Welcome to a special five-part podcast series, A Conversation with Convercent and StoneTurn: From the Code of Conduct to Risk Assessment to Continuous Improvement. This week’s podcast series is jointly sponsored by Convercent and StoneTurn. Over the course of the series we will explore the impacts on corporate compliance programs from the recently released 2020 Update to the Department of Justice’s (DOJ) Evaluation of Corporate Compliance Programs (2020 Update). We focus on investigations, data analytics, evaluating compliance programs, internal reporting and corporate culture. Participants in this podcast series include: Asha Palmer, Convercent Chief Ethics and Compliance Officer (CECO) and Executive Vice President (EVP) of CONVERGE; Rex Homme, Michele Edwards, and Stephen Martin, all Partners at StoneTurn. In this first episode, we take a deep dive with Homme into conducting investigations and ensuring consistent outcomes.
We began by considering how the 2020 Update emphasized the need for the corporate compliance function to ensure both consistency and fairness not only in monitoring investigations but also in monitoring the resulting discipline. One of the ways the 2020 Update emphasized this was through tracking the investigations and the discipline that may come out of any investigation. Homme noted, “One of the challenges companies have is facts and circumstances are always different in every investigation. This makes it sometimes difficult, but if companies treat employees of one country different in terms of discipline, it does create potential gaps in a compliance program. This can then give certain countries a feeling that they can do what they want, without the risk of punishment from corporate headquarters.” This is why the DOJ re-emphasized monitoring the investigations and ensuring consistent application of discipline as a critical factor in ensuring an effective compliance program.
We next considered the FCPA Resource Guide, 2nd edition, which added a new hallmark to what was previously titled the 10 Hallmarks of an Effective Compliance Program and is now simply the Hallmarks. The added Hallmark, Root Cause Analysis (RCA), has been around for some time. It is not new because it was subtly considered in the original FCPA Resource Guide and has been explicitly discussed since at least the original formulation of the Evaluation of Corporate Compliance Programs in February 2017. Homme began by explaining how an RCA differs from an investigation.
Homme noted, “in my view, the root cause analysis is really driving into what were the gaps in the compliance program, what happened that allowed this behavior to occur. It is certainly a deeper level than just an investigation. Investigation is focused on who, what, when, where, why and how.” An RCA then tries to dig into which programs, policies and procedures may have allowed the misconduct to occur. Homme went on to say, “a root cause really digs into the compliance program and all the procedures to understand what was the overriding of controls, or were these gaps in the controls.”
We then turned to how an organization could use an RCA differently from the way it would use investigative findings in continuous monitoring and continuous improvement. An RCA allows you to determine the gaps in your compliance program that need remediation. This leads to one of the overlooked uses of the RCA, which is that it is a part of a corporation’s continuous monitoring and continuous improvement.
We concluded with a consideration of why a compliance program should be dynamic and what procedures a company should put in place to keep its compliance program dynamic. Homme believes that one of the fundamental defects in many corporate compliance functions is that they do not often enough “look at their program and assess their program to see that it is effective as possible. We all know that even the best compliance program will still have issues. It just happens. My view is the best way to constantly evaluate your program is by doing periodic risk assessments, actually testing transactions. This means not only looking at the policies themselves, but actually testing the transactions to make sure that they are following the procedures that are laid out.”
If there was a compliance failure, even if it did not lead to a legal violation, you must understand what the root cause of the failure was. Based upon that RCA, are there any enhancements you need to make to your compliance program? Are any adjustments needed to your internal audit programs? Do you need to adjust your third-party due diligence programs? These are all measures that every organization should take to constantly evaluate its compliance program, to make sure it is dynamic and not static. At the end of the day, if your compliance program is static, people will figure it out and realize where gaps may exist. “If you’re not constantly evolving, constantly changing, you run the risk of having more misconduct occur.”
Join us tomorrow, as Asha Palmer, CECO at Convercent discusses best practices in internal reporting.