We are in an exploration of the recently released Evaluation of Corporate Compliance Programs – Guidance Document (2019 Guidance), which was announced (ECI speech) by Assistant Attorney General Brian Benczkowski at the Ethics and Compliance Initiative (ECI) Impact 2019 Conference. It is an update to the 2017 Evaluation of Corporate Compliance Programs, released in February 2017. This new document is available for download at no charge. It should be mandatory reading for every Chief Compliance Officer (CCO), compliance practitioner and professional or any other person interested in the latest thinking of the Department of Justice (DOJ) on what constitutes a best practices compliance program. Today, I consider the first substantive section of the 2019 Guidance, regarding what should go into a well-designed compliance program or as it states, “Is the corporation’s compliance program well designed?” This section on well-designed included the basics of a risk assessment, the foundation of policies and procedures, effective training and confidential reporting and investigations. Today, I consider training and the DOJ’s specific focus on effective training.
On this point, the 2019 Guidance stated, “Prosecutors should assess the steps taken by the company to ensure that policies and procedures have been integrated into the organization, including through periodic training and certification for all directors, officers, relevant employees, and, where appropriate, agents and business partners. Prosecutors should also assess whether the company has relayed information in a manner tailored to the audience’s size, sophistication, or subject matter expertise. Some companies, for instance, give employees practical advice or case studies to address real-life scenarios, and/or guidance on how to obtain ethics advice on a case-by-case basis as needs arise. Prosecutors should also assess whether the training adequately covers prior compliance incidents and how the company measures the effectiveness of its training curriculum.”
Risk-Based Training – What training have employees in relevant control functions received? Has the company provided tailored training for high-risk and control employees, including training that addresses risks in the area where the misconduct occurred? Have supervisory employees received different or supplementary training? What analysis has the company undertaken to determine who should be trained and on what subjects?
This requires you to assess your employees for risk to determine the type of training you might need to deliver. This means that you should risk rank your employees. Obviously, the sales force would be the highest risk but there may be others which are deserving of high-risk training as well. From your risk ranking, you need to then develop training tailored for the risks those employees will face. The key going forward is that you have thoughtfully created your compliance training program. Not only in the design but who receives it, all coupled with backend determination of effectiveness.
Form/Content/Effectiveness of Training – Has the training been offered in the form and language appropriate for the audience? Is the training provided online or in-person (or both), and what is the company’s rationale for its choice? Has the training addressed lessons learned from prior compliance incidents? How has the company measured the effectiveness of the training? Have employees been tested on what they have learned? How has the company addressed employees who fail all or a portion of the testing?
One of the key goals of any Foreign Corrupt Practices Act (FCPA) compliance program is to train employees in awareness and understanding of the FCPA; your specific company compliance program and to create and foster a culture of compliance. Beginning in the fall of 2016 through the announcement of the FCPA Enforcement Pilot Program, the DOJ began to talk about whether you have determined the effectiveness of your training. This continued with the 2017 Evaluation where they asked, “How has the company measured the effectiveness of the training?” and has now been brought forward in the 2019 Guidance. It is a key metric for the government in evaluating compliance training.
Here you could look to the example of Shawn Rogers, the Lead Counsel, Compliance Training and Communications at General Motors (GM), who set up a more formalized corporate governance structure to look at required training. He and his peers assigned key players from executive and management roles to function as project heads. This allowed the different disciplines to participate in the course development process. This Charter set in place lists their scope of responsibility. It allowed GM to more fully document its rationale for training.
The bottom line is that it is about (a) training the right people; (b) training them on the right risk; (c) getting to the right level of detail; and (d) training them in the proper language (linguistic and institutional). It also mentions the importance of training frequency and, notably, modelling realistic risk situations for better preparedness.
Communications about Misconduct –What has senior management done to let employees know the company’s position concerning misconduct? What communications have there been generally when an employee is terminated or otherwise disciplined for failure to comply with the company’s policies, procedures, and controls (e.g., anonymized descriptions of the type of misconduct that leads to discipline)?
This requirement is more than simply the ubiquitous “tone-at-the-top,” as it focuses on the communications of senior management. The DOJ wants to see a company’s senior leadership communicating not only about compliance successes but also compliance failures and how they can be used as lessons learned going forward. The DOJ asks if company leadership has, through their words and concrete actions, communicated the right message of doing business ethically and in compliance.
Availability of Guidance – What resources have been available to employees to provide guidance relating to compliance policies? How has the company assessed whether its employees know when to seek advice and whether they would be willing to do so?
Here, I suggest you consider a 360-degree view to compliance communication to incorporate your compliance identity into a holistic approach so that compliance is in touch with and visible to your employees at all times. It is about creating a distinctive brand philosophy of compliance which is centered on your consumers. In other words, it helps a compliance practitioner to anticipate all the aspects of your employees needs around compliance. A 360-degree view of compliance gives you the opportunity to build a new brand image for your compliance program.
Moreover, the 360-degree approach allows you monitor your compliance communication activities by tracking attendance at events, website statistics, open rate of emails, downloads of materials and video hits, in other words, the same techniques that your marketing folks would use to determine their messaging’s effectiveness. The objective is to build trust for the 360-degree process by determining if the goal was achieved. You can utilize surveys or focus groups to assess the impact on your target audience. By focusing on your customers of compliance (i.e., your employees), it allows you to identify gaps and improve the communication process for your compliance program.
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at firstname.lastname@example.org.
© Thomas R. Fox, 2019