Welcome to a special five-part podcast series, A Conversation with Convercent and StoneTurn: From the Code of Conduct to Risk Assessment to Continuous Improvement. This week’s podcast series is jointly sponsored by Convercent and StoneTurn. Over the course of the series we will explore the impacts on corporate compliance programs from the recently released 2020 Update to the Department of Justice’s (DOJ) Evaluation of Corporate Compliance Programs (2020 Update). We focus on investigations, data analytics, evaluating compliance programs, internal reporting and corporate culture. Participants in this podcast series include: Asha Palmer, Convercent Chief Ethics and Compliance Officer (CECO) and Executive Vice President (EVP) of CONVERGE; Rex Homme, Michele Edwards, and Stephen Martin, all Partners at StoneTurn. In this third episode, Edwards and I discuss how a compliance professional can create an inventory of metrics by which to monitor and then improve a compliance program.
The 2020 Update not only continued to emphasize the importance of monitoring and testing the effectiveness of a compliance program, but it also spoke more about a Chief Compliance Officer (CCO) and compliance function utilizing data to engage in both continuous monitoring and continuous improvement. The DOJ for some time now has stressed the importance of leveraging data in order to have objective evidence around whether or not a compliance program is working effectively. Yet because many CCOs are legally trained, they are unsure which specific areas to consider in establishing quantifiable metrics to monitor for effectiveness.
Edwards said the first thing that companies need to do is to establish quantifiable metrics to measure and monitor the effectiveness of their compliance programs. This is accomplished by creating an inventory of metrics. You can do so by looking at the 2020 Update and taking it section by section to understand where there might be opportunities for a company to begin defining these metrics and assessing the data sources to measure these key metrics. From there, a compliance function can move to developing a process to regularly report on the progress of the compliance program, and an assessment of its effectiveness, to key stakeholders such as a Board of Directors, Audit Committee or Compliance Committee.
Edwards sees a number of areas where companies can begin to establish those metrics. Obviously, third-party management is still at the forefront of every compliance program. This means the DOJ continues to communicate its guidance around aspects of a third-party management program that are critical for an effective compliance program. There are multiple metrics that a company can consider as it thinks about the processes in place to manage the relationships with its third parties. It all begins with the five-step process of the lifecycle of third-party management. Yet in many ways a compliance professional's work begins after the contract is signed, in the assessment of how those relationships are going.
One of the most straightforward ways a company can measure the effectiveness of that process is to assess how many third parties were actually suspended, terminated or audited for compliance issues throughout the course of the third-party relationship. This creates a quantifiable metric which the company can periodically report to key stakeholders as a result of its due diligence and ongoing diligence procedures related to its relationships.
Edwards pointed to another area ripe for an inventory of compliance metrics: mergers and acquisitions (M&A). When it comes to M&A due diligence, companies will often, before entering into a merger or acquisition, undertake a similar due diligence process in which they look at the business relationships an acquisition target has. Of course, compliance professionals are assessing those relationships and doing due diligence on them to identify potential risks. Very similarly, a company can also look at the number of third parties re-evaluated under the acquirer’s new standards and policies. This could be another key metric to apply very similarly to the lifecycle of third-party management.
Edwards, a CPA by professional training, said that a methodical review of the 2020 Update to identify the different areas where a company could potentially establish and quantify metrics to assess effectiveness is the place to start. Many companies have what Edwards called “metrics on the basics” and noted they “have in place processes whereby their employees review the Code of Conduct and confirm they are in compliance with it either when they first onboard with the company and then periodically on an annual basis, companies are doing just fine at reporting.” But this is now the barest minimum of what compliance professionals must do. For instance, they could consider the lifecycles of Quote To Cash (QTC) or Procure To Pay (P2P). The key is to start with a documented process which can be audited and build out from there.
Join us tomorrow, as Asha Palmer, CECO at Convercent, discusses corporate culture itself to better monitor and improve your compliance program.