We are in an exploration of the recently released Evaluation of Corporate Compliance Programs – Guidance Document (2019 Guidance), which was announced (ECI speech) by Assistant Attorney General Brian Benczkowski at the Ethics and Compliance Initiative (ECI) Impact 2019 Conference. It is an update to the 2017 Evaluation of Corporate Compliance Programs, released in February 2017. This new document is available for download at no charge. It should be mandatory reading for every Chief Compliance Officer (CCO), compliance practitioner and professional or any other person interested in the latest thinking of the Department of Justice (DOJ) on what constitutes a best practices compliance program. This series is reviewing the first substantive section of the 2019 Guidance, regarding what should go into a well-designed compliance program or as it states, “Is the corporation’s compliance program well designed?” This section on well-designed compliance programs included the basics of a risk assessment, the foundation of policies and procedures, effective training and confidential reporting and investigations. Today, I consider reporting and investigations.
On this point, the 2019 Guidance stated, “Another hallmark of a well-designed compliance program is the existence of an efficient and trusted mechanism by which employees can anonymously or confidentially report allegations of a breach of the company’s code of conduct, company policies, or suspected or actual misconduct. Prosecutors should assess whether the company’s complaint-handling process includes pro-active measures to create a workplace atmosphere without fear of retaliation, appropriate processes for the submission of complaints, and processes to protect whistleblowers. Prosecutors should also assess the company’s processes for handling investigations of such complaints, including the routing of complaints to proper personnel, timely completion of thorough investigations, and appropriate follow-up and discipline.”
Effectiveness of the Reporting Mechanism – Does the company have an anonymous reporting mechanism, and, if not, why not? How is the reporting mechanism publicized to the company’s employees? Has it been used? How has the company assessed the seriousness of the allegations it received? Has the compliance function had full access to reporting and investigative information?
Internal reporting mechanisms have become not only more important in the #MeTooera but also more useful in reducing both costs and legal exposure to companies. Moreover, this requirement is more than simply maintaining hotlines. Companies have to make real efforts to listen to employees. You need to have managers who are trained on how to handle employee concerns; they must be incentivized to take on this compliance responsibility and you must devote communications resources to reinforcing the company’s culture and values to create an environment and expectation that managers will raise employee concerns.
Properly Scoped Investigations by Qualified Personnel – How does the company determine which complaints or red flags merit further investigation? How does the company ensure that investigations are properly scoped? What steps does the company take to ensure investigations are independent, objective, appropriately conducted, and properly documented? How does the company determine who should conduct an investigation, and who makes that determination?
Given the number of ways that information about violations or potential violations can be communicated to the government regulators, having a robust scoping or triage system is an important way that a company can determine what resources to bring to bear on a compliance problem. Jonathan Marks, a partner at Baker Tilly Virchow Krause, LLP, has articulated a five-stage triage process which allows for not only an early assessment of any allegations but also a manner to think through your investigative approach. But more than simply scoping the information, you must have an experienced investigator or other seasoned professional making these determinations, if not a more well-rounded group or committee. Next, consider what will be the types of evidence to consider going forward? Finally, before selecting a triage solution, understand what tools are available, including both forensic and human, to complete the investigation.
Investigation Response – Does the company apply timing metrics to ensure responsiveness? Does the company have a process for monitoring the outcome of investigations and ensuring accountability for the response to any findings or recommendations?
Your company should have a detailed written procedure for handling any complaint or allegation of bribery or corruption, regardless of the means through which it is communicated. The mechanism could include the internal company hotline, anonymous tips, or a report directly from the business unit involved. You can make the decision on whether or not to investigate with consultation with other groups such as the Audit Committee of the Board of Directors or the Legal Department. The head of the business unit in which the claim arose may also be notified that an allegation has been made and that the Compliance Department will be handling the matter on a go-forward basis. Through the use of such a detailed written procedure, you can work to ensure there is complete transparency on the rights and obligations of all parties, once an allegation is made. This allows the compliance team to have not only the flexibility but also the responsibility to deal with such matters, from which it can best assess and then decide on how to manage the matter.
Resources and Tracking of Results– Are the reporting and investigating mechanisms sufficiently funded? How has the company collected, tracked, analyzed, and used information from its reporting mechanisms? Does the company periodically analyze the reports or investigation findings for patterns of misconduct or other red flags for compliance weaknesses?
Obviously, the investigation will be critical for you to help understand what remediation your compliance program will need going forward, as an employee or perhaps others may have found a manner to breach your control system. Conversely, are there issues in the overall system of the executive tone, the governance, the compliance program or internal controls, all at a meta level, which failed? You cannot find gaps in your compliance system until you stress test it. Viewed in this light, your compliance failures can be viewed as the ultimate stress test. Your investigation shows where the system broke down. The investigation will raise information to you about the failures of your compliance program that you may not have known existed previously. This requirement mandates that you use the information uncovered in your investigation to not only remediate the issue at hand but to use on a proactive basis going forward.
I hope you are planning to attend the 14th Annual Compliance Week conference this year, held from May 20-22 in Washington, D.C., at the Mayflower Hotel. It is truly one of the top compliance and ethics conferences of the year. It features not only speakers from compliance, but auditors, lawyers, government regulators, and industry leaders. This year, I am leading a pre-conference workshop on Sunday afternoon about handling internal investigations and performing a root cause analysis. Monday will include a keynote address from the always popular Hui Chen, that sets the tone for speakers throughout the event. To review the full agenda, see who is speaking or to review the registration information click on the appropriate link.
Best of all, if you have read this blog, you are eligible for a discount on the conference cost. Enter code “TOM300” at checkout to save $300 from your registration.
If you only attend one compliance conference in 2019, this is the event for you!
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at email@example.com.
© Thomas R. Fox, 2019