Late Monday, the Department of Justice (DOJ), without fanfare, released an update to its 2019 Evaluation of Corporate Compliance Programs, the 2019 Guidance. For simplicity this new document will be called the 2020 Update. The 2020 Update is most welcome news for every Chief Compliance Officer (CCO), compliance professional and corporate compliance program in the US and beyond. The reason is simple: it ends, once and for all, the dysfunctional reliance on paper compliance programs written by lawyers for lawyers and those who advocate for them. The DOJ has now articulated what both the business and compliance communities have learned: compliance is a business process and, as a process, it can be measured, managed and, most importantly, improved. Yesterday, I looked at some key big-picture themes. Today, I want to focus specifically on the tactical steps of moving towards both continuous monitoring and continuous improvement of your compliance program.
These twin concepts are perhaps the biggest modifications in the 2020 Update. The changes began in Section 1 – Risk Assessments which stated (all changes noted in italics):
- Updates and Revisions – Is the risk assessment current and subject to periodic review? Is the periodic review limited to a “snapshot” in time or based upon continuous access to operational data and information across functions? Has the periodic review led to updates in policies, procedures, and controls? Do these updates account for risks discovered through misconduct or other problems with the compliance program?
- Lessons Learned – Does the company have a process for tracking and incorporating into its periodic risk assessment lessons learned either from the company’s own prior issues or from those of other companies operating in the same industry and/or geographical region?
The question-by-question analysis begins with “Is the periodic review limited to a ‘snapshot’ in time or based upon continuous access to operational data and information across functions?” Do you have access to continuous and real-time transactional data at your organization? How about across silos within your organization? Most likely the answer to both is “no”. This means you no longer have a best practices compliance program at this point in time. How can you garner such information?
If you find yourself in this situation, how do you begin to address it? My suggestion would be to begin with your highest-risk activity, most likely sales. Go to each point in the sales cycle: (1) Prospecting, (2) Contacting, (3) Qualifying for Tender Process, (4) RFQ and RFP, (5) Contract Negotiation and (6) Contract Execution. Pull compliance-related data from each one of these data points and begin your updated risk assessment there. The next question found in the Updates and Revisions subsection ties into the sole question found in the Lessons Learned subsection. They both relate to the single inquiry of how you used the data. Did you incorporate your findings into updating your compliance program?
While there is only one question in the Lessons Learned section, it is a compound question. It inquires not only about data you may have obtained through your own work but also about data from other companies in your industry operating in the same geographic region. Without commenting on the potential antitrust aspects of this issue, if there is public source information available to you (and there always is), how are you using this information in your compliance regime? This can be as simple as having your fully operationalized employee base keep their eyes and ears open at trade shows or any other gatherings of industry employees.
Also embedded in these two questions is another old theme in compliance: is there sufficient documentation in your compliance program? But here the question is about the documentation of the data garnered and how you utilized that data. I have long preached the mantra of Document, Document, and Document, and this mantra is as important now as it has ever been. It is not simply that if it is not documented, it never happened in the government’s eyes. It is that if you documented the basis for your decision, then you can explain your decision-making calculus. Remember, no compliance professional, compliance program or even a company under Foreign Corrupt Practices Act (FCPA) investigation or scrutiny has ever been punished for making an incorrect decision where a sufficient and documented business justification was in place. Such entities and persons have been sanctioned when there was no documentation in place.
The next area for continuous monitoring and continuous improvement was in an area of compliance which is not normally associated with those concepts, Policies and Procedures. Here the 2020 Update stated:
- Design – What is the company’s process for designing and implementing new policies and procedures and updating existing policies and procedures, and has that process changed over time? Who has been involved in the design of policies and procedures? Have business units been consulted prior to rolling them out?
- Accessibility – How has the company communicated its policies and procedures to all employees and relevant third parties? If the company has foreign subsidiaries, are there linguistic or other barriers to foreign employees’ access? Have the policies and procedures been published in a searchable format for easy reference? Does the company track access to various policies and procedures to understand what policies are attracting more attention from relevant employees?
When was the last time your policies and procedures were updated? Perhaps more importantly under the 2020 Update, what was your process for doing so? Was there any rigor around your process? Did that rigor include incorporating information and data collected through continuous monitoring, real-time monitoring or continuous access to operational data and information across functions? In a novel step, the 2020 Update asks if you have tracked who is looking at your policies and procedures and where they are located, as data points for you to consider in updating your compliance program.
The final area in the 2020 Update for consideration is appropriately called Continuous Improvement, Periodic Testing and Review and is found in the subsection monikered Evolving Updates. It reads:
- How often has the company updated its risk assessments and reviewed its compliance policies, procedures, and practices? Has the company undertaken a gap analysis to determine if particular areas of risk are not sufficiently addressed in its policies, controls, or training? What steps has the company taken to determine whether policies/procedures/practices make sense for particular business segments/subsidiaries? Does the company review and adapt its compliance program based upon lessons learned from its own misconduct and/or that of other companies facing similar risks?
Similar to the language under Risk Assessment, this compound question considers the adaptation of a compliance program from your own lessons learned but also from those of other companies. The distinction now is the phrase “other companies facing similar risks”. Think about how this language would apply to any company operating in China, West Africa or any other high-risk region of the globe. I would interpret this to mean every CCO and compliance practitioner needs to stay abreast of international anti-corruption enforcement actions where your company may be doing business.
Join me tomorrow, when I take a deep dive into the 2020 Update to explore it from another tactical perspective.
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at email@example.com.
© Thomas R. Fox, 2020