How does your risk assessment lead directly to continuous improvement and continuous monitoring in a best practices compliance program? I recently visited with John Arendes, Customer Market Leader, GM of Global Compliance Solutions at Skillsoft Corporation, and Stephen Martin, Partner at StoneTurn, on these topics and to consider the interconnected nature of these two seemingly disparate components of a best practices compliance program.
Arendes believes that the two recent releases of information in the form of the 2020 Update to the Evaluation of Corporate Compliance Programs (2020 Update) and FCPA Resource Guide, 2nd edition, make clear that companies must assess their risk and manage their risk. Years ago, there was this idea of one size fits all for compliance programs. The government’s thinking on this began moving towards taking into account a number of different risk variables that impact those businesses and what exposes them to areas of risk. This has led to the current environment where it is clear that one size does not fit all.
Arendes said you should begin with the precept “to understand what the goal of your risk assessment is. What are you trying to get out of it? Is it a holistic view? Is it a specific area of risk or are there areas of data risks that we want to look at? The bottom line is to understand what’s your goal of the risk assessment.” Arendes also said an independent perspective should be sought. Using outside firms, having someone come in with an objective view is certainly an important part of your risk assessment.
From there it is critical for a company to recognize its risk and undertake a comprehensive review. He pointed to the area of compliance policies and procedures and their enforcement as a key measure. As you do these assessments, you need to look at the enforcement of your policies as a part of your risk assessment. Your Code of Conduct can be a rich source of information to help assess your risk. Another indicator is your hotline. Here, some of the questions might be: Are individuals reporting to the hotline? If not, why not? If you do not give employees a way to report those risks, that can be a risk that needs to be remediated as well.
How can you use the risk assessment process to actually manage risk? Arendes said to begin by looking at your policies and procedures using the example of Covid-19. “Do they take into account, for example, the CDC guidelines, WHO guidelines, state guidelines, and what do we need to do? From your risk assessment, you should know how quickly you are getting your message out and whether employees are getting that information in a timely manner.” Another area where the risk assessment can help you to manage risk is in the area of training. Arendes said that as you identify “various areas that need improvement, how are you handling that? How are you providing communications to your employees who are working remotely?”
Arendes discussed a final risk to consider in today’s environment, which is what “is your organization’s messaging about fraud, waste and abuse. We know that as employees are not supervised, things may happen unintentionally now they are working remotely. So how do we get that training out on this, and then how do you report it?” Your risk assessment should be used “to close those holes and make sure they don’t open up again.”
How does this all tie into continuous monitoring and continuous improvement? Martin said that a re-emphasized focus in the 2020 Update and FCPA Resource Guide, 2nd edition, was this mandate for continuous monitoring and continuous improvement. But it all begins with your risk assessment. He said, “they are the most critical part of your compliance program because they frame what you are supposed to do overall in your compliance regime.” What has changed recently with the 2020 Update is the emphasis around continuous program improvement and that it should be “guided by your risk assessment, which is something new.” This means that you must look at more than “simply a limited snapshot in time, but using risk assessment, that is based on continuous operational data and information across a number of functions so that you can have real time risk assessment and improvement of your compliance program.”
All of these developments have led to the clear conclusion that your compliance program should be a living, breathing document. Martin said, “I think it’s more important today, given the guidance that came out, before you would perform a risk assessment once a year or once every couple of years, or perhaps you would do a program assessment. Now, what you’re expected to do is continually be evaluating your program and looking at data and information.” From there, compliance officers and companies need to gather the data and look at it as an “ongoing review to update your policies, procedures, and controls, and tracking the information to incorporate into their risk assessments.”
The Department of Justice (DOJ) is looking at whether a company has based its compliance program on this continuous monitoring, which is a relatively new approach. The DOJ, with the 2020 Update, is really putting forward this new emphasis on continuous monitoring and using data-driven decision making and testing in your program on an ongoing basis. This emphasizes the importance of not just proactive and continuous risk assessment, but also ongoing monitoring so that you can have an effective program designed to detect violations. It will be more predictive in issues determined to help your company reduce risks, maximize profitability and performance and still meet government expectations.
Many compliance practitioners focus on the new part of the 2020 Update around data. This focus on data analytics is a key component going forward, but the DOJ also made clear that it is not simply numbers. It is information, including risk assessments, the number of hotline calls, and where hotline calls come from, all of which the compliance practitioner can use not only to continuously monitor but also to continually improve the compliance program.
Martin said one of the challenges for compliance programs and corporations is that they have “segregated information and data”, meaning the training records are separate from the hotline calls that come in, separate from the audit function and remediation. Collectively, most corporations do not use data in any kind of an effective way. You need to “bring it together to look at what trends or issues that are coming right now.” Put another way, is your compliance program being implemented, is it effective and is it an empowered function on a daily basis using the data? Every compliance professional must be able to answer the question of whether there is sufficient access to sources of data to allow for timely and effective monitoring or testing of policies or controls of transactions.
The interrelationship between the Hallmarks of an Effective Compliance Program is critical to seeing how compliance must move forward in the coming years. By considering how you can use your Code of Conduct development to help your risk assessment, and how your risk assessment can then inform your Code of Conduct and, equally importantly, your training on it, you can begin to move towards continuous monitoring and continuous improvement in your overall compliance program.
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at firstname.lastname@example.org.
© Thomas R. Fox, 2020