Can You Prove Your Ethics and Compliance Program Works?

There’s a temptation to treat program assessment as a regulatory exercise to do because the DOJ guidance says you should. But program assessment really deserves to be framed as a management discipline, with the regulatory expectation almost secondary to the operational one.

Organizations that conduct external assessments most consistently don’t doing so because they’re compelled. They do so because they’ve accepted a basic reality: any team, no matter how capable, develops blind spots when it operates in isolation long enough. Benchmarking against peers, identifying structural gaps before they become liability, understanding whether what you believe about your program matches what your stakeholders actually experience — these are all operational questions. They don’t belong on a compliance checklist. They belong in a program strategy.

That question got a thorough examination in a recent Ethisphere webinar, Can You Prove Your Ethics & Compliance Program Works? How Leading CECOs Assess Gaps, Prioritize Action, and Prepare for Scrutiny, moderated by Jonathan Whitacre of Ethisphere. The conversation featured two people with direct, practical experience on both sides of the assessment process: Emily Miner, Ethisphere’s Director of Data and Services, who leads this work with client organizations, and Pete Blumberg, Vice President and Chief Compliance Officer at FedEx Corporation, who has been through it and came prepared to say what it actually taught him.

For a program operating at FedEx’s scale (500,000 team members, 220 countries and territories, currently undergoing a major organizational restructuring), that gap between belief and evidence is simply too consequential to leave unexamined. The people those policies are designed to protect deserve something more rigorous than self-assessment.

The triggering conditions for an external review don’t have to be dramatic. Blumberg points to three that converged for FedEx: significant organizational change, new program leadership, and a program that had been running long enough that its founding assumptions needed stress-testing. Any one of those is a reasonable trigger. All three together make the case almost automatically.

What Good Assessment Actually Looks Like

The structure of a credible external assessment follows a logical progression, and understanding it helps compliance leaders know what to expect and what to push for.

It starts with organizational context: structure, risk profile, operating model, business strategy. From there, a structured questionnaire covers program design, implementation, and how effectiveness is measured. Then document review: policies, training materials, investigation protocols, org charts, across every program element. The documentation tells you what the program looks like on paper. What comes next tells you how it actually works.

Stakeholder interviews are where an assessment earns its value. Miner’s approach organizes these in concentric circles, with the ethics and compliance team at the center, then sister control functions (HR, legal, internal audit, procurement), then the business: operations, sales, executive leadership, the chair of the oversight body. The outer circles get scheduled first, because that’s where calendar conflicts are most likely and the stakes of missing the conversation are highest.

One detail that matters: interviews don’t come with prepared questions sent in advance. The goal isn’t to let anyone rehearse. It’s to understand how the program actually functions on the ground, not how people frame it when they’ve had time to prepare their answers.

The assessment concludes with a maturity rating across six program pillars and a prioritized set of recommendations, organized to be actionable over a two-to-three year horizon. Not a laundry list, but a roadmap.

Two elements of the assessment process tend to be underestimated by organizations going through it for the first time.

The first is stakeholder burden. The instinct is to let the external assessor handle logistics, reaching out directly to schedule interviews and collecting documents independently. The smarter approach is for the compliance team to absorb that work entirely. Handle document collection. Manage interview scheduling. Give executives a clean, contained ask: here’s the window, here’s the half hour, this is when we need you. The more friction the program team absorbs, the more cooperation it gets from the people whose perspective is hardest to access and most valuable to have.

The second is what the process reveals about relationships that weren’t previously visible. When an assessment calls for conversations with people in operations and sales, the question of who to call surfaces quickly. If identifying those people is a struggle, that difficulty is itself a data point. The assessment doesn’t just measure the formal program. It maps the actual network of relationships the program depends on.

On Cadence, and the Trap of Doing It Too Often

Among Ethisphere’s World’s Most Ethical Companies® cohort, roughly 73% conduct an external assessment at least every three years. The range runs from annual to triennial, but the underlying principle is consistent: frequency has to be calibrated to utility.

An assessment done properly is resource-intensive. It generates a substantial action agenda. Organizations need time to implement changes, observe their effects, and build genuine evidence of progress before submitting to external scrutiny again. Done too frequently, assessments accumulate without producing real change.

The right model treats the external assessment and ongoing internal monitoring as complementary instruments, not substitutes. Culture surveys, targeted risk assessments, and focused business-unit or regional reviews keep the program honest between larger periodic reviews. A close partnership with internal audit keeps it honest year-round. FedEx, for instance, runs a biannual integrity survey, builds integrity-specific questions into a broader annual HR survey, and organizes risk assessments by region, operating unit, and specific risk type. The external assessment provides the holistic picture while the internal monitoring keeps it current.

What the Report Is Actually For

When the findings report lands, the instinct is to move quickly: present it to leadership, show the board, start addressing gaps publicly. The more effective approach is to slow down deliberately.

The compliance team should review the findings together before anything goes to leadership, not to sanitize the results, but to show up with the beginning of an action plan rather than a raw list of findings. The framing shift from “here’s what they found” to “here’s what we’re doing about it” changes the entire dynamic of the conversation with executives and boards. It positions the program team as strategists, not subjects.

A second thing worth understanding: very little in a well-run assessment should come as a surprise. Compliance leaders generally know their programs well. They know where investment has been strong and where it hasn’t kept pace. What the external assessment provides isn’t revelation; it’s validation. Third-party confirmation of what the program team already suspected, with benchmarking data to support arguments that might otherwise stall internally, and a credible independent voice to make the case for investments that leadership hasn’t yet prioritized.

When the findings do surface something unexpected, that’s valuable too. But it shouldn’t be the expectation.

Strengths Matter as Much as Gaps

The gap-analysis framing tends to dominate how people think about program assessment, and it misses something important. A well-conducted assessment identifies what a program does well with the same rigor it applies to identifying where it falls short, and those strengths deserve to be communicated with the same intentionality as the improvement areas.

The team running an ethics and compliance program needs to know where its work is genuinely effective. So does the leadership it reports to. Strengths aren’t just morale boosters; they’re the foundation the program builds from, and they’re the argument for sustained investment. An assessment that only surfaces gaps undersells the work and leaves the program team without the evidence it needs to advocate for itself.

That’s the real case for treating an external assessment as a complete picture rather than an audit. It’s not there to find what’s wrong; it’s there to show you what’s true.

Want to go deeper? Watch the full webinar — Can You Prove Your Ethics & Compliance Program Works? — and reach out to Ethisphere to explore a custom benchmark report for your industry.

---

---