On 30 April 2019, the Criminal Division of the US Department of Justice (DOJ) published new guidance for the Evaluation of Corporate Compliance Programs that expands and elaborates on its previous version, issued in February 2017.
The guidance is meant to assist prosecutors in determining the effectiveness of a company’s compliance program, both at the time of the misconduct and at the time of charging, in the context of criminal investigations. Now that companies know the minimum standards the regulator will expect, they have the opportunity to think proactively about pragmatic ways to define and implement adequate corresponding controls.
- Leverage previous experience
There is no disconnect between the elements of a corporate compliance program as described in the guidance and those of an overall well-established internal control environment, such as one implemented for Sarbanes-Oxley purposes. Effectiveness will be assessed through the same three overarching questions: (i) is the program well designed, (ii) is it implemented, and (iii) does it work in practice?
It is therefore valuable to obtain input from people within the organization who have experience in the relevant areas, in order to (i) avoid reinventing the wheel and (ii) benefit from valuable advice, especially regarding pitfalls to be avoided.
- Focus on what matters
A company will never be able to prevent every instance of misconduct or identify every incident. Such an approach would not only be too costly but also unreasonable. As with commercial business matters, a company has to adopt a risk-based and proportionate approach to compliance, and decide which areas to address first in order to catch misdeeds that have a significant impact on its business, value or reputation.
Logically, given the ever-changing environment in which companies operate (e.g. business, regulatory), as well as feedback from previous incidents, the company has to periodically review and revise its risk assessments. This has to be an iterative and continually evolving process.
A thorough, ongoing identification of risks, focused on the relevant high-risk areas, will optimize the company’s resources and demonstrate maturity to regulators.
- Keep accountability for third parties
Too many companies still think they are exempt from understanding whether their third parties take compliance seriously. Business partners can legitimately be an essential part of the organization’s overall compliance program, and any misconduct by a supplier is a potential liability (financial, reputational, etc.) for the company. It is therefore crucial that third parties be monitored on compliance as they would be on any other business aspect, and that appropriate controls and measures are put in place.
An interesting point mentioned in the guidance is the global management of blacklisted suppliers. How can international organizations, often with decentralized structures and disparate ERP systems, ensure that suppliers who failed due diligence or were terminated after misconduct are not re-engaged? Pragmatic measures include: (i) starting every third-party due diligence with a strong background check within the organization, and automatically disqualifying suppliers who failed at that stage; (ii) suspending all dormant third-party accounts and requiring due diligence before they are re-activated. This might appear obvious, but most incidents result from obvious oversights.
- Make sure your employees understand
The goal of policies and procedures is much more than being able to show the regulator written statements proving their existence: it is to make sure employees understand the rules and how to comply with them.
To that end, they should be kept simple. They should not dwell on vague or complex concepts but rather link them to practical day-to-day operations. They should not be written in legal jargon but in understandable wording. Finally, companies should ensure that employees have read them, understood them, and adhere to their content.
This last point can be covered with training sessions, provided they remain targeted in form, content and audience. As with any other compliance-related topic, the “one-size-fits-all” online training may be tempting, but it should never be more than a single element of a broader training strategy that also includes, for example, one-to-one or group sessions.
- Develop the culture of compliance
Last but not least, and probably encompassing some of the elements above, corporate culture will shape the most significant part of the compliance program. The behavior of top leaders (tone at the top) will show how they align in practice with the program and the messages they aim to convey. It will also shape how the organization itself regards compliance: a message alone does not define the culture within an organization; the way employees embed compliance in their daily operations does.
Yet this cultural aspect is often reduced to a top-down, all-purpose statement by top management, where the message is too vague and imprecise, and hard to translate into metrics. In a word, culture is “a soft issue [that] companies struggle to measure [the] effectiveness [of]”.
Feedback is key. Employees (at all levels), clients, suppliers, and all other groups interacting with the organization should regularly be given the opportunity to assess how compliance lives within the company. In addition, transaction testing is essential in providing context and empirical evidence. The results make the compliance program and the overall culture concrete and well defined.
Of course, this may produce statements or outcomes that top management is not happy with, but it is a good way to measure how individuals adhere (or not) to the program, and consequently its effectiveness.