Good morning, and welcome back. This is the eighth edition of OIG Shorts, a publication of Sheppard Mullin’s Organizational Integrity Group. In this series, we discuss practical approaches to creating a more effective Ethics & Compliance program. Past editions have provided tips on ensuring the Ethics and Compliance program is reality‐based, not letting the program become a check‐the‐box exercise, and measuring the program’s efficacy.  

Today, we discuss a compliance obligation that is sometimes honored in the breach: regular compliance self‐assessments. If you have not conducted a compliance self‐assessment in the last year or two, there are good reasons not to let this linger. First, virtually all U.S. regulatory agencies require risk‐based compliance analysis, and most of them recommend periodic self‐assessments as a way to achieve it. Second, in our experience, most company compliance programs explicitly commit the company to periodic self‐assessments. Third, and maybe most importantly, a well‐executed self‐assessment empowers you to target your scarce compliance resources to the greatest risks. That reduces the likelihood of violations, and adds a powerful mitigating factor in the event a violation does occur.

In our experience, a good compliance self‐assessment need not be overly complex. There are a few basic steps that should always be considered, though, including the following:

1. Establish a high‐level scope and outline of steps before beginning the review

2. Consider conducting the review under the cloak of the attorney‐client privilege, so that findings can be discussed openly within the company and disclosure to third parties can be prevented

3. Conduct framing interviews and revise the scope of the review as necessary

4. Collect and analyze data and records

5. Interview personnel

6. Analyze the facts and establish risk‐ranking criteria

7. Document the analysis

8. Take specific risk‐mitigating actions

   1. Highest priority risks must be addressed first

   2. Consider required measures (for example, applicability of any mandatory disclosure rules)

   3. Establish a budget and timeline for remedial measures

   4. Establish task owners for remedial measures, and find ways to enforce accountability for completing the tasks

9. Test the efficacy of the corrective actions in future compliance assessments

So don’t wait any longer. Taking these steps can help your organization target scarce resources to the highest risks. It will also help you prevent and detect violations. And if there are violations, having conducted a good compliance self‐assessment will help demonstrate the organization’s commitment to compliance, document decisions not to spend resources in certain areas, and mitigate penalties.