“Only when the tide goes out do you discover who’s been swimming naked.” — Warren Buffett

You often hear chief compliance officers speak about benchmarking.  CCOs often reveal their competitive streaks when they collect information about  other companies’ compliance programs.  It can easily come off as a little insecure. 

In fact, CCOs are seeking valuable information — trying to measure their company’s performance outside their daily operational silo.  The compliance industry is not as cut-throat as the legal profession — compliance professionals are uniquely collaborative and willing to support each other.  The job is hard enough in the company and any outside support is welcomed with open arms. 

To this end, compliance professionals often embrace evaluation frameworks to measure their own performance.  The Justice Department’s Evaluation of Corporate Compliance Programs (“ECCP”) is a terrific document but lacks a rigorous way to measure and compare compliance programs.  Some complain that compliance is such an amorphous concept that evaluation techniques are often entail so many discretionary calls and measures that maintaining consistency is difficult across different companies, let alone different industries.

Do not misunderstand my point — DOJ’s ECCP and the U.S. Sentencing Guidelines contain lots of helpful suggestions.  The ECCP is chock full of important issues and questions to provoke important analysis of issues.

One framework, created in 2018, however, provides a very helpful framework for meaningful assessments of corporate compliance programs — The Ethics and Compliance Initiative released The High-Quality Ethics and Compliance Program Measurement Framework.

ECI is a best practice community of organizations that are committed to creating and sustaining high quality ethics & compliance programs. ECI brings together ethics and compliance professionals and academics from all over the world to share techniques, research and ideas.

In 2016, ECI published the Blue Ribbon Panel report entitled “Principles and Practices of High-Quality Ethics & Compliance Programs” (the “HQP Report”). Since its publication, ECI organized the E&C Program Maturity Model Working Group which eventually created a framework that organizations could use to measure their programs against those described in the HQP Report.

The framework provides a consistent model for organizations to assess the effectiveness of their programs based on high-quality program (HQP) elements. The Working Group defined five levels of maturity to address each of the five HQP principles. In support of assessing the level of maturity, the Working Group has outlined suggestions on (1) what to measure/review; (2) questions to consider; (3) potential sources of information, and (4) leading practices illustrative of HQPs.

The ECI Working Group developed a template five levels or categories of maturity:

Underdeveloped: A new ethics and compliance program or an existing one that has not progressed far in embedding HQP elements.

Defining: An ethics and compliance program that contains a number of HQP elements reflecting some important attributes, but with room to further mature.

Adapting: An ethics and compliance program that has a few HQP elements, but still lacks many important attributes.

Managing: An ethics and compliance program that can be considered effective or good, but not an HQP.

Optimizing: An ethics and compliance program that contains the majority of, if not all, HQP elements.

The ECI Working Group developed this framework by first populating the Optimizing category from the objectives outlined in the HQP Report—representing the HQPs. It then defined the other end of the spectrum by populating the Underdeveloped column, which describes the least mature level. The more difficult steps involved assessing the intermediate categories, that is, defining the progression of program maturity among the three middle levels (Defining, Adapting and Managing). While the final category—Optimizing—provides indicia for an HQP, the intent of the fourth column (Managing) is to define an “effective” or “good” program.

ECI’s research demonstrated that the higher the quality of an ethics and compliance program, the more effective it is in reducing risk of noncompliance and increasing ethical conduct. Therefore, the framework is intended to help organizations identify themselves along a continuum of growth, and to offer guidance to ultimately reach the highest level of quality that makes sense in each organization’s context.

The High Quality Principles (“HQPs”) were further defined by five basic principles:

Principle 1: Strategy — Ethics and Compliance is central to business strategy;

Principle 2: Risk Management — Ethics and Compliance risks are identified, owned, managed and mitigated;

Principle 3: Culture — Leaders at all levels across the organization build and sustain a culture of integrity;

Principle 4: Speaking Up — The organization encourages, protects and values the reporting of concerns and suspected wrongdoing;

Principle 5: Accountability: The organization takes action and holds itself accountable when wrongdoing occurs.

For each principle, ECI defined the characteristics of ethics and compliance programs in each category of maturity: Underdeveloped, Defining, Adapting, Managing and Optimizing. 

Within this framework, organizations engage in a type of matching process — self-identifying ethics and compliance program elements and characteristics that fall within one of the maturity categories.  While the process sounds a little bit discretionary, a rigorous approach can lead to some very interesting findings and results.  This process in itself, is helpful for organizations to engage in self-analysis and measure its own performance against elements of this helpful framework.