This week, in a podcast series sponsored by Affiliated Monitors, Inc. (AMI), I visit with Vincent DiCianni, founder and President of AMI, and Eric Feldman, Senior Vice President of AMI. We look at the Department of Justice (DOJ) announcements over the past year and back to the FCPA Corporate Enforcement Policy, announced in November 2017, to consider what strategies companies can use based upon these documents. Over this series we will explore what companies can do both internally and externally to incorporate the Benczkowski Memo (the “Memo”) and other DOJ guidance into their organizations, show how to use a strong compliance program as both a sword and a shield and the benefits of using a third-party to fulfill the compliance mandate. In Episode 2, I consider with DiCianni how companies can use this information internally to bolster their compliance programs.
DiCianni began by emphasizing the DOJ now mandates companies who come before them have an effective compliance program. The days of wheeling in a large stack of documents are long gone and companies need to have substantive evidence on not simply their program but its effectiveness. In December 2018, Principal Deputy Assistant Attorney General John P. Cronan, in a speech by at the Practising Law Institute Eventin Washington, said that companies must demonstrate they had an effectivecompliance program, not a paper compliance program. He stated, “whether a corporation’s compliance program is merely a ‘paper program’ or whether it was designed, implemented, reviewed, and revised, as appropriate, in an effective manner.”
DiCianni said that one of the strongest elements he took away from the Memo is that a company needs to demonstrate that it has an effective compliance program. From there you can move to remediation and strengthening of the program, which the Memo also addresses. If you begin with the premise that your company has a program, the next step is to assess whether or not that program is strong and effective and its weaknesses.
What does a company do if it uncovers a problem? Does it have the wherewithal to conduct an investigation and determine whether or not it is something that has to be self-reported to the government? On the remediation side, has the company gone deep enough to find out what was the root cause of that problem? Questions such as “how did we get here” and “what do we do to address it?” can become paramount. DiCianni believes one of the key elements the Memo underscores is how serious the company is taking its compliance program and then what it’s doing when a problem has been discovered.
DiCianni believes this has been a consistent message from the DOJ, as far back as the 2012 FCPA Guidance. However, as we move into 2019, it has become a more “front end concern” of the strength of the investigation process. The question then becomes, how a company can demonstrate that? If a problem has surfaced, what does the company do about it? Does an organization simply try to “cauterize it and say one bad apple kind of thing, does it do a deep dive into a learning whether or not it’s real, the merits of it and gathering information around the issue.”
This leads to such questions about the strength of the internal investigation process or whether the company has someone internally with investigator skills. For example, if someone in Human Resources (HR) or a transactional attorney are “all of a sudden thrown into an investigation and they just don’t have the experience and the depth of knowledge” this can have negative effects going forward or can lead to even further problems. DiCianni believes the Memo implores companies to both recognize that they may not have a strong investigative process and then move to strengthen it.
Another key area that a company can focus on internally is discipline. This means discipline for those who engage in internal controls and policies and procedures violations. But even more critical going forward is fair process for discipline and incentives around compliance. This means that discipline is meted out fairly, with process, with consistency and transparently. It also means that a company must promote simply beyond those who may be friends and colleagues of senior management to persons who truly do merit promotion because they have engaged in business ethically and in compliance with laws and regulations.
Internal controls testing also plays a big role what a company can do. DiCianni discussed the third-party flow process, most generally under the Foreign Corrupt Practices Act (FCPA) or other anti-corruption legislation. He said that a company could pose multiple internal queries, such as some of the following: “What are the controls around cash? Do you have some kind of mechanism for determining where cash is being spent? Do you have some control over bank accounts, particularly when you are working in a variety of countries? Do you have some kind of control over who is making decisions about where dollars can be spent? All of those kinds of things require internal controls.” First, you must establish internal controls and second you must test them to make sure that they are both appropriate and effective.
Join us tomorrow when we explore what companies can do externally with this information related by the DOJ in 2019.
For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit our sponsor Affiliated Monitors, Inc. at www.affiliatedmonitors.com.