppliers?  How about the compliance concerns of your customers?  Yes?  Yes.  Knowledge is power.  While it’s true that if you extend the availability of your whistle-blower hotline to the outside world, you may get some spurious complaints, a real concern that you can properly investigate is worth the irritation of a couple of consumer gripes about your product.

A mature compliance program’s whistle-blower hotline should be available to:

·       Your employees

·       Your suppliers

·       Your business partners

·       The public

Extend the reach of your hotline so that everyone who needs to contact you can do so.

2.     How can they communicate with you?

Accreditation Hits the Mainstream: ISO 37001 Anti-Bribery Program Certification

Imagine you’re really hungry.  You walk up the street and see two restaurants.  One has an “A” rating on the window for food safety, certified by the city’s health and safety body.  The other has a handwritten “A” on the window, without any information as to who gave the grade.  Which restaurant would you go into?

With respect to the ISO 37001 Anti-Bribery Management Systems Certification, many commentators have asked the question, “Who is doing the certification!?!”  Up until recently the answer was simply, “Certification bodies.”  But which certification bodies?  And how do you know whether a certification body has a quality process in place to ensure that it only certifies companies that meet the high threshold requirements of ISO 37001? 

When the anti-bribery ISO standard was published in Oct. 2016, a second standard was published with it.  This second Standard, ISO 17021-9, laid out the auditing criteria that were to be used to determine whether a company had met the standard, and specified that only anti-bribery experts could be auditors.  While the auditing criteria could be applied immediately, verification that a certifying body was following those criteria would take longer to judge.  That is because, similar to companies seeking ISO 37001 certification, certification bodies can seek accreditation by proving that they are following proper ISO certification standards.

The Accreditation Process

ISO is a global NGO comprised of member bodies from all participating countries.  Each country has what’s called an accrediting body.  This body evaluates certifying bodies and decides whether the certifying body is following the auditing criteria associated with various ISO standards, including ISO 37001.  This is a rigorous process.  After reviewing audits, if the accrediting body is satisfied, it will accredit the certifying body.

Where I live in the United Kingdom, the ISO member body is called UKAS.  It is “responsible for determining, in the public interest, the technical competence and integrity of organizations offering testing, calibration and certification services.”  UKAS began a pilot program in July 2017 to begin accrediting certification bodies for the ISO 37001 Standard.  The process is long and arduous, requiring the applicant certification body to submit to multiple reviews while the UKAS personnel observe the ISO 37001 certification audits as they take place to ensure the certification body is adhering to the ISO 17021-1 and -9 standards, and awarding ISO 37001 certification only when it is truly earned. 

In the United States, the ISO member body is called ANSI/ANAB. It is responsible for granting accreditation to certifying bodies.  After launching its ISO 37001 accreditation process last year, it has now accredited several certification bodies and several more certification bodies are going through the accreditation process, including ETHIC Intelligence and Perry Johnson Registrars, Inc. 

It’s Happening!

The good news?  Accreditation is FINALLY being granted to the best ISO 37001 certification bodies.  It is now possible to separate the wheat from the chaff, as the multi-year review process is coming to an end for the early adopters. 

Four Reasons You Need a Compliance Program Evaluation

(Note - this post is written for compliance officers by Spark Compliance Consulting's CEO, Kristy Grant-Hart)

Do you need a compliance program evaluation?  And if so, should it be done by an outside party?  It can be scary to allow an outsider to perform an assessment.  I know this first hand – when I was in-house, I remember being deeply uncomfortable when we brought in the evaluators.  Would the assessor say my program was terrible, which would embarrass me or make me look bad?  Would they say everything was great, when I knew there were unresolved problems, and then management wouldn’t hear my requests for more resources?   Was it worth subjecting myself and the program to a review?

The short answer is yes: it was not only worth it, but my program benefitted for years to come.  Here are four reasons why that’s true:

No. 1: Program Evaluations are Expected Under Regulatory Guidelines

Make no mistake, the Federal Sentencing Guidelines say that companies need to “evaluate periodically the effectiveness of the organization's compliance and ethics program.”  Likewise, ISO 37001 requires auditing of the anti-bribery program on a regular basis.  Obtaining and maintaining certification requires it. 

There’s good reason regulators expect program reviews, because you can’t improve without them.  Why is it critical to have an external reviewer? Because…

No. 2: You Can’t Effectively Audit Your Own Work

Six Do’s and Don’ts for Due Diligence Questionnaires

“Wait, they want three months of the CEO’s personal bank statements?  Are they insane?”  This was a real request to one of my clients via a due diligence questionnaire.  When I called to inquire with the requesting company why they needed this, they said that they wanted to ensure that the CEO wasn’t receiving “unusual payments” that could be a bribe. 

Due diligence questionnaires are a critical tool for understanding third parties.  But they can quickly get out of control, putting unreasonable burdens on the answering party and, at worst, invading the privacy of individuals in wholly unnecessary ways. 

How do you balance the legitimate need for information with the reality that no questionnaire can fully protect the company from the possibility that the third-party will misbehave?  Here are three do’s and don’ts when it comes to due diligence questionnaires.

1. Don’t Ask For Information That Won’t Stop The Third-Party From Being Approved

Most due diligence questionnaires are far too overreaching.  The rule should be this: if an unfavorable answer wouldn’t lead you to reject the third party, don’t ask the question. 

Some questionnaires ask if any employee has ever been convicted of a misdemeanor.  First of all, as many companies have thousands of employees, how could they possibly answer this in good faith?  Secondly, if a key manager had a shoplifting offense or marijuana conviction from twenty years ago, would this stop the third-party from being engaged by your company?  If the answer is yes, ask the question.  If the answer is no, don’t.

2. Do Ask All Questions You Require for Your Risk Ranking and Approval

You probably need to know information about the ultimate beneficial owner(s) of any higher-risk third party working with your company.  You also probably need to know the names and titles of key managers, as well as whether the company has ever been convicted of bribery or another compliance-related offense.  Ask all of the questions you need up front so you’re not going back to the third party again and again.  Have an “if yes” methodology that allows the third party to explain itself if it answers important questions in the affirmative.