Yesterday, I began a two-part series on continuous monitoring of your anti-corruption compliance program. In Monday’s post, I looked at the regulatory framework for such a requirement. In today’s conclude with some thoughts on how to continually improve and update your Foreign Corrupt Practices Act (FCPA) or UK Bribery Act compliance regime and take a look again at how the regulators might view your program, in some quick, easy and pithy ways.
Anti-corruption, anti-bribery, anti-money laundering (AML) programs policies and procedures and even export control systems are seemingly in a constant state of evolution. Many companies are struggling with the challenge of implementing effective controls and monitoring risks across a spectrum that could include the three above listed compliance areas as well as others. One area that has evolved into a minimum best practices requirement for compliance is that of continuous monitoring.
While many companies will look at continuous monitoring as a software solution that can assist in managing risk, provide reporting metrics and, thereby, insights across an organization, it should be viewed more holistically. You will need to take many disparate systems, usually across a wide international geographic area, which may seem like an overwhelming process. Justin Offen, explained this in his article, entitled “Mission Impossible? Six steps to continuous monitoring”, where he detailed a six-point program to ensure that your “CM solution doesn’t become part of the problem” rather than a solution.
- Know your global IT footprint. It is important to understand how continuous monitoring will be incorporated into your company’s overall IT strategy as well as your compliance strategy. This advocates that this inquiry begins with understanding what your current IT structure is and what it is anticipated to be in 3 and 5 years. Once you identify your global IT footprint you can determine which system will be the best fit.
- Define scope and necessary resources. You should determine what your goal is, begin by identifying your needs and then prioritize them. You should perform a risk analysis and then rank the risks. Next, you need to understand the amount of talent you have in your organization, identify who can implement and work with the system and determine your budget, which may need to be increased based upon your need for outside experts and unknown contingencies.
- Conduct a pilot or proof of concept. A phased rollout can be used as a proof of concept, which can yield greater functioning efficiency throughout your entire program implementation. It should also allow you to chalk up an early success to present to the inevitable nay-sayers in your organization.
- Decrease false positives. This is important because improper or incomplete testing may well lead to a larger amount of false positives which you are required to evaluate and clear. From each test, you can further refine your continuous monitoring solution to the specific needs of your organization and increase time and efficiency in your overall continuous monitoring program.
- Establish your escalation protocol. You should establish a response protocol when an exception or Red Flag arises. This protocol should include an escalation protocol if the Red Flag suggests that it is warranted or additional investigation determines a wider problem exists. This protocol should include specific individuals and departments that need to be notified, the makeup of your initial and secondary triage team and the accountability for each person in the process, all the way up to the Board.
- Demonstrate control through case management. This demonstrates once again the maxim of Document, Document and Document. You need to be ready to “respond with appropriate documentation of any transaction that’s been reviewed, showing the level of review and any additional steps taken.”
The benefits of such a continuous monitoring program are significant; the creation of documentation that can lead to a ‘ready response’ by a company to an issue before it becomes a larger problem, coupled with the ability to recall all steps and information when a regulator comes knocking. Internally, using the pilots or proofs of concepts, the compliance department can bring in other stakeholders to see the value of continuous monitoring within the organization.
You Have a Strategic Plan – Now What Do You Do?
Have you thought about your anti-corruption through the lens of a strategic plan? If not, you might want to use the formulation proffered by Bruce Rector, in an article entitled “Strategic planning needs constant follow-up to be successful”. Recognizing that a strategic plan can serve as guide for your company going forward, it must actually be utilized to garner any use out of it. I believe that the steps he lays out translate, without difficulty, into steps a compliance officer can take to meet the suggestion laid out by Offen above.
- Review the Goals of the Strategic Plan. This requires that you arrange a time for the Chief Compliance Officer (CCO) and team to review the goals of the Strategic Plan. To the extent possible this should be done in person. The CCO should lead a discussion of the Strategic Plan and determine how this goal in the Plan measures up to its implementation in your company.
- Design an Execution Plan. The “Keep it Simple Sir” or KISS method is the best to move forward. This would suggest that for each compliance goal, there should be a simple and straightforward plan to ensure that the goal in question is being addressed. Any such plan must be specific with clear goals for all involved, with tasks handed out, deliverables defined and a definite timeline for delivery.
- Put Accountabilities in Place. In any plan of execution, there must be accountabilities attached to them. Simply having a time line is not enough. This means that the persons tasked with the responsibility of performing the tasks be clearly identified, by both the individual so tasked and the actual task they are assigned to complete. Accountability requires that there be follow-up to confirm that these targets are met. This requires the CCO or other senior compliance department representative to put these in place and then mandate a report requirement on how the task assigned is being achieved.
- Schedule the Next Review of the Plan. There should be a regular review of the process. While noting that this may seem time consuming, this means the group responsibility gets into a regularity, which will assist the process moving forward more smoothly. It also allows any problems which may arise to be detected and corrected more quickly than if meetings are held at a less frequent basis.
It is a function of the CCO to reinforce the vision and goals of the compliance function, where assessment and updating are critical to an ongoing best practices compliance program. If you follow this protocol, you will put a mechanism in place to demonstrate your company’s commitment to compliance by following through on intentions as set forth in your strategic plan.
The Regulators Perspective
What does an effective compliance program look like? Over the years, we have heard various formulations of inquiries that regulators might use when reviewing a compliance program. While not exactly a review of a compliance protocol, one of my favorites is what I call McNulty’s Maxims or the three questions that former United States Deputy Attorney General, and Baker & McKenzie LLP partner, Paul McNulty said were three general areas of inquiry the he would assess regarding an enforcement action when he was at the DOJ. They are: first: “What did you do to stay out of trouble?” second: “What did you do when you found out?” and third: “What remedial action did you take?”
Stephen Martin said that an inquiry he might make was along the lines of the following. First he would ask someone who came in before the DOJ what the company’s annual compliance budget was for the past year. If the answer started with something like, “We did all we could with what we had ($100K, $200K, name the figure), he would then ask, “How much was the corporate budget for Post-It Notes last year?” The answer was always in the 7-figure range. His next question would then be, “Which is more business critical for your company; complying with the FCPA or Post-It Notes?” Unfortunately, it has been Martin’s experience that most companies spent far more on the Post-It Notes than they were willing to invest in compliance.
Andrew Ceresney, Director of the Division of Enforcement of the SEC, speaking at Compliance Week 2014, said that he has “found that you can predict a lot about the likelihood of an enforcement action by asking a few simple questions about the role of the company’s legal and compliance departments in the firm.” He then went on to detail some rather straightforward questions that he believes could show just how much a company is committed to having a robust compliance regime.
- Are legal and compliance personnel included in critical meetings?
- Are their views typically sought and followed?
- Do legal and compliance officers report to the Chief Executive Officer (CEO) and have significant visibility with the board?
- Are the legal and compliance departments viewed as an important partner in the business and not simply as support functions or a cost center?
Near the end of his presentation, Cerensey said that “Far too often, the answer to these questions is no, and the absence of real legal and compliance involvement in company deliberations can lead to compliance lapses, which, in turn, result in enforcement issues. When I was in private practice, I always could detect a significant difference between companies that prioritized legal and compliance and those that did not. When legal and compliance were not equal partners in the business, and were not consulted as a matter of course, problems were inevitable.”
McNulty’s Maxims, Martin’s question on budget and now Cerensey’s questions all provide significant guideposts to how regulators think about FCPA compliance programs. For me, I think the point is that companies which actually Do Compliance are easy to spot. For all the gnashing of teeth about how hard it is to comply with what the DOJ and SEC want to see in FCPA compliance, when the true focus can be distilled into whether a company actually does compliance as opposed to saying how ethical they are, I think it simplifies the inquiry and the issues senior management and a Board of Directors really needs to pay attention to.
Continuous improvement through continuous monitoring or other techniques will help key your compliance program abreast of any changes in your business model’s compliance risks and allow growth based upon new and updated best practices specified by regulators. A compliance program is in many ways a continuously evolving organism, just as your company is. You need to build in a way to keep pace with both market and regulatory changes to have a truly effective anti-corruption compliance program. The Guidance makes clear that the “DOJ and SEC will give meaningful credit to thoughtful efforts to create a sustainable compliance program if a problem is later discovered. Similarly, undertaking proactive evaluations before a problem strikes can lower the applicable penalty range under the U.S. Sentencing Guidelines. Although the nature and the frequency of proactive evaluations may vary depending on the size and complexity of an organization, the idea behind such efforts is the same: continuous improvement and sustainability.”
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at firstname.lastname@example.org.
© Thomas R. Fox, 2014