Four Steps to Get the Most Out of Your Compliance Program Assessment

“These recommendations are great, but what should I do with them?”  We all know that a best practice for any company in any industry is to periodically evaluate and assess the current state of its compliance program.  Such an assessment, whether performed internally or by an outside consultant, should be completely objective with a clearly defined purpose.  For example, some assessments may be designed to measure an organization’s preparedness for complying with a new law or regulation.  Others may be broader in scope and seek to measure the effectiveness of a program (or aspects thereof) in mitigating an organization’s compliance risk.  Irrespective of its scope, a good assessment can provide invaluable insights into a compliance program with important recommendations for improving its overall structure and effectiveness. 

While feedback on your program is important, there’s a risk that the company will view the assessor’s recommendations as a check-box exercise.  At worst, the company may race to complete the recommendations as quickly as possible, sacrificing quality and thoughtfulness in the process.  Because each task completed is another checkmark on the “to-do” list and, thus, a measure of progress and performance, the recommendations are often prioritized based on ease of completion, starting with the low-hanging fruit.  This approach, while effective in quickly checking items off a “to-do” list, is often counterproductive and can result in a disjointed and inconsistent program.

Four Steps to Getting the Most Out of Assessment Recommendations

A better approach is to take a more holistic view of the assessment and (1) categorize each recommendation by the element of the compliance program it is intended to improve; (2) analyze each of the recommendations to determine whether it is a mandatory requirement to meet a given standard or a suggested best practice; (3) develop a strategy for implementing the recommendations using a sequential and organized approach; and (4) create a schedule, with interim deadlines and milestone dates, for the complete implementation of the recommendations.  Each of these steps will be described in more detail below: 

Step 1: Categorize Each Recommendation by Element

Most compliance programs are segmented into discrete elements or categories – especially if they are modeled after the United States Sentencing Guidelines, the 10 Hallmarks of an Effective Compliance Program, ISO 37001 or similar guidance.  These categories generally include some or all of the following elements:  Leadership and Commitment, Risk Assessments, Autonomy and Resources of the Compliance Function, Policies and Procedures, Training and Communications, Reporting and Internal Investigations, Incentives and Disciplinary Measures, Third-Party Management, and Monitoring, Auditing, and Continuous Improvement.  When reviewing the results of an assessment report, categorize each of the recommendations by the element of the compliance program it is intended to improve. 

Grouping your recommendations in this manner will allow you to more easily identify opportunities to gain efficiencies in implementation by combining similar recommendations or eliminating duplicate work.  For example, an assessment report may identify several areas of your program where improved training and communication are needed.  By grouping these recommendations together, you may determine that the issues are sufficiently related that they can be addressed in a single training or communication.  Alternatively, you may decide that releasing all of the recommended training and communication at, or near, the same time will overwhelm the employees and potentially dilute the message(s).  In such circumstances, you may decide that a staggered roll-out is more effective.

Step 2: Determine whether a recommendation is a mandatory requirement

Typically, assessment reports include two types of recommendations: (1) those that are necessary to meet mandatory requirements of a given standard; and (2) those that, while important and helpful to improve the effectiveness of the compliance program, are suggestions or best practices in your industry. 

It is important to note which of the recommendations are mandatory and which are suggested best practices.  While all the recommendations are likely to be implemented, recognizing this distinction will be helpful in prioritizing your work – especially if you are operating under a strict deadline.  For example, last May when many companies were scrambling to comply with the GDPR, it was more important to have proper privacy notices, which are mandatory under the regulation, than to translate a “White Paper” with more detailed GDPR-related information into the local language of each of the countries in which your business operates.  Translation of such information is a good idea, but it is not required by the GDPR.

Step 3: Develop an Implementation Strategy 

When implementing the recommendations of an assessment report, it is important to resist the temptation to rack up easy wins by grabbing the low-hanging fruit.  While this may provide a fast, short-term sense of accomplishment, this strategy, in the long run, can create more work, as it will likely result in disjointed and inconsistent elements of your program.

The better approach is to take a big-picture view of the recommendations and develop an implementation strategy that is sequential and organized.  Start with the foundational elements first and save the smaller, complementary aspects for the later stages of the implementation plan.  This is essential because the foundational elements often inform your decisions on the complementary pieces.

For example, an assessment report may recommend: (1) perform a risk assessment to measure the bribery risk for each category of personnel; and (2) assign high-risk personnel to take specialized anti-bribery and corruption training.  While it may be tempting to quickly assign a group of employees to take the specialized training based on a cursory review of their job responsibilities to mark this activity as “complete”, the better approach is to perform the risk assessment first, and then, use the results of the assessment to inform your decision as to which employees should take the specialized training.        

Step 4: Create a Schedule with Interim Deadlines and Milestone Dates 

To complement the sequential and organized implementation strategy, it is important to develop a comprehensive schedule with interim deadlines and milestone dates.  In the absence of a schedule, senior management will likely use the assessment report itself as a tool for measuring your progress.  Without the “easy wins” to check off, there could be a perceived lack of progress in – or worse, lack of commitment to – implementing the recommendations, even while you are hard at work getting the foundational pieces exactly right. 

To avoid these types of misunderstandings, it is imperative to have a written schedule.  The schedule should clearly present your implementation strategy by illustrating the sequence of the activities to be performed and the dependency relationships between related activities, if any.  That is, the schedule should demonstrate which activities are predecessor activities (i.e., activities that must be completed before a related activity can begin), which are successor activities (i.e., activities that can only begin upon completion of a predecessor activity) and which activities are completely independent.

Gantt charts are effective tools for communicating the schedule as they show the relationship between related activities and graphically demonstrate which activities are critical.  Critical activities are activities that, if delayed in their completion, directly impact and delay the progress of the overall schedule.  Knowing which activities are critical will help you decide how resources should be allocated and whether changes in the strategy are prudent. 

The schedule should also include projected completion dates, with interim milestones where appropriate, and show your progress to-date.  The schedule should be regularly updated and shared with senior management, so they can monitor and follow your progress – but instead of looking at which boxes can be checked, they will be looking at where you are on the schedule, what is left to be done and whether you are still on track.
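The predecessor/successor classification and the notion of a critical activity described above can be made concrete with a small dependency-driven schedule.  The following Python script is an added example and is not part of the article; the task names, durations (in working days) and dependencies are constructed for illustration, loosely following the article's own risk-assessment-before-training example.  It computes the earliest and latest start of every recommendation, flags the critical ones (those with zero slack, where any delay pushes out the whole plan), and renders a text Gantt view.

```python
"""Added example, not from the article: a minimal critical-path schedule
for assessment recommendations.  All tasks, durations and dependencies
below are constructed sample data (durations in working days)."""
from collections import deque

# Constructed sample: each recommendation names the tasks it must follow.
TASKS = {
    "risk_assessment":      {"days": 15, "after": []},
    "specialized_training": {"days": 10, "after": ["risk_assessment"]},
    "update_policies":      {"days": 12, "after": ["risk_assessment"]},
    "general_training":     {"days": 8,  "after": ["update_policies"]},
    "hotline_review":       {"days": 5,  "after": []},
}


def topo_order(tasks):
    """Return tasks in dependency order plus a successor map; reject
    unknown predecessors and dependency cycles (both are plan errors)."""
    indeg = {name: len(t["after"]) for name, t in tasks.items()}
    succ = {name: [] for name in tasks}
    for name, t in tasks.items():
        for pred in t["after"]:
            if pred not in tasks:
                raise ValueError(f"{name} depends on unknown task {pred}")
            succ[pred].append(name)
    queue = deque(sorted(n for n, d in indeg.items() if d == 0))
    order = []
    while queue:
        name = queue.popleft()
        order.append(name)
        for s in succ[name]:
            indeg[s] -= 1
            if indeg[s] == 0:
                queue.append(s)
    if len(order) != len(tasks):
        raise ValueError("dependency cycle: the plan can never complete")
    return order, succ


def schedule(tasks):
    """Forward pass (earliest start/finish), backward pass (latest
    start/finish), slack = latest - earliest; slack 0 means critical."""
    order, succ = topo_order(tasks)
    es, ef = {}, {}
    for name in order:
        es[name] = max((ef[p] for p in tasks[name]["after"]), default=0)
        ef[name] = es[name] + tasks[name]["days"]
    project_end = max(ef.values())
    ls, lf = {}, {}
    for name in reversed(order):
        lf[name] = min((ls[s] for s in succ[name]), default=project_end)
        ls[name] = lf[name] - tasks[name]["days"]
    plan = {
        name: {
            "start": es[name],
            "finish": ef[name],
            "slack": ls[name] - es[name],
            "critical": ls[name] == es[name],
        }
        for name in order
    }
    return plan, project_end


def classify(tasks):
    """Label each task as the article does: predecessor, successor, both,
    or completely independent."""
    _, succ = topo_order(tasks)
    roles = {}
    for name, t in tasks.items():
        has_pred, has_succ = bool(t["after"]), bool(succ[name])
        if not has_pred and not has_succ:
            roles[name] = "independent"
        elif has_pred and has_succ:
            roles[name] = "predecessor and successor"
        elif has_succ:
            roles[name] = "predecessor"
        else:
            roles[name] = "successor"
    return roles


def gantt_text(tasks, scale=5):
    """One text row per task; '#' marks scheduled days (one char per
    `scale` days), '*' flags critical tasks."""
    plan, end = schedule(tasks)
    rows = []
    for name, p in plan.items():
        bar = " " * (p["start"] // scale) + "#" * (-(-tasks[name]["days"] // scale))
        flag = "*" if p["critical"] else " "
        rows.append(f"{flag} {name:<21}|{bar:<{-(-end // scale)}}| slack {p['slack']:>2}d")
    return rows


if __name__ == "__main__":
    print("\n".join(gantt_text(TASKS)))
```

Running the script prints a row per recommendation; the three starred rows (risk assessment, policy update, general training) form the critical path, so that is where management attention and resources belong, while the hotline review can slip by weeks without moving the completion date.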

Compliance program assessments are valuable tools for improving the structure and overall effectiveness of your compliance program.  To get the most out of the assessment, it is important to resist the temptation to rack up easy wins by first implementing whichever recommendations happen to be simple to complete.  Instead, by taking a more holistic approach, you’ll benefit your program to the greatest degree possible.