Compliance officers, it is time to rejoice, reflect and re-educate. We should rejoice because the U.S. Department of Justice just issued a guidance document that unequivocally supports our role, especially in places where we’ve had trouble making a case with specificity (e.g., resources). We should reflect on our programs because there are seriously high expectations for risk assessments, program evaluations, planning and tracking metrics, and integration with other functions. And we should re-educate our leaders about the criticality of the independence of our function, requirements to fund it correctly, and to provide access to the Board and/or Audit Committee.
The Evaluation of Corporate Compliance Programs Guidance Document (“Guidance”) is structured into questions that a prosecutor will ask to evaluate the effectiveness of the company’s compliance program – both before an incident occurs and after an incident is known. These questions give answers – they show what the DOJ thinks is important in an effective compliance program. Here are 10 critical musts that compliance officers need to know from the new DOJ’s Guidance.
1. Compliance MUST be Properly Resourced
There can be no doubt that a major factor in the evaluation of a compliance program is this: Is the compliance department properly resourced? The word “resource” appears 21 times in the 18-page document. The compliance program must be properly resourced with staff and budget. Twice the Guidance states that the compliance function must have the resources to be able to “audit, document, analyze and act.” Importantly, one of the questions prosecutors are to ask is, “Have there been times when requests for resources by compliance and control functions have been denied, and, if so, on what grounds?” It is critical that you explain the DOJ’s approach to resourcing the compliance department to your board of directors and C-Suite. They need to know how thoroughly that resourcing will be analyzed if there were a prosecution. Speaking of the Board…
2. Compliance MUST have Independent Access to the Board of Directors or Audit Committee
The Guidance leaves no wiggle room for this: Compliance MUST have independent access to the board of directors or audit committee. The Guidance instructs prosecutors to ask whether the compliance function has, “direct reporting lines to anyone on the board of directors and/or audit committee.” The Guidance reiterates this requirement when it instructs prosecutors to evaluate the sufficient autonomy from management, such as “direct access to the board of directors or the board’s audit committee.” The guidance again reiterates this requirement when it instructs prosecutors to evaluate, “the authority and independence of compliance and the availability of compliance expertise to the board,” and yet again when the prosecutor is instructed to evaluate the structure of the compliance function, including whether the compliance function is, “an independent function reporting to the CEO and/or board.” There is no ambiguity – Compliance must have a direct reporting line and time with the board.
3. Compliance MUST be Integrated with Other Functions
Throughout the Guidance, it is clear that prosecutors expect that Compliance is integrated and pro-actively working with other functions, especially internal audit, procurement, and third-party vendor management. The Guidance also states that during mergers or acquisitions, Compliance is expected to participate in the pre-merger/acquisition due diligence and participate in the integration process of the new company. It’s not enough to for Compliance to stand by itself on an island. The Compliance function should be working with others effectively and on a regular basis to implement the program systemically throughout the organization.
4. Compliance MUST Adopt a Risk-Based Approach:
Some companies fear truly implementing a risk-based approach because they are worried that they’ll miss something and be held accountable. The DOJ guidance makes crystal clear that this isn’t the case. The Guidance states that a risk-based approach is not only acceptable - it is expected. This is true “even if [the program] fails to prevent an infraction in a low-risk area.”
The Guidance goes on to state that a risk-based approach is necessary to avoid “devot[ing] a disproportionate amount of time to policing low-risk areas instead of high-risk areas.” It gives examples, and warns that companies should “give greater scrutiny, as warranted, to high-risk transactions (for instance, a large-dollar contract with a government agency in a high-risk country) than more modest and routine hospitality and entertainment.”
5. Compliance MUST Implement Metrics that Matter
The Guidance repeatedly instructs prosecutors to ask whether metrics have been created, monitored, evaluated, and acted on to determine whether the program is effective. The word “metrics” appears three times, and “monitor” appears ten times within the Guidance.
The Guidance expects that metrics are implemented and monitored with respect to (1) policies and procedures, (2) investigations, (3) third-party relationships, (4) risk management/risk assessments, and (5) training. A successful compliance program needs metrics, and it needs those metrics to show the effectiveness of the program. (See our multi-part series on Metrics that Matter, beginning with Part I here)
6. Your Gatekeepers and Managers MUST be Trained Differently
The Guidance is clear that those in the business responsible for carrying out compliance obligations must be trained and educated differently (or additionally) to the general employee population. Prosecutors are instructed to inquire whether “supervisory employees received different or supplementary training.”
The Guidance reiterates this requirement when it asks, “What, if any, guidance and training has been provided to key gatekeepers in the control process (e.g., those with approval authority or certification responsibilities)? Do they know what misconduct to look for? Do they know when and how to escalate concerns?” Blanket training of all employees simply isn’t good enough. The DOJ expects “gatekeepers” and those in charge to know how to respond to high-risk activity specifically. To do so, they must be properly trained.
7. Compliance MUST Adopt Stringent Third-Party Controls AND Continuous Monitoring of those Third-Parties
Gone are the days when a single sanctions check was acceptable third-party risk management. The Guidance sets very high expectations when it comes to third-party management. As previously highlighted, the Guidance endorses a risk-based approach to third-party management, but the approach to high-risk third-parties must be robust. Not only should the company ensure that contract terms provide safeguards and a description of the work to be provided by third-parties, but follow-up should be done to ensure that the work is actually being performed. To that end, for high-risk relationships, the Guidance anticipates that the company will have audit rights to analyze the books and accounts of third-parties, then evaluates whether the company has exercised those rights in the past.
Prosecutors are instructed to assess “whether the company engaged in ongoing monitoring of the third-party relationships, be it though updated due diligence, training, audits, and/or annual compliance certifications by the third-party.” Third-party due diligence has always been key to a good compliance program. The Guidance makes clear that the DOJ expects this area of risk to be covered consistently and with great focus.
8. Compliance MUST Communicate its Policies and Procedures to Third-Parties
Continuing on the theme of third-parties, it is incumbent on the company to communicate its policies, procedures, and expectations to third-parties in no uncertain terms. Prosecutors will evaluate whether steps have been taken “by the company to ensure that policies and procedures have been integrated into the organization, including through periodic training and certification…where appropriate, [for] agents and business partners.”
Companies are expected to communicate “its policies and procedures to all employees and relevant third-parties.” Policies and procedures can be provided to third-parties through a Supplier Code of Conduct, via contract terms, or online on the company’s website.
9. Companies MUST have a Robust Whistle-Blowing Process
Companies must have a robust whistle-blowing process, and this process must include, “pro-active measure to create a workplace atmosphere without fear of retaliation, appropriate processes for the submission of complaints, and processes to protect whistle-blowers.” Companies can expect to be asked whether they have a whistle-blowing procedure, “and if not, why not?”
The system must be publicized to the company’s employees, and the compliance function should have “full access to reporting and investigative information.” The company should review whether and how the system is used, and the types of allegations received. The company should also “apply timing metrics to ensure responsiveness.” An entire section of the Guidance is focused on confidential reporting structure and the investigations process. Make sure your company’s whistle-blowing process would pass inspection.
10. Compliance MUST have Compliance Program Evaluations Performed
Prosecutors are instructed to consider, “whether the company has engaged in meaningful efforts to review its compliance program, and ensure that it is not stale.” It is critical that companies “evaluate periodically the effectiveness of the” program. It’s not enough to set up a compliance program and have it trundle along.
Compliance program evaluations should be expertly designed and documented, as prosecutors will ask “what testing of controls, collection, and analysis of compliance data, and interviews of employees and third-parties does that company undertake? How are the results reported and action items tracked?” The evaluation must include, “a gap analysis to determine if particular areas of risk are not sufficiently addressed in its policies, controls, or training.” A professionally designed and conducted compliance program review is the best way to ensure your compliance program meets regulatory expectations and best practices.
The DOJ’s Guidance isn’t Earth-shatteringly new. Rather, it expands upon previous guidance in a deeply practical and pragmatic way, highlighting specific expectations a prosecutor would have when evaluating the effectiveness of a compliance program. Compliance officers can and should apply the lessons contained in this Guidance. Your company’s prospects for mitigating credit against fines and prosecutions depends on it.
Spark Compliance Consulting provides expert compliance program evaluations and risk assessments incorporating the Guidance provided by the DOJ. Contact email@example.com or visit our website for more details.