I recently had the opportunity to visit with Asha Palmer, Convercent Chief Ethics and Compliance Officer (CECO) and Executive Vice President (EVP) of CONVERGE and Rex Homme, Partner at StoneTurn to consider some of the impacts on corporate compliance programs from the recently released 2020 Update to the Department of Justice’s (DOJ) Evaluation of Corporate Compliance Programs (2020 Update). I was interested that in the areas of investigations and internal reporting they both say consistency is a key component for every compliance professional.
We began by considering how the 2020 Update emphasized the need for the corporate compliance function to ensure both consistency and fairness not only in monitoring investigations but also in monitoring the resulting discipline. One of the ways the 2020 Update emphasized this was through tracking the investigations and the discipline that may come out of any investigation. Homme noted, “One of the challenges companies have is facts and circumstances are always different in every investigation. This makes it sometimes difficult, but if companies treat employees of one country different in terms of discipline, it does create potential gaps in a compliance program. This can then give certain countries a feeling that they can do what they want, without the risk of punishment from corporate headquarters.” This is why the DOJ re-emphasized monitoring the investigations and ensuring consistent application of discipline as a critical factor in ensuring an effective compliance program.
The FCPA Resource Guide, 2nd edition, added a new hallmark to the previously titled 10 Hallmarks of an Effective Compliance Program (now it is simply the Hallmarks). The Hallmark added was one which has been around for some time and it is Root Cause Analysis (RCA). It is not new because it was subtly considered in the original FCPA Resource Guide and explicitly discussed since at least the original formulation of the Evaluation of Corporate Compliance Programs in February 2017. Homme began by explaining the difference in a RCA from an investigation.
Homme noted, “in my view, the root cause analysis is really driving into what were the gaps in the compliance program, what happened that allowed this behavior to occur. It is certainly a deeper level than just an investigation. Investigation is focused on who, what, when, where, why and how.” A RCA is really then trying to dig into what programs, policies and procedures may have allowed this misconduct to occur. Homme went on to say, “a root cause really digs into the compliance program and all the procedures to understand what was the overriding of controls, or were these gaps in the controls.”
We then turned to how an organization could use a RCA in a different way than you would utilize investigative findings in continuous monitoring/continuous improvement. It allows you to determine the gaps in your compliance program which need remediation. This leads to one of the overlooked uses of the RCA, which is that it is a part of a corporation’s continuous monitoring and continuous improvement.
We concluded with a consideration of why a compliance program should be dynamic and what procedures a company should put in place to keep their compliance program dynamic. Homme believes that one of the fundamental defects in many corporate compliance function is that they do not often “enough look at their program and assess their program to see that it is effective as possible. We all know that even the best compliance program will still have issues. It just happens. My view is the best way to constantly evaluate your program is by doing periodic risk assessments, actually testing transactions. This means not only looking at the policies themselves, but actually testing the transactions to make sure that they are following the procedures that are laid out.”
The 2020 Update required a compliance function to take on a more wide-ranging role around institutional justice and institutional fairness when it mandated that compliance confirm consistency in the way a compliance program is administered. Obviously, this is true in the realm of discipline and incentives but also means fairness in the way investigations are handled and in creating a speak up culture. In Palmer’s mind it comes down to one word, consistency.
Palmer said, “This means compliance professionals have to be consistent in how they treat people, whether it’s in Brazil or in the US because people are watching and they want to know that there is a process that’s fair.” This means a process that is open and transparent. It is not outcome driven; it is process driven. Consistent punishment, consistent corrective actions and disciplinary actions when cases arise.
We then turned to how a Chief Compliance Officer (CCO) can enlist key allies such as Human Resources (HR), the General Counsel (GC), Chief Financial Officer (CFO), head of Internal Audit and other executives co-equal with CCOs as heads of corporate disciplines. Palmer said that cross functional collaboration is critical because “we all look at things a little bit differently. There should be coordination and collaboration among departments.” Yet there should be consistency from this level of senior management.
Palmer sees a speak up culture as critical to corporate culture, because again, “we ask people, if you see it, say it, what are you as a CCO going to do about it? How are you going to protect me? And how are you going to make sure this doesn’t happen again? That’s why people speak up.” They want something different to happen. They want change.” This means it is up the compliance function to demonstrate not simply they will listen but they will affect change.
All of this ties back into consistency as the compliance professional must demonstrate that they focused on that change. It also mandates that the corporate compliance function will be focused on protecting them. Moreover, organizational justice cannot be hierarchal. This means the C-Suite has to be obligated to the same standards as a person on the shop floor. This means that a CCO really does have to be ready and empowered to even investigate the Chief Executive Officer (CEO) if that were necessary.
I found it quite insightful and instructive that both Homme and Palmer focused on consistency as a key element of a best practices compliance program. This consistency forms the basis of both institutional justice and institutional fairness. That in turns, facilitates a speak up culture, which is the role of the compliance department to foster.