Welcome to a special five-part podcast series, A Conversation with Skillsoft and StoneTurn: From the Code of Conduct to Risk Assessment to Continuous Improvement. This week’s podcast series is jointly sponsored by Skillsoft and StoneTurn Group, LLP. Over the course of this series we have explored the recently released 2020 Update to the Department of Justice’s (DOJ) Evaluation of Corporate Compliance Programs (2020 Update). Focused on your Code of Conduct and how it is informed by your Risk Assessment, training on your Code of Conduct, performing a Risk Assessment and conclude with how all this ties to continuous monitoring and continuous improvement. Participants in this podcast series include: from Skillsoft, Charlie Voelker, Director, Compliance Products; John Arendes, Vice President and GM of Global Compliance Solutions; from StoneTurn, Toby Ralston, Managing Director, Jamen Tyler, Managing Director and Stephen Martin, Partner. In this fifth and final episode, I conclude with Stephen Martin on continuous monitoring and continuous improvement.
A new focus in the 2020 Update and FCPA Resource Guide, 2nd edition, was the new mandate for continuous monitoring and continuous improvement. But it all begins with your risk assessment. Martin said, “they are the most critical part of your compliance program because they frame what you are supposed to do overall in your compliance regime.” What has changed recently, with the 2020 Update is the emphasis around continuous program improvement and that it should be “guided by your risk assessment, which is something new.” This means that you must look at more than “simply a limited snapshot in time, but using risk assessment, that is based on continuous operational data and information across a number of functions so that you can have real time risk assessment and improvement of your compliance program.”
All of these developments have led to the clear conclusion that your compliance program should be a living breathing document. Martin said, “I think it’s more important today, given the guidance that came out, before you would talk a risk assessment that would be done once a year or once every couple of years, or perhaps you would do a program assessment. Now, what you’re expected to do is continually be evaluating your program and looking at data and information.” From there compliance officers and companies need to gather the data and look at is as an “ongoing review to update your policies, procedures, and controls, and tracking the information to incorporate into their risk assessments.”
The DOJ is looking at whether a company has based its compliance program on this continuous monitoring, which is a relatively new approach. The DOJ, with the 2020 Update, is really putting forward this new emphasis on continuous monitoring and using data driven decision making and testing in your program on an ongoing basis. This emphasizes is the importance of not just proactive and continuous risk assessment, but also ongoing monitoring so that you can have an effective program designed to detect violations. It will be more predictive in issues determined to help your company reduce risks, maximize profitability and performance and still meet government expectations.
Many compliance practitioners focus on the new part of the evaluation of corporate compliance programs around data. This focus on data analytics is a key component going forward, but the DOJ also made clear, it is not simply numbers. It is information; including risk assessments, number of hotline calls, where hotline calls come from. All of which provide information that the compliance practitioner can use to not only continuously monitor, but to actually continually improve your compliance program as well.
Martin said one of the challenges for compliance programs and corporations is that they have “segregated information and data”, meaning the training records are separate from the hotline calls that come in, separate from the audit function and remediation. Collectively, most corporations do not use data in any kind of an effective way. You need to “bring it together to look at what trends or issues that are coming right now.” Put another way, is your compliance program being implemented, is it effective and is it empowered function on a daily basis using the data? For every compliance professional, you must be able to answer the question of whether there is there sufficient access to sources of data to allow for timely and effective monitoring or testing of policies or controls of transactions?
If you enjoyed today’s podcast, I want to let you know about an upcoming webinar Skillsoft and StoneTurn are hosting. The webinar “Evolving Your Compliance Program” will be held on Wednesday Sept 23 and will explore how companies are leveraging data and information to improve and evolve their compliance programs. Information and Registration click here.
For more information on Skillsoft’s compliance offerings, click here.
For more information on the Skillsoft/StoneTurn partnership, click here.
For more information on StoneTurn, click here.