We are in an exploration of the recently released Evaluation of Corporate Compliance Programs – Guidance Document(2019 Guidance), which was announced(ECI speech) by Assistant Attorney General Brian Benczkowski at the Ethics and Compliance Initiative (ECI) Impact 2019 Conference. It is an update to the 2017 Evaluation of Corporate Compliance Programs, released in February 2017. This new document is available for download at no charge. It should be mandatory reading for every Chief Compliance Officer (CCO), compliance practitioner and professional or any other person interested in the latest thinking of the Department of Justice (DOJ) on what constitutes a best practices compliance program. Today, I consider the first substantive section of the 2019 Guidance, regarding what should go into a well-designed compliance program or as it states, “Is the corporation’s compliance program well designed?“ Last week, I discussed risk assessments and today we consider the backbone of every compliance program, that being the policies and procedures.
On this point, the 2019 Guidance stated, “Any well-designed compliance program entails policies and procedures that give both content and effect to ethical norms and that address and aim to reduce risks identified by the company as part of its risk assessment process. As a threshold matter, prosecutors should examine whether the company has a code of conduct that sets forth, among other things, the company’s commitment to full compliance with relevant Federal laws that is accessible and applicable to all company employees. As a corollary, prosecutors should also assess whether the company has established policies and procedures that incorporate the culture of compliance into its day-to-day operations.”
Design – What is the company’s process for designing and implementing new policies and procedures, and has that process changed over time? Who has been involved in the design of policies and procedures? Have business units been consulted prior to rolling them out?
There are five general elements to a compliance policy, which should stake out the following: (1) Identify who the compliance policy applies to; (2) Set out the objective of the compliance policy; (3) Describe why the compliance policy is required; (4) Outline examples of both acceptable and unacceptable behavior under the compliance policy; and (5) Lay out the specific consequences for failure to comply with the compliance policy.
Comprehensiveness – What efforts has the company made to monitor and implement policies and procedures that reflect and deal with the spectrum of risks it faces, including changes to the legal and regulatory landscape?
There are numerous reasons to put some serious work into your compliance policies and procedures. They are certainly a first line of defense when the government comes knocking. The regulators will take a strong view against a company that does not have well thought out and articulated policies and procedures; all of which are systematically reviewed and updated.
Accessibility – How has the company communicated its policies and procedures to all employees and relevant third parties? If the company has foreign subsidiaries, are there linguistic or other barriers to foreign employees’ access?
If there was ever any doubt, it is now clear that your compliance policies and procedures must be translated into local language for your non-English speaking workforce. The key is that your employees have the same understanding of the compliance policies and procedures, no matter the language.
Responsibility for Operational Integration – Who has been responsible for integrating policies and procedures? Have they been rolled out in a way that ensures employees’ understanding of the policies? In what specific ways are compliance policies and procedures reinforced through the company’s internal control systems?
This means more than simply having appropriate policies and procedures. It is operationalizing them into your compliance program, down to the business unit level. How can you do so? Compliance training is only one type of communication. This is a key element for compliance practitioners because if you have a 30,000+ global work force, simply the logistics of training can appear daunting. Small groups, where detailed questions about policies can be raised and discussed, can be a powerful teaching tool. Another technique can be posting Frequently Asked Questions (FAQs) in common areas and virtually. Also, having written compliance policies signed by employees provides what some consider the most vital layer of communication.
Gatekeepers– What, if any, guidance and training has been provided to key gatekeepers in the control processes (e.g., those with approval authority or certification responsibilities)? Do they know what misconduct to look for? Do they know when and how to escalate concerns?
If you consider training as one source of your 360-degrees of compliance communications, the rollout of a new or updated code can be an opportunity. This rollout fits directly into the concept of 360-degrees of compliance as it is part of both communications and engagement. How have you trained your middle managers to listen in a speak up culture? Where do they report concerns, whether observed or reported? You will need to have a protocol in place to document this area.
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at firstname.lastname@example.org.
© Thomas R. Fox, 2019