Is Your Compliance Program Working to Mitigate Compliance Risk?
The Federal Sentencing Guidelines require “reasonable steps to evaluate periodically the effectiveness of the organization’s compliance program.”
The Department of Justice (DOJ) has publicized a list of common questions the DOJ’s Criminal Division “has frequently found relevant in evaluating a corporate compliance program” in context of a criminal investigation.
The Office of the Inspector General (OIG) and the Health Care Compliance Association (HCCA) have published Measuring Compliance Program Effectiveness: A Resource Guide, a list of 401 possible metrics for measuring compliance program effectiveness (“What to Measure”), and 630 recommendations for how to measure against the metrics (“How to Measure”), that organizations could use to evaluate the effectiveness of their compliance programs.
How does your organization evaluate its compliance program?
Compliance Program
Evaluation
Organizations request our compliance program evaluation services for many reasons: reassurance that a new compliance program is headed in the right direction, confirmation that the program they’ve built and implemented is well designed and is working effectively, and sometimes because an evaluation is required by a Corporate Integrity Agreement. Whatever the context or reasons for your compliance program evaluation, confirming and facilitating your success as you operate the best compliance program for your unique organization will be our aim.
OUR THREE TIER APPROACH
At Arete we have developed a three-tier approach to evaluating the structure and operation of compliance programs. This approach allows us to provide meaningful feedback – to confirm where organizations are doing well, and to help facilitate improvement of compliance programs – at every stage of a compliance program's development and maturity cycle.
TIER III:
Evaluates whether the compliance program is strategically addressing compliance risks inherent in your unique organization.
TIER II:
Evaluates the implementation and operation of core compliance procedures.
TIER I:
Evaluates the structure of a compliance program and how it measures up against government and industry guidance.
TIER I
Program Structure and
Core Operations
Our Tier I evaluation is focused on the structure and core operations of a compliance program.
At this level our objective is to help an organization understand and evaluate at a foundational and structural level how its organizational compliance program measures up against the common elements outlined in governmental and industry guidance.
Because our “on site” assessment of a compliance program at this level is limited, our Tier I evaluation offers a good value for organizations that are just starting out on their compliance program journey or are for the first time formally evaluating the structure and operation of their compliance program.
TIER II
Assessment of the Program's Implementation and Outcomes
A Tier II compliance program evaluation works well for organizations whose compliance programs have progressed in their maturity to a place where more careful testing of the function of core compliance processes is possible and will help the organization confirm and further improve its compliance program operations.
A Tier II evaluation includes a Tier I evaluation as outlined here, and adds an in-depth assessment of the implementation and operations of core compliance program functions, including:
-
Interviews of key organizational personnel and staff
-
Evaluation of data related to core program operating procedures
-
Case studies of select compliance investigations and compliance audits
-
Identification of core compliance risk-related control procedures (e.g., physician arrangements procedures, employee & vendor screening)
-
Cultural testing to confirm a culture that understands and expects ethical and compliant decision making and operations
TIER III
Compliance Program's Strategic Mitigation of Compliance Risk
Our TIER III compliance program evaluation generally include all evaluation procedures conducted at TIER I and TIER II as outlined above.
At TIER III we add extensive mapping of the organization’s compliance risks environment (based in organizational and industry information and data), and an evaluation of the organization’s efforts to mitigate each key compliance risks.
At TIER III our work-product helps client organizations confirm that their compliance program is effectively identifying, evaluating, and mitigating key risks of non-compliance for their unique organization.
At TIER III we also work with clients to evaluate, or where needed and possible, develop and implement, metrics that will allow measurement over time of the effectiveness of specific compliance processes in mitigating compliance risks.
Compliance Program Evaluation
That Recognizes the Uniqueness
of Your Organization
It is a common refrain that “no one size [of compliance program] fits all” organizations. No two organizations will have the same organizational culture or structure, or the same compliance risks to manage. Our compliance program evaluation processes have been designed to assess both the sameness and the uniqueness we find in every compliance program we review.
The Federal Sentencing Guidelines, OIG and DOJ effectiveness documents, and industry guidance all reflect common compliance program elements that must be in place in any organization – regardless of organizational and cultural differences. And there must be an organizational culture that promotes and expects ethical and compliant decision making and conduct if a compliance program is to be effective. How these core compliance program elements interact with each unique organization, and with the unique risk profile each organization’s operations create, will cause each compliance program to vary in size, scope, approach and focus. Our evaluation process is designed to address both the common elements all compliance programs must maintain, and the unique approaches organizations must take to make a compliance program effective for their organization.
