While every compliance professional aspires to create a program that changes employee behavior and cultivates an ethical culture, every program needs to meet certain regulatory requirements and expectations. In a Q&A with Eric Morehead, a certified compliance and ethics professional with 18 years of compliance experience, we explore what the Department of Justice and other regulatory bodies expect from E&C programs in 2018, how they define program effectiveness, and how to take a risk-based approach that helps meet those expectations.
Beyond looking at completion rates, how can you measure and test the effectiveness of ethics and compliance training?
I think you can look to other data metrics on timing of answers, the number of failures on particular questions, and the time spent on certain sections of the online training, as well as other data collected by the system you're using to deliver that training. You can also look at data related to demographics, location, and job function related to those responses. All of this data is helpful within a training tool to spot trends. Outside the training platform itself (or in conjunction with the platform), organizations can test through internal surveys after training (3 months or 6 months later, for example) to gauge longer-term understanding and retention. There's a great example of how employee surveys and "testing out" can work in a recent case study SAI Global completed with Johnson Controls International, where they were able to show, with data, that employees understood all nine of their risk topics more in 2017 than they did in 2016.
Can you provide a few examples of what an informal communication plan looks like around an ethics and compliance program?
A communication plan can be as simple as a quarterly message from compliance to managers encouraging them to include a few bullet points about a particular risk topic in their regular communication, or as sophisticated as a matrixed timeline of multiple ongoing communication efforts (live touchpoints, current events in the news, video, emails, newsletters, manager-led communications, “Compliance Week” activities, and quizzes/games/competitions).
These could come from a varied group of sources, including execs, compliance, legal, marketing, operational management and outside resources. The key is to start with something manageable, such as having a sample of operational managers deliver two or three key points on a risk topic (e.g. retaliation), and then evaluate the effectiveness of the approach and build on that experience.
Can you share any standard outlines which make for an "effective" ethics program in the same way that regulators give guidance on what constitutes an effective compliance program?
I wouldn't draw such a clear distinction between ethics and compliance, because the regulators don't. As mentioned in the webinar, you cannot effectively implement a compliance program without a culture of ethics. Working on building, improving, and nurturing a culture of ethics is a key aspect of any successful compliance program. Assessing and addressing culture issues, such as fear of retaliation or a belief that there is no organizational justice, should be a major piece of any risk assessment to evaluate the program. If your assessment does not include a culture assessment component in the scope, it is probably not covering your needs.
How can a company measure the "value and/or effectiveness" of their Compliance or Risk Management Program?
The framework discussed in the last half hour of the webinar, I believe, is a good place to start. I would leverage whatever has been done in the past, including enterprise risk management (ERM), or an audit process that touches on compliance issues or compliance program components, and then consider building out a compliance assessment model using the Sentencing Guidelines as a broad standard to develop findings. If you lack the resources (primarily time) to develop your own model and methodology, I'd investigate third-party models.
What programs should be included under the Compliance Department in a hospital? (ie, RAC, 340B, Contracts, etc.)
As mentioned in the webinar, I think that it's hard to draw bright lines – particularly when discussing areas that overlap with “regulatory” compliance. There are two things to keep in mind here:
First, there is no one-size-fits-all. HHS OIG, as well as other regulators, have areas and issues they expect to be addressed, but they (generally) also recognize that all organizations are different. I think you start with determining (best you can) what peer organizations include in their assessments. From past experience with a regional hospital organization, I can tell we did include the contracting process/systems and PHI/PII compliance, as well as a broad overview of payment compliance systems/process (Medicare/Medicaid/Pharma).
This was along with the sorts of items all organizations would consider (training, monitoring, written standards, etc.). There are likely going to be things you'll want to include that peers won't include based on your particular risks (the critical nature of the system/process, the potential severity of a breech or failure, etc.). And there are going to be things that peers focus on that you won't. It's important to evaluate each individual organization's risk universe to accurately make these determinations. It's hard to know what the scope is without going through the evaluation.
Second, you don't have to do it all – or do it all at once. If you develop a methodology for assessment, it could end up being a 2-3 year process where you cover roughly a third of the program per year, for example. Maybe, as with audit, the components of this rolling assessment change and certain components, because of their risk/criticality, are covered more frequently (e.g. perhaps handling of PHI/data sec is a yearly review and looking at the investigation/discipline process is every third year).
To give the lawyerly answer: it all depends. You really have to look hard at the potential risks you face and then make a determination about what you are going to cover and how. This often involves having to draw a line somewhere. I think the key is making sure that drawing that line is thoughtfully done.
What are best practices for managing and monitoring the numerous sets of regulations for changes, assessing for impact, and implementing action plans, given that emerging regulations come from many sources and impact multiple departments?
There are systems out there you can use to manage this process. For many organizations, particularly in highly regulated spaces (insurance, for example), turning to electronic systems to manage the flow and make sure a broad group of resources throughout the enterprise are aware of the impact, understand the implementation and can communicate the status and results is the only way to manage it. SAI offers regulatory compliance and risk solutions, for example, that organizations have used for this purpose in the past.
Does the DOJ's policy of not prosecuting companies based on FAQs and other guidance that haven't been subjected to notice-and-comment rulemaking affect the DOL's expectations regarding ethics and compliance?
A rule of thumb regarding compliance expectations, as with anything else, is to make sure that you are conforming with the more restrictive expectations regarding your program. It is unlikely that the Department of Labor, or any agency that has specific requirements, will be swayed by the DOJ's stated expectations if they don't address the issue or are less restrictive. And even if such an argument could be made and was successful, in most cases, it's probably easier and far cheaper to comply with the restriction in the first place.
For example, the FAR (Federal Acquisition Regulation) include a lot of requirements that overlap with our general understanding of compliance program expectations (e.g. oversight, written standards, periodic evaluation), but also have a very specific rule about hotline/helpline information being posted publicly in all common work areas operated by government contractors, as well as on their websites. So, to be in compliance with the FAR rules, they have to have very specific hotline poster regimes (see 48 CFR 52.203-14). That sort of very specific admonishment regarding posters in work areas and website notices doesn't exist in any DOJ guidance (so far), and you can imagine a program that is “effective” under the DOJ guidance but then still technically out-of-compliance with FAR. I don't know of any contractor that wouldn't post the posters and notices.
On March 28, 2018, SAI Global hosted a webinar with Eric Morehead on the expectations that regulatory bodies have of ethics and compliance programs. To watch the full CCB CEU eligible recording of this webinar, access it here.
Guest post by Eric Morehead
Eric Morehead has spent 18 years working with organizations to investigate regulatory issues and improve compliance programs. He is a former criminal defense lawyer and United States Supreme Court Assistant General Counsel, and today, he is the founder of Morehead Compliance Consulting and host of the Compliance Beat podcast series.