A good question to ask yourself when assessing the effectiveness of program is what ethics and compliance KPIs do you need to consider?
Before we get to that, we should take a step back and address why it is important to look for program KPIs in the first place. Back in 2002, the Department of Justice issued Opinion Letter 02-04, which discusses some of the practices that the Department was looking for at during the early 2000s. It specifically talks about the value of having someone from outside of your program examine it periodically (i.e., every three years) to identify potential blind spots or areas for improvement.
This guidance is in pursuit of proving the effectiveness of your program in the absence of a major disaster. In the event that you do have a major issue and you get credit from the Department of Justice for the quality of your program, then you have the proof you need. But fortunately, most organizations will not find themselves in that situation. So they have to come with ways to demonstrate that their ethics and compliance programs are effective without something really bad happening first.
This is why it is important to set ethics and compliance KPIs. These KPIs show how your program is making the impact you want. The best KPIs to consider come in two basic categories: activity metrics and performance metrics.
Activity Metrics:
Most programs are very good at producing activity metrics such as :
Hotline call volume
Case management system days to close
Substantiation rates
Anonymity rates
Willingness rates for reporters to identify themselves once they engage with an investigator
Policy clicks
Communications clicks
These activities are absolutely worth tracking. If you are not tracking them currently, then consider setting up formal processes for capturing that data. In the meantime, look at what data you can obtain already that reflects those kinds of activities associated with your ethics and compliance program.
Performance Metrics:
This is a trickier metric because it seeks to answer more nuanced questions, such as:
How do you measure an employee pausing and asking for help?
How do you measure an employee refusing a kickback request?
How do you measure an employee going to their manager and figuring out the right response to a particular situation they find themselves in?
Every organization is going to be a little different in terms of how frequently those moments occur, but they are definitely the kinds of E&C metrics you want to measure. This may entail asking managers to give you information on ethics and compliance questions that come to them through employees—that’s not really an activity, metric that’s more a performance metric.
On Monday, Sept. 23, the Department of Justice issued its 2024 update to its Evaluation of Corporate Compliance Programs, the criteria it uses to determine whether or not to prosecute a company when one of its employees breaks the law. This DOJ ECCP update contains significant new and revised language, giving ethics and compliance officers plenty to consider when incorporating this guidance into their program.
This blog will list some helpful resources Ethisphere has made available to E&C practitioners as they operationalize the DOJ 2024 COD Evaluation of Corporate Compliance Programs update.
Ethicast
As news of the ECCP update broke, the Ethicast went live with insights on what this update will mean for your ethics and compliance program. You can catch the episode here.
On-Demand Webinar
Ethisphere Chief Strategy Officer Erica Salmon Byrne provides a deep dive on some of the particular aspects of the update—including risk assessments, AI, anti-retaliation policies, and whistleblower protection—in a special on-demand webinar that you can access here.
E-Book Overview
This handy document describes the full scope of changes to the ECCP, and will only take a few minutes to read. Download the e-book here.
Comparison
Ethisphere published a language comparison checks the March 2023 and September 2024 updates against each other to identify every instance of new and updated language in the 2024 update. You can read the markup here.
Self-Assessment
The update stresses how and how often you measure your program’s effectiveness. To start building actionable data around your overall compliance efforts, take this free program self-assessment.
Culture Assessment
The guidance asks what companies are doing that might chill employees’ willingness to speak up. To find out how well your culture of compliance is really working, explore our culture assessment.
Anti-Retaliation
93% of employees surveyed say they would report misconduct if they saw it, but only 50% ever do. To understand more about this speak-up gap, download the 2024 Ethical Culture Report.
Whistleblower Protection
The update asks what companies are doing to protect employees who report misconduct. To learn how you can take meaningful steps forward on this subject, read Erica Salmon Byrne’s latest article in Fast Company.
BELA Virtual Roundtable
And for members of the Business Ethics Leadership Alliance (BELA), don’t miss a special virtual roundtable with Ethisphere subject matter experts on further questions around the 2024 ECCP update. Click here to register. Or, if you’re not a BELA member, click here to request guest access.
Resources offer ethics and compliance teams with practical insights into the 2024 Updateand ways it can guide program improvements
September 24, 2024 – Ethisphere®, the global leader in defining and advancing the standards of ethical business practices, has unveiled a range of resources providing insights into the U.S. Department of Justice (DOJ) Evaluation of Corporate Compliance Programs (ECCP) 2024 Update. This is the first Evaluation of Corporate Compliance Programs Update since March 2023, and the purpose of this update is to provide new and revised language around several key areas including artificial intelligence (AI), speak-up culture, risk assessments, program resourcing, and more.
Key resources include:
•Webcast: On Wednesday, September 25 at 1 pm EDT, Ethisphere’s Erica Salmon Byrne and Bill Coffin will discuss the DOJ Evaluation of Corporate Compliance Programs 2024 Update and what it means for ethics and compliance professionals. Register here.
•Redlined draft of the ECCP 2024 Update: Learn how the 2024 Update compares to the March 2023 Update. For example, there is an 83% increase in the use of the term ‘data’ illustrating the increased importance of data in programs; a 41% increase in 3rd parties; and a 36% in resources with references of the importance of companies ensuring that ethics and compliance is effectively resourced. Download here.
•An exclusive roundtable for Business Ethics Leadership Alliance (BELA) members where senior leaders can share perspectives on the update and discuss changes they will be making within their organizations. Learn more here.
•Special Ethicast podcast episode: Immediate insights into the 2024 Update and how these changes impact ethics and compliance teams. Watch here.
•Blog featuring top takeaways: An overview of the 2024 Update along with practical steps for E&C teams to integrate the expectations into programs. Read it here.
“The 2024 ECCP Update is significant. For ethics and compliance teams, not only does it provide direction for topics such as risk assessment, speak-up culture, and managing AI risk, it also is a huge boost to the function, with expectations that E&C teams have ‘sufficient qualifications, seniority, and stature (both actual and perceived)’ within the organization and the data, resources and technology needed to mitigate risks,” said Erica Salmon Byrne Ethisphere’s Chief Strategy Officer and Executive Chair. “We are excited to discuss this Update with ethics and compliance teams and also integrate these expectations into our benchmarking and data analysis.”
About Ethisphere
Ethisphere is the global leader in defining and advancing the standards of ethical business practices that fuel corporate character, marketplace trust, and business success. Ethisphere has deep expertise in measuring and defining core ethics standards using data-driven insights that help companies enhance corporate character. Ethisphere honors superior achievement through its World’s Most Ethical Companies® recognition program, provides a community of industry experts with the Business Ethics Leadership Alliance (BELA), and showcases trends and best practices in ethics with Ethisphere Magazine. Ethisphere also helps to advance business performance through data-driven assessments, guidance, and benchmarking against its unparalleled data: the Culture Quotient dataset focused on ethical culture and featuring the responses of 2+ million employees around the world; and the Ethics Quotient dataset, featuring 200+ data points highlighting the ethics, compliance, social, and governance practices of the World’s Most Ethical Companies. For more information, visit Ethisphere.com.
The September 2024 update to the Department of Justice’s Evaluation of Corporate Compliance Programs brings significant changes that will impact compliance programs across industries. Understanding these changes and their implications is essential for staying compliant and ensuring your organization remains prepared to showcase its compliance program if needed.
In this blog, we’ll break down the 2024 updates to the DOJ’s ECCP and share our insights on what has changed and provide actionable guidance on what compliance programs need to do next.
Overview of the 2024 DOJ Update
The Evaluation of Corporate Compliance Programs (ECCP) is a set of guiding principles used when deciding whether or not to prosecute a company for wrongdoing—namely, by asking three important questions: Is the corporation’s compliance program well designed? Does the program have the resources and support it needs to do its job? Does the program work in practice?
What Has Changed in the ECCP
This is the first Evaluation of Corporate Compliance Programs Update since March 2023, and the purpose of this update is to provide new and revised language around several key areas including artificial intelligence (AI), speak-up culture, risk assessments, program resourcing, and more.
Speak-Up Culture. The September 2024 update includes new and updated language on speak-up culture that covers 1) how companies encourage and incentivize reporting of potential misconduct or violation of company policy, 2) if the company chills such reporting in any way, and 3) how the company assesses its employees’ willingness to report misconduct.
This focus on speak up is not new; the DOJ has been discussing building a strong speak up culture to support voluntary disclosure for some time now. The language used, though, especially around both internal AND external mechanisms to raise concerns, is amplified compared to prior iterations of the ECCP. Some of the language around external reporting mirrors what we have seen in the human rights sector, with a focus on listing external sources in your discussion around raising concerns. Given the breadth of the DOJ’s remit, however, this expansion is notable.
Anti-Retaliation. Separately, the update also provides new language on how companies protect those who speak up against misconduct, namely around 1) if there is an anti-retaliation policy; 2) does the company train employes on both internal and external anti-retaliation and whistleblower protection policies, procedures, and laws; and 3) are employees who report treated differently because of it?
Peers and managers are the most likely sources of retaliation, so a discussion around the need to train managers specifically would have strengthened this section. That said, the emphasis on a robust policy and training is welcome.
Artificial Intelligence (AI). This is one of the most detailed sections of the update with a total of 10 questions that ask companies how they identify and manage risks with potential compliance implications, especially around the use of AI within the business. The questions touch on 1) how companies incorporate AI into their enterprise risk management (ERM), 2) baseline human-decision-making for using AI, and 3) accountability for use of AI.
Like all of us, the DOJ is clearly grappling with how to navigate this new technology. The emphasis is on both the risks and opportunities AI presents and sets a clear expectation around the extent your organization is using AI in its products, and those products cause harm, the compliance team’s involvement in vetting those products will be subject to scrutiny.
Lest the reader think the news on AI in the ECCP Update is all bad, the DOJ also added the fact that any delta in technology investments for sales compared to compliance/risk will be looked at carefully and with a jaded eye. If you’re fighting to get dashboards like sales has, this is a useful addition for sure.
Risk Assessments. The update also asks if companies periodically review their risk assessment and whether they have a process for incorporating lessons learned from their own risk management issues or from those of other companies operating within the same industry and/or geographical region. It is clear from the text of the document that a risk assessment must be an ongoing process and not a one-and-done; arguably even an annual process should be augmented by periodic check-ins as the business evolves and lessons are learned.
Each of these changes in compliance requirements and risk management requires a close look at your existing processes to ensure best practices. Ignoring these updates could lead to increased regulatory risk, fines, or even reputational damage.
What Compliance Programs Should Do Next
In light of such a substantive regulatory update, compliance teams should take the following steps to prepare:
Review Your Current Compliance Program: Conduct an internal audit to ensure your program aligns with the new requirements.
Update Policies and Procedures: Revise any policies that are impacted by the regulation changes.
Implement Training Programs: Train your employees and stakeholders on the new regulatory requirements.
Leverage Technology: Ensure your compliance technology is equipped to handle the changes, including real-time monitoring and reporting.
Taking these proactive steps will help ensure that your organization is fully compliant with the updated regulations and prepared for any future changes.
Ethisphere specializes in helping organizations of all levels of program maturity navigate complex regulatory changes, ensuring your compliance program is equipped to handle evolving requirements.
Our team of dedicated business integrity experts can offers a range of proven solutions to make it easier to monitor and adjust your compliance efforts in real time. Whether you need help with compliance program assessments, program benchmarking, or measuring and evaluating your speak-up culture, our team of experts is here to support you every step of the way.
Conclusion
The September 2024 Update to the ECCP represent a significant shift in how the DOJ views your compliance strategy. By staying informed and proactive, your organization can remain compliant while minimizing risks in our ever-hanging regulatory landscape.
Stay ahead of future updates and subscribe to our Ethisphere Insights newsletter for the latest insights and guidance on compliance strategy, compliance program updates, and regulatory changes.
External review of your ethics and compliance program is not only a best practice, but also an expectation by regulators as outlined above, enforcement authorities, and other standards setting bodies. An independent assessment provides valuable insights into whether your program aligns with evolving standards and informs your resource allocation and priorities. Read our Guide to Ethics and Compliance Program Assessments: Strategies, Tips and Tools and begin your 20-question program assessment to get a glimpse into your program’s overall effectiveness in our free Compliance Program Self-Assessment.
And for helpful additional resources on artificial intelligence, risk assessments, speak-up culture, and more, please visit the Ethisphere Resource Center at www.ethisphere.com/resources.
by Curtis Leicht, Senior Culture Analyst, Ethisphere
Ethical culture matters to employees, investors, and all stakeholders. Companies that have strong, values-based cultures are better places to work and well-poised for long-term success. But the key to maintaining a strong ethical culture is by measuring it. When we elevate culture from a subjective art to an empirical process, business integrity becomes something achievable, measurable, repeatable, and sustainable.
Ethical culture is the act of closing the loop between your ethics and compliance program and the lived experience of your employees.
– Curtis Leicht
Senior Culture Analyst, Ethisphere
The 2024 Five-Year Ethics Premium is 12.3%. That is the amount by which the publicly listed honorees of the 2024 World’s Most Ethical Companies outperformed a comparable index of global companies from January 2019 to January 2024. That is a pretty big number. Specific metrics like this are instrumental not only for helping to prove the value of a strong ethical culture, but they help organizations better understand where their cultural strengths and opportunities for improvement lie.
When people think of “culture,” they often think of it as a subjective and unquantifiable thing. But we know that’s not true. The truth is, it is crucial for organizations to measure their culture and develop a strong set of skills around that process so they can better understand what their data tells them, and take substantive action to transform their workplace for the better.
It’s helpful to think about ethical culture as the act of closing the loop between your ethics and compliance program, and the lived experience of your employees. At Ethisphere, we measure across eight different pillars:
Awareness of the E&C Program and Resources
Perceptions of the Function
Observing and Reporting Misconduct
Pressure
Organizational Justice
Perceptions of Managers
Perceptions of Leadership
Perceptions of Peers and Environment
Organizations can measure the degree of each of these pillars through things like employee surveys. It is important to make sure there is some sort of robust benchmark or comparison tool against which to measure any survey data, since data in a vacuum is difficult to contextualize.
But this speaks to the reality that culture is not some kind of amorphous thing that organizations can just hope works out for the best. Organizations need to take concrete steps to make sure that their culture is strong by addressing problem areas, celebrating successes, and supporting strengths.
Typically, they start that process through some sort of measurement effort to see where they’re at, to kind of get a gauge of how the employees are feeling about the program.
What does the Culture Measurement Process Look Like?
At Ethisphere, we partner closely with organizations to help plan their surveys. Ethisphere has its standard topics that we typically survey, but most organizations have the survey topics in mind that speak to their particular situation. Besides the survey itself, we also help organizations after the survey data comes in to know what it really means.
Surveys often produce thousands, if not tens of thousands of data points. How do you slice and dice that data? Are there differences in your organization from department to department? Are there differences from country to country? (And if so, are you really diving into what are those differences?) How does that compare to a peer benchmark?
Answering those questions provides a lot of context for organizations where they may not be sure where to start. But it can also help make the best use departments’ finite resources. There is a tendency to focus on a particular topic or area of the business that might be struggling more than others, but this could also be an opportunity to identify areas of the business that are doing really well, and sharing success stories on something the organization is quite strong in. It could be a particular business unit, manager, or senior leader that’s really crushing it in a specific area. And then the question becomes, how can you take what they’re doing and operationalize that across the organization?
Keeping Data Fresh
When a company undergoes a cultural survey and they’re starting to measure their culture, it produces a lot of data. And that data can be like gold if it’s used the right way. But once you have that data and you’ve worked to analyze and really understand what story it’s telling you, how long is that data good for?
There isn’t one true answer for all organizations, but data does, in fact, get stale. Typically, we see organizations measure either on an annual basis, every 18 months, or every two years. And the reason for this is because the conditions in which a survey is conducted can be impacted by big world events that themselves may affect the results of the survey. A good example of this is the COVID-19 pandemic. That crisis really changed the cultural experience for a lot of employees. A lot of employees went from on-site all the time to remote entirely, and then maybe back to hybrid. How they interacted with the organization during that time really changed the types of things that they saw and heard from their coworkers, managers, and leadership.
COVID-19 is a really clear example, but that kind of phenomenon is always happening to some extent that can impact survey results. There could also be organizational changes, leadership changes, reorganizations, different pressures depending on economic conditions. The list of potential X-factors can be extensive, so organizations will want to measure their culture on a relatively regular basis, both to see how those types of things are affecting their organization, but also, they will want to see to what degree the changes in their ethics and compliance program have had upon the organization’s culture itself.
Consider, for example, when an organization addresses a particular area like perceptions of whether people believe in the non-retaliation policy. That organization will want to remeasure to see if that work actually made a difference and then either adjust if it didn’t, or celebrate that success if it did.
Spreading the Word
Messaging and communications is incredibly important when it comes to improving organizational culture. Many compliance departments know this already, but that doesn’t make executing on it any easier. Compliance programs have a lot of control over what they do and the messages that they specifically put out. But whatever the message is that the compliance team puts out, what we see as being the most effective is when people outside of the compliance program also echo that message. That goes a long way to gaining buy-in from various stakeholders.
It also pays to think beyond the message itself—the words on the page, the content in the email or on the SharePoint site, the video or audio content—and think about who is sending that message. Who is talking about it? Who is backing it up? Because if it always comes from the same source all the time, and that source is the ethics and compliance department, then there is probably an opportunity being missed to incorporate people like senior leaders outside of ethics and compliance, middle managers, and direct managers, to talk about the messaging and really magnify its impact.
The role that managers play as the “point people” for employee perception of the health of the organization’s culture is incredibly important. When we look at Ethisphere’s own culture survey database, it’s clear that managers are the most trusted person in someone’s work life. You work really closely with your direct manager. In our 2023 data set, for example, 90.9% of employees believe that their manager acts ethically at all times. But that number for senior leadership is only 78.5%. So the data shows us there is a bit of a gap there. Largely, we think about this as people interact with their immediate manager a lot more than senior leadership. They interact in more of a direct way, either in person, day to day on Zoom calls, via Slack, and so on.
There is distance between senior leadership and the bulk of your employees. There are layers of the organization, and less interaction between them. So, knowing that immediate managers are a more trusted source of information, ethics and compliance teams can collaborate with them on ethics messaging or to have their conversations and messaging with their team align with your compliance program messaging around key topics.
We often advise organizations to engage their managers in order to amplify ethics and compliance messaging. If you can gain buy-in from your managers on a particular topic that you want to improve, and have them echo the messaging that’s coming from the compliance program or senior leadership, that will have an effect on employees because it’s coming from an internal source of information that they trust.
Case in point: An organization may have a great non-retaliation policy with a lot of messaging around it. Oftentimes we’ll hear, “We message around this all the time. I don’t know why employees don’t have faith in this policy.” If you can engage managers to talk about that policy and how it is enforced at the organizational level, then the message will come from a source of trust that will really matter to employees.
To that end, one of the things that we measure frequently is whether conversations happen between managers and their direct reports on ethics and compliance issues. This doesn’t have to be a dedicated conversation. It could be a part of a larger conversation or part of a team meeting. But we know that there is often a strong correlation between the frequency of those conversations from direct managers and positive perceptions about other key areas that we measure.
Again, turning to our 2023 data, 88% of employees that are having these conversations with their managers monthly believe that the company enforces their non-retaliation policy. But if they are only having conversations about ethics and compliance related issues annually, that confidence drops to 70.5%. There is a big impact that that we can glean from that correlation. It really shows that when managers are echoing the message or aligned with it, that makes the efforts in the ethics and compliance department a lot more effective, because they are coming from a source that is trusted already.
It is often said that people don’t leave jobs, they leave managers. With that in mind, and as we consider just how important the manager’s role is as an arbiter of organizational culture, it falls to the organization itself to ensure that managers are adequately trained to live up to that role.
Managers are the heart of your culture, and they are a big lever that you can pull to affect cultural change. So when you’re thinking about your managers, remember that they are already being asked to do a lot from different departments, from their direct reports, and their own manager. So it’s important to remember, when we’re thinking about training managers to have these conversations, that their time is scarce. It might be worth thinking about not necessarily having more conversations about ethics and compliance, but perhaps incorporating them into something else that’s already happening. That could be a weekly team meeting, or during their one-on-ones with their direct reports. It doesn’t always have to be a brand new thing.
But it’s important to remember that managers are asked to do a lot, and gaining even five minutes of their time to have a conversation can be difficult, which is certainly something to look into if you are measuring culture and you are not seeing the conversation rates that you would like, or if you’re seeing poor perceptions of managers in general.
Final Thoughts and Best Practices
The Ethisphere Culture team conducts a great deal of culture surveys. We definitely see some common threads between those organizations that see really terrific results in advancing their culture once they started to measure it.
First and foremost, they know where they stand when it comes to ethical culture. It starts with knowing where your culture is at, because only then can you know exactly where to focus your efforts, time, and resources. They also know how engaged their managers are and whether that is helping their cause or reinforcing their message.
Some of the organizations with best-in-class results do this is by providing resources and tools for managers to have the conversation. Sometimes ethics and compliance topics can be difficult to start a conversation around, but there are ways to make it an interesting conversation.
The best-in-class companies also keep in mind that their employees are probably wondering how some of this stuff works. They might get training about it on an annual basis, but it sometimes leaves them wondering, does this really work this way? Is the organization really going to, for example, protect me if I need to report misconduct? So giving those employees conversation starters and toolkits around those topics can be really helpful.
Another common thread among best-in-class organizations that we see is leadership buy-in throughout the organization. Not just the ethics and compliance department or senior leaders, but when you can get people’s direct managers all the way down the chain having the conversations, that tends to have a big impact.
And finally, we’ll see organizations incorporate ethics and compliance as a key factor in how they evaluate managers. This could be something as formal as putting it as a small piece of an annual review process or just something that they consider when somebody moves up in the organization. Does this person embody our ethical culture? Do they embody our core values? And how does that translate as they move up in the organization?
If people feel like this is a way to differentiate themselves and make themselves stand out in their career goals, then they tend to care a little bit more about it too.
To connect with the Ethisphere Culture team and learn how you can measure and elevate your organization’s culture, pleaseclick here.
Curtis Leichtis a Senior Culture Analyst in the Data & Services group at Ethisphere. In his role, Curtis helps manage and execute Ethisphere’s Ethical Culture Assessments, Culture Benchmarking, and other Ethisphere services to help organizations assess and improve their ethics and compliance programs.
