Steve, our most recent exchange was on risk assessment – so, while we’re in that neck of the woods, maybe we should chat about program assessment. Indeed, it seems like a natural topic for us since, by my count, you and I have partnered on seven or eight such assessments over the years.
So, to start off, let me ask you to assess the area of program assessments – what makes a good one, and where can they fall short?
Steve Priest: Well, first a reminder for our readers: good assessments don’t have to be done by smart, good looking outsiders such as you and me! The body of knowledge and experience that has been codified in e.g., the US Sentencing Guidelines, the DoJ/SEC guidance on the FCPA, and UK anti-bribery guidance offers a great foundation for a self-assessment. Obviously conferences and programs run by professional associations such as the ECOA offer even more. I am a big believer in self-assessments every year. All that said, an independent program assessment can be very valuable from time to time, especially for E & C officers who have some doubts about the efficacy of their program and for whatever reason do not believe their senior management will give them the support and resources they need to address weaknesses.
Your point about “inside jobs” is an important one that is insufficiently appreciated – particularly as there are now many more E&C officers with the experience to conduct an assessment than there ever used to be. But, as you say, there are also plenty of reasons to commission an external assessment – including that in the event of a government investigation enforcement personnel are more likely to credit a company’s program if it has been assessed externally.
Turning from the “who” of the assessment to the “what” and “how,” perhaps we should flesh out what the goals of an assessment are, and what methodologies are available to achieve these goals. Of course, getting actionable recommendations is obviously essential - and ideally those recommendations can help guide the management and oversight of a program for years to come. But it also seems important to document all the good things a program is doing – not only because that will help in any government inquiry but also because findings of this sort can help prevent cutbacks to the program later on.
Steve: Absolutely agree. My assessment reports include findings (strengths and the wonderfully euphemistic “opportunities”), analysis and recommendations in categories that are close to those of the Sentencing Guidelines:
1. Risk Assessment
2. Governance, Structure and Leadership
4. Communications and Training
5. Human Resources Systems/Integration
6. Upward Reporting and Response
7. Auditing, Monitoring and Remediation.
I find this organizational scheme is quite intuitively understood, and thus actionable, by business leaders. Sometimes I will add a “deep dive” section in an area of special concern. And it is in the organization’s best interest if we include an 8th section on culture, but there is not always an appetite for the time and expense involved in that, and sometimes a fear of the results.
Sounds very good, Steve. My seven steps are close to yours (though I tend to break investigations and discipline into their own step) and, like you, I offer the option of looking at culture. Additionally, I sometimes have stand-alone discussions of other program “attributes,” meaning characteristics that apply to more than one element – such as resources, independence and the extent to which a program truly addresses ethics, as well as compliance (e.g., is ethics part not only of the standards and training – but also the risk assessment?)
Another big picture topic we should touch on is the relationship between program and risk assessments. They are different animals, but there is also some overlap. After all, it is hard to assess a company’s program without knowing what the key risks are, and equally hard to assess risks – at least residual/net risk – without knowing how well the program addresses such risks. How do you see this connection?
Steve: You save this question for the end? That is like a talk show host asking about an author’s latest book with 20 seconds to go in the show. . . . . As you note, they are very interdependent. The first section of my program assessment reports, guided by the wisdom of the Sentencing Guidelines revision, is Risk Assessment. But I don’t do a risk assessment, I review its process and quality. Similarly when moving from inherent/gross risk to residual/net risk in a risk assessment I do need to know about the program itself. Thus the difference between a risk assessment and a program assessment is primarily about depth and perspective. Does this mean we should be integrating the two more comprehensively? We cut to commercial in ten. . . .
I agree with your depth-and-perspective analysis but also think that for some organizations a more integrated approach will make sense – in that it could be more economical than doing the two separately, and also from a content perspective exceed the sum of its parts.