Operationalizing your compliance program can take many shapes and forms. Using the entire risk management process to embed your compliance program within the contours of your organization is a key step that will give you full visibility of your compliance risks across a longer life cycle. Forecasting allows you to consider your business strategy and wed it to the risks you can foresee. Risk assessments allow you to evaluate and measure known risks. Risk-based monitoring allows you to monitor the compliance risks you know about and detect those you do not, on an ongoing basis.
To accomplish all of this, the Evaluation of Corporate Compliance Programs – Guidance Document (2019 Guidance) sets out three broad standards:
Risk Management Process – What methodology has the company used to identify, analyze, and address the particular risks it faces? What information or metrics has the company collected and used to help detect the type of misconduct in question? How have the information or metrics informed the company’s compliance program?
The use of the phrase “risk management process” emphasizes that it is not a one-off exercise but truly a process. Moreover, the DOJ has specifically focused on the metrics component of every risk assessment. Finally, you must be able to substantiate and justify the methodology of your risk assessment.
Risk-Tailored Resource Allocation – Does the company devote a disproportionate amount of time to policing low-risk areas instead of high-risk areas, such as questionable payments to third-party consultants, suspicious trading activity, or excessive discounts to resellers and distributors? Does the company give greater scrutiny, as warranted, to high-risk transactions (for instance, a large-dollar contract with a government agency in a high-risk country) than more modest and routine hospitality and entertainment?
This section focuses more intently on the true risks that each company faces and how you allocate your risk management resources to those risks. It mandates that you not only focus on your risks but, more importantly, not waste time and resources on low-risk areas. You should focus on the high risks to your company. If you use third parties in the sales cycle, that may well be your highest risk. Conversely, if your sales strategy is based on employees, then that may be your highest risk. The document also points out the explicit risks in specific transactions and with specific customers, such as a “large-dollar contract with a government agency in a high-risk country”. This came from several enforcement actions where the customer itself was not only in on the bribery scheme but facilitated the illegal transactions.
Updates and Revisions – Is the risk assessment current and subject to periodic review? Have there been any updates to policies and procedures in light of lessons learned? Do these updates account for risks discovered through misconduct or other problems with the compliance program?
This section addresses not only the ongoing nature of risk assessments but also the continuous feedback loop of information both to and from your compliance program. Did you incorporate the information learned in the field into your next risk assessment? Did you then update your policies, procedures and controls based on the information garnered from your updated risk assessment? This is the OODA loop (Observe, Orient, Decide, Act) in action.
Properly seen, corporate compliance programs are a business process. All three of these strategies from the 2019 Guidance tie directly into process management and process improvement. There is a balance between what is actually important for your business or for proper execution and the practical aspects of the whole process. Ben Locwin, international business consultant and former pharmaceutical executive, stated, “If you are not measuring at a high enough resolution, then you are not capturing a lot of the environmental, market forces and external factors that probably are of high leverage to your operations in business that you simply do not know about.”
For example, if there is a one-in-three chance of a compliance failure occurring, and a company knew about it in advance, the Executive Committee would most probably stop the activity before there was a compliance failure and a possible legal violation. This is how the risk management process can work to fulfill the three prongs of a compliance program: prevent, detect and remediate. You are using your risk forecast, you have a contingency in place, and you execute upon it. In other words, it comes down to execution. This means you have to use the risk management tools available to you and, when a situation arises, remediate when required. This is not only where the rubber hits the road; the information and data you garner in the execution phase should also be fed back into a process loop. From this, you will develop continuous feedback and continuous improvement.
By using these techniques, the CCO or compliance practitioner makes the business run more efficiently and, at the end of the day, more profitably. The more you can bring these types of insight to a Chief Executive, the more you demonstrate that more effective compliance equates to more efficient business processes, leading to greater profitability, and that compliance is not simply a cost center.
Three key takeaways:
- The risk management process is an important backbone of operationalizing compliance.
- You should be able to monitor and measure both known and unknown risks.
- All of these steps help a business to run more efficiently and more profitably.