In Part 1 of this blog series, we explored how the Department of Justice’s “Evaluation of Corporate Compliance Programs” document can help provide a blueprint for operationalizing your compliance program. Released in February 2017, the Evaluation remains a useful guide to DOJ’s current thinking on compliance program best practices. Specifically, the Evaluation provides every compliance practitioner with:
In Part 2 of this blog, we delve into the Evaluation’s No. 6 through 11, including Risk Assessments; Training and Communications; Confidential Reporting and Investigations; Incentives and Disciplinary Measures; Third-Party Controls; and Mergers and Acquisitions.
Evaluation No. 6 – Risk Assessments
In the area of risk assessments, a compliance practitioner will need to consider the methodology the company used to identify, analyze, and address the particular risks it faced, coupled with the metrics the company has collected and used to help detect the type of misconduct in question and, in particular, “How has this information informed the company’s compliance program?” In a section titled “Manifested Risks,” the Evaluation poses the following question, “How has the company’s risk assessment process accounted for manifested risks?”
Evaluation No. 7 – Training and Communications
The next area of inquiry is training and communications. Here, the inquiries are about whether you have adequately risk-ranked your training and then delivered effective training “tailored” for high-risk employees. This picks up the language from the recent General Cable FCPA enforcement action. It also demonstrates how the continuous loop of innovation in compliance is driving the evolution of best practices. It was General Cable that provided the tailored training as a part of its remediation efforts, and now we find it incorporated directly into this DOJ Evaluation. The DOJ also reiterates the requirement to determine the effectiveness of your compliance training. The Evaluation specifically suggests a company communicate about employee misconduct throughout its organization. Added to this is an inquiry into the effectiveness and availability of compliance guidance. Finally, and definitely a key inquiry, is whether employees are able and willing to seek compliance advice.
Evaluation No. 8 – Confidential Reporting and Investigations
Under confidential reporting and investigations, the tests are around determining the effectiveness of your compliance reporting mechanisms through your triage protocol, how seriously a company takes a reported issue, and whether compliance is kept in the loop around investigations. You will also need to consider your investigative protocol and whether investigations “have been properly scoped, and were independent, objective, appropriately conducted, and properly documented.” Following these protocol inquiries are those regarding your company’s response to investigations. The Evaluation asks, “Has the company’s investigation been used to identify root causes, system vulnerabilities, and accountability lapses, including among supervisory managers and senior executives? What has been the process for responding to investigative findings? How high up in the company do investigative findings go?” While it seems clear, it bears stating now that all such actions must be documented going forward, so that they can be shown to any regulator who comes knocking.
Evaluation No. 9 – Incentives and Disciplinary Measures
The next section is an inquiry into carrots and sticks, or more formally incentives and disciplinary measures. Once again demonstrating the need to put compliance into the fabric of an organization, there is an inquiry into the role of Human Resources (HR) in any disciplinary process. There is also a series of inquiries into the response to Code of Conduct or other violations, “What disciplinary actions did the company take in response to the misconduct and when did they occur? Were managers held accountable for misconduct that occurred under their supervision? Did the company’s response consider disciplinary actions for supervisors’ failure in oversight?” Of course, the disciplinary action itself should be evaluated. Finally, and in an inquiry which I can only say warms my heart, it asks, “Have the disciplinary actions and incentives been fairly and consistently applied across the organization?” But it is not only the sticks a company employs but also what incentives you have in place for doing business ethically and in compliance. A compliance practitioner needs to consider how his or her company has incentivized and rewarded compliance. Recognizing that compensation systems can misplace pay incentives, the Evaluation asks, “Has the company considered the potential negative compliance implications of its incentives and rewards?”
There are also questions around continuous improvement, periodic testing and review. First are inquiries into your internal audit function, including the audit protocol, audit findings, who received them and how they were used for remediation going forward, particularly in high-risk business units or geographic areas. A company needs to consider its internal compliance controls environment going forward, including testing of “relevant controls, collection and analysis of compliance data, and interviews of employees and third-parties? How are the results reported and action items tracked? What control testing has the company generally undertaken?” Lastly, how often have you updated your compliance program, including your policies and procedures and Code of Conduct?
Evaluation No. 10 – Third-Party Controls
The next area is around third parties. As this has long been recognized as one of the highest-risk areas under the FCPA, the Evaluation re-emphasizes the need to identify those with whom your company is doing business, perform an appropriate level of due diligence, and then investigate and clear any red flags which may have arisen. Beyond these straightforward and well-known requirements, the Evaluation also focuses on the appropriate internal compliance controls for third parties on both the sales side and in the supply chain.
Finally, and most importantly, the Evaluation recognizes that the management of your third parties is where the rubber hits the road, in a section literally entitled “Management of Relationships” where it raises these questions, “How has the company considered and analyzed the third party’s incentive model against compliance risks? How has the company monitored the third parties in question? How has the company trained the relationship managers about what the compliance risks are and how to manage them? How has the company incentivized compliance and ethical behavior by third parties?”
Evaluation No. 11 – Mergers and Acquisitions
In the area of mergers and acquisitions (M&A), the Evaluation points to the need to perform both pre-acquisition due diligence and post-acquisition integration. However, it also brings in the concept of using what you learn in the pre-acquisition phase to drive your post-acquisition integration, in asking the following questions, “What has been the company’s process for tracking and remediating misconduct or misconduct risks identified during the due diligence process? What has been the company’s process for implementing compliance policies and procedures at new entities?”
What the DOJ Evaluation Means for the Compliance Practitioner
Any company that simply puts a paper program in place, whether it is certified or not, and then sits back on its collective hands, is in for a rude awakening if it comes before the DOJ in an investigation or enforcement action. The DOJ strongly emphasizes doing compliance for companies that want to receive credit for a functioning compliance program. The Evaluation of Corporate Compliance Programs was a most welcome document for the entire compliance community. It remains so one year after its release. It clearly illustrates many evolving compliance concepts that comprise the DOJ’s view of an effective program. Finally, it gives the CCO or compliance practitioner an excellent set of questions with which to benchmark your company’s compliance program and remediate any gaps that may pose risks to your company.
Tom Fox is the Compliance Evangelist™ and one of the nation’s leading experts on compliance, risk management, and corporate governance. His seminal work “The Complete Compliance Handbook” will be published in April, 2018. He is the founder of the Compliance Podcast Network. He can be reached at email@example.com.
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author.