How does your risk assessment lead directly to continuous improvement in a best practices compliance program? I recently visited with John Arendes, Vice President and GM of Global Compliance Solutions at Skillsoft, and Stephen Martin, Partner at StoneTurn, on these topics and to consider the interconnected nature of these two seemingly disparate components of a best practices compliance program.

Assessing Your Risk

Arendes believes that the two recent releases of information, the 2020 Update and the FCPA Resource Guide, 2nd edition, make clear that companies must both assess and manage their risk. Years ago, there was the idea of one size fits all for compliance programs. The government’s thinking then moved towards taking into account the different risk variables that affect each business and what exposes it to areas of risk. This has led to the current environment, where it is clear that one size does not fit all.

Arendes said you should begin with the precept “to understand what the goal is of that risk assessment. What are you trying to get out of it? Is it a holistic view? Is it a specific area of risk or are there areas of data risks that we want to look at? The bottom line is to understand what your goal of the risk assessment is.” Arendes also said an independent perspective should be sought. Using outside firms, so that someone comes in with an objective view, is certainly an important part of your risk assessment.

From there it is critical for a company to recognize its risk and undertake a comprehensive review. He pointed to the area of company compliance policies and procedures, and their enforcement, as a key measure. As you do these assessments, you need to look at the enforcement of your policies as a part of your risk assessment. As Volker noted, your Code of Conduct can be a rich source to help assess your risk. Another indicator is your hotline. Here some of the questions might be: are individuals reporting to the hotline; if not, why not? If you do not give employees a way to report those risks, that is itself a risk that needs to be remediated.

We then turned to performing a risk assessment in the age of Coronavirus. Typically, a risk assessment has been done onsite. Now compliance professionals have to look at the interactions or transactions remotely. How can you do so? Clearly this means using technology to meet virtually, and it also means transitioning to a much more data-driven review, using technologies to log in remotely and help you identify risks. This will require compliance professionals to understand the platform, embrace technology and use it going forward. How does your platform allow you to get to this data, extract it and then analyze it?

How can you use the risk assessment process to actually manage risk? Arendes said to begin by looking at your policies and procedures, using the example of Covid-19. “Do they take into account, for example, the CDC guidelines, WHO guidelines, state guidelines, and what do we need to do? From your risk assessment, you should know how quickly you are getting your message out and whether employees are getting that information in a timely manner.” Another area where the risk assessment can help you to manage risk is training. Arendes said that as you identify “various areas that need improvement, how are you handling that? How are you providing communications to your employees who are working remotely?”

Arendes discussed a final risk to consider in today’s environment: “is your organization messaging about fraud, waste and abuse? We know that as employees are not supervised, things may happen unintentionally that they weren’t aware they could not do now that they are working remotely. So how do we get that training out on this, and then how do you report it?” Your risk assessment should be used “to close those holes and make sure they don’t open up again.”

Continuous Monitoring and Continuous Improvement

How does this all tie into continuous monitoring and continuous improvement? Martin said that a re-emphasized focus in the 2020 Update and the FCPA Resource Guide, 2nd edition, was this mandate for continuous monitoring and continuous improvement. But it all begins with your risk assessment. Martin said, “they are the most critical part of your compliance program because they frame what you are supposed to do overall in your compliance regime.” What has changed recently, with the 2020 Update, is the emphasis on continuous program improvement and that it should be “guided by your risk assessment, which is something new.” This means that you must look at more than “simply a limited snapshot in time, but using risk assessment, that is based on continuous operational data and information across a number of functions so that you can have real time risk assessment and improvement of your compliance program.”

All of these developments have led to the clear conclusion that your compliance program should be a living, breathing document. Martin said, “I think it’s more important today, given the guidance that came out. Before, you would talk about a risk assessment that would be done once a year or once every couple of years, or perhaps you would do a program assessment. Now, what you’re expected to do is continually be evaluating your program and looking at data and information.” From there, compliance officers and companies need to gather the data and look at it as an “ongoing review to update your policies, procedures, and controls, and tracking the information to incorporate into their risk assessments.”

The DOJ is looking at whether a company has based its compliance program on this continuous monitoring, which is a relatively new approach. The DOJ, with the 2020 Update, is really putting forward this new emphasis on continuous monitoring and on using data-driven decision making and testing in your program on an ongoing basis. This emphasizes the importance of not just proactive and continuous risk assessment, but also ongoing monitoring, so that you can have an effective program designed to detect violations. Such a program will be more predictive of issues, helping your company reduce risks, maximize profitability and performance, and still meet government expectations.

Many compliance practitioners focus on the new part of the evaluation of corporate compliance programs around data. This focus on data analytics is a key component going forward, but the DOJ also made clear that it is not simply numbers. It is information, including risk assessments, the number of hotline calls and where hotline calls come from. All of this provides information that the compliance practitioner can use not only to continuously monitor, but to actually continually improve the compliance program as well.

Martin said one of the challenges for compliance programs and corporations is that they have “segregated information and data”, meaning the training records are separate from the hotline calls that come in, which are separate from the audit function and remediation. Collectively, most corporations do not use data in any kind of effective way. You need to “bring it together to look at what trends or issues that are coming right now.” Put another way: is your compliance program being implemented, is it effective, and is it an empowered function on a daily basis using the data? Every compliance professional must be able to answer the question of whether there is sufficient access to sources of data to allow for timely and effective monitoring or testing of policies or controls over transactions.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at

© Thomas R. Fox, 2020