The Evaluation of Corporate Compliance Programs – Guidance Document (2019 Guidance) was very clear about the need for continuous improvement in any compliance program. It stated quite succinctly, “One hallmark of an effective compliance program is its capacity to improve and evolve. The actual implementation of controls in practice will necessarily reveal areas of risk and potential adjustment. A company’s business changes over time, as do the environments in which it operates, the nature of its customers, the laws that govern its actions, and the applicable industry standards. Accordingly, prosecutors should consider whether the company has engaged in meaningful efforts to review its compliance program and ensure that it is not stale.”
This concept was originally embodied in Hallmark Nine of Ten Hallmarks of an Effective Compliance Program, as formulated in the 2012 FCPA Guidance, which stated:
Finally, a good compliance program should constantly evolve. A company’s business changes over time, as do the environments in which it operates, the nature of its customers, the laws that govern its actions, and the standards of its industry. In addition, compliance programs that do not just exist on paper but are followed in practice will inevitably uncover compliance weaknesses and require enhancements. Consequently, DOJ and SEC evaluate whether companies regularly review and improve their compliance programs and not allow them to become stale.
This was further specified in the DOJ's 2019 Guidance, which listed three types of continuous improvement, each refined with multiple attendant questions. It also added a new area of inquiry that every compliance practitioner needs to incorporate into their assessment, improvement and management cycles: culture.
Internal Audit – What is the process for determining where and how frequently internal audit will undertake an audit, and what is the rationale behind that process? How are audits carried out? What types of audits would have identified issues relevant to the misconduct? Did those audits occur and what were the findings? What types of relevant audit findings and remediation progress have been reported to management and the board on a regular basis? How have management and the board followed up? How often does internal audit conduct assessments in high-risk areas?
Control Testing – Has the company reviewed and audited its compliance program in the area relating to the misconduct? More generally, what testing of controls, collection and analysis of compliance data, and interviews of employees and third-parties does the company undertake? How are the results reported and action items tracked?
Evolving Updates – How often has the company updated its risk assessments and reviewed its compliance policies, procedures, and practices? Has the company undertaken a gap analysis to determine if particular areas of risk are not sufficiently addressed in its policies, controls, or training? What steps has the company taken to determine whether policies/procedures/practices make sense for particular business segments/subsidiaries?
Culture of Compliance – How often and how does the company measure its culture of compliance? Does the company seek input from all levels of employees to determine whether they perceive senior and middle management’s commitment to compliance? What steps has the company taken in response to its measurement of the compliance culture?
You should endeavor to keep track of external and internal events that may require changes to business processes, policies and procedures. Examples are new laws applicable to your business organization and internal events that drive change within a company (e.g., a company reorganization or a major acquisition).
Continuous improvement requires that you not only audit but also monitor whether employees are adhering to the compliance program. Indeed, two of the seven compliance elements in the U.S. Sentencing Guidelines call for companies to monitor and audit their programs and to respond quickly to allegations of misconduct. These three activities are key components enforcement officials look for when determining whether companies maintain adequate oversight of their compliance programs.
One tool that is extremely useful in the continuous improvement cycle, yet is often misused or misunderstood, is ongoing monitoring. This often stems from confusion about the differences between monitoring and auditing. Monitoring is a commitment to reviewing and detecting compliance variances in real time and then reacting quickly to remediate them. A primary goal of monitoring is to identify and address gaps in your program on a regular and consistent basis across a wide spectrum of data and information.
Auditing is a more limited review that targets a specific business component, region, or market sector during a particular timeframe to uncover and/or evaluate certain risks, particularly as seen in financial records. You should not assume that because your company conducts audits it is effectively monitoring. A robust program should include separate functions for auditing and monitoring. Although each follows its own protocol, the two functions are related and operate in tandem. Monitoring activities can sometimes lead to audits. For instance, if you notice a trend of suspicious payments in recent monitoring reports from Indonesia, it may be time to conduct an audit of those operations to investigate the issue further.
The 2019 Guidance added specific language around culture, culture assessment, culture review and culture remediation. Should a company try to perform a self-assessment of its own culture or bring in a truly independent professional to do the assessment? Eric Feldman, SVP at Affiliated Monitors, Inc., has said that both are valid but each has a different focus. The self-assessment is really more akin to ongoing monitoring. In this scenario, a company has the responsibility to monitor its own workforce and culture literally on a day-to-day basis. He stated, "That ongoing monitoring and oversight is critical to being able to manage what is a very normal ebb and flow of the culture in an organization. Cultures are dependent on people and people come and go in companies and that can influence the culture. The market and financial stress can influence the culture and what happens within a company." These are all things a company should track and monitor.
By contrast, an external independent reviewer is able to build a broader picture of a company's culture than an internal self-assessment alone. Many employees are more willing to open up to an independent outsider than to someone in their own organization. Ways to assess the culture of an organization include employee surveys, conversations, and visits to field operations. Surveys can be very important tools for taking the temperature of what is going on in the company, but companies often miss the opportunity to include questions specifically targeted at the culture, and the ethical culture, of the company. Conversations need to be two-way to yield a true understanding.
Continuous improvement through continuous monitoring or similar techniques will help keep your compliance program abreast of changes in your business model's compliance risks and allow it to grow based upon new and updated best practices specified by regulators. A compliance program is in many ways a continuously evolving organism, just as your company is. You need to build in a way to keep pace with both market and regulatory changes to have a truly effective anti-corruption compliance program.
Three key takeaways:
- Your compliance program should be continually evolving.
- Monitoring and auditing are different, yet complementary, tools for continuous improvement.
- Culture assessment and monitoring are now expected as well.