Sometimes questions about corporate compliance programs can be more complicated than they first seem. Such was the case when a compliance officer recently asked me, “Can you point to anything specific that says why compliance officers should benchmark their programs? Like, some requirement for benchmarking that I can bring to the board?”
At first, I almost didn’t grasp the question. Doesn’t everyone already know the value of benchmarking? Haven’t regulators stressed the importance of benchmarking your compliance program against industry norms for years? Isn’t the importance of benchmarking self-evident?
Then I began digging, and soon discovered that explicit, “Thou shalt benchmark” directives are vanishingly rare.
Fair enough, but benchmarking your compliance program against industry norms is crucial for long-term success. Let’s consider the arguments in favor of benchmarking, so you can win support from the many parts of the enterprise whose help you’ll need.
It helps with regulators.
You won’t find the words “benchmark” or “benchmarking” in the Justice Department’s guides for effective compliance programs, the FCPA Resource Guide, or any of the other texts compliance professionals hold dear. Nor have any Justice Department officials discussed the importance of benchmarking your compliance program in any speech that I could find, going back to 2014.
That doesn’t mean you can disregard benchmarking. On the contrary, benchmarking your program against others is vital to meet regulators’ expectations, even if they’ve never uttered the actual word.
Consider the following questions from the Justice Department’s guidelines for effective compliance programs. They are all questions prosecutors might ask you, depending on the misconduct issue in question.
- What steps has the company taken to determine whether its policies, procedures, practices make sense for particular business segments or subsidiaries?
- Does the company review and adapt its compliance program based upon lessons learned from its own misconduct or that of other companies facing similar risks?
- What methodology has the company used to identify, analyze, and address the particular risks it faces?
- Are the reporting and investigating mechanisms sufficiently funded?
You can’t answer those questions well without some understanding of how your compliance program compares to your peers. Benchmarking allows you to place your program into a larger context, so you can argue more persuasively that your company has given the compliance function its proper respect, resources, and attention.
The Justice Department guidance also says this: “Prosecutors should consider whether the company has engaged in meaningful efforts to review its compliance program and ensure that it is not stale.”
Again, you won’t score well on that point if you don’t benchmark your compliance program against others. Without the larger context that benchmarking provides, you’re updating your program in a vacuum. Maybe that approach will succeed, but if it goes wrong – if you suffer some compliance failure that peer companies addressed long ago, but your company didn’t – your decision not to benchmark could bring painful consequences.
It helps with your enterprise.
Benchmarking your compliance program helps with many practical, “internal” concerns as well. For example…
It helps with management, when you’re making budget or staff requests. Most management teams do support a strong compliance program in theory; they just want to do so as cheaply as possible. You can’t fault them for that. Bringing evidence of how other companies (above all, companies that are peers of yours) manage their compliance program will help you convince management that your requests are well-grounded.
It helps with First Line operating units, when you’re asking them to change policy or procedures for some compliance purpose. The more evidence you can offer about why that change is necessary, including how other organizations handle the same issue, the stronger your argument will be.
It helps with legal, IT, internal audit, and other risk control functions, when you want to structure risk management processes in a certain way. For example, if you’re a fairly large organization and want the CCO to report directly to the CEO rather than the board, benchmarking yourself against other large organizations will help you understand how plausible that idea truly is.
In short, understanding how your own compliance program compares to those of other companies can help you in a host of practical ways as you seek to keep your program robust and successful.
It helps with your compliance program.
Perhaps most importantly, benchmarking your compliance program helps you personally, as you strive to understand whether your approach to compliance works.
For example, you might notice a spike in complaints to your internal hotline about sexual harassment. How would you determine whether that spike is due to broad social or economic factors, such as the #MeToo movement, versus issues specific to your company, such as a problematic new manager?
You can’t, really, unless you compare your program’s performance against industry norms. Indeed, I picked that harassment example above because NAVEX’s own Whistleblowing & Incident Management Benchmark Report detected that trend (a rise in harassment complaints after #MeToo that eventually subsided) in the early 2020s.
Or think about the structure of your program. Do you have enough staff for an organization your size? Do you have enough budget? Are you personally being paid enough money? The Society of Corporate Compliance & Ethics publishes budget and salary surveys in alternating years to help you place your own program in context.
We could keep going with more examples; vendors, consulting firms, trade associations, and even the news media publish benchmarking surveys all the time, on a wide range of issues.
The important point for compliance officers is that benchmarking is crucial to the success of your compliance program in all sorts of ways. It shows regulators that you’ve given thought to how your company can best address compliance risks; it helps you have better conversations with the rest of the enterprise about how your program should work; and it helps you and your team to better understand what all that compliance data you generate really means.
So, is there a commandment anywhere that says, “Thou shalt benchmark”? No. But you’d be wise to run your program like there is one anyway.