“It’s taking business intelligence and putting it into compliance.” – Jonathan Marks

Late Monday, the Department of Justice (DOJ), without fanfare, released an update to its 2019 Evaluation of Corporate Compliance Programs, the 2019 Guidance. For simplicity, this new document will be called the 2020 Update. The 2020 Update is most welcome news for every Chief Compliance Officer (CCO), compliance professional and corporate compliance program in the US and beyond. The reason is simple: it ends, once and for all, the clarion call for paper compliance programs written by lawyers for lawyers. The DOJ has now articulated what both the business and compliance communities have been learning, namely that compliance is a business process and, as a process, it can be measured, managed and, most importantly, improved. Over the next several blog posts, I will be taking a look at the update to see where it takes corporate compliance programs in 2020 and beyond. Today, I want to review the key themes to see if Jonathan Marks is correct that the 2020 Update really does take business intelligence and put it into compliance.

In the introduction, the DOJ now states, “Because a corporate compliance program must be evaluated in the specific context of a criminal investigation, the Criminal Division does not use any rigid formula to assess the effectiveness of corporate compliance programs. We recognize that each company’s risk profile and solutions to reduce its risks warrant particularized evaluation. Accordingly, we make a reasonable, individualized determination in each case that considers various factors including, but not limited to, the company’s size, industry, geographic footprint, regulatory landscape, and other factors, both internal and external to the company’s operations, that might impact its compliance program.”

This change makes clear that every policy will be evaluated on its own merits. The DOJ lays out some of the factors it will consider, but such consideration will be tempered by a reasonableness standard. Borrowing language from the Antitrust Division, the 2020 Update adds that any compliance program under evaluation by the DOJ will be considered both at the time of the offense and at the time of the charging decision and resolution. The significance of this cannot be overstated, as now you cannot simply remediate your compliance program and basically ask for forgiveness after the Foreign Corrupt Practices Act (FCPA) violation has occurred. This statement clarifies any confusion generated by the Benczkowski Memo that all you have to do is aggressively remediate and such post-event clean-up will lead to a declination.

Moreover, this point is further driven home by the addition to fundamental question Number 2 that prosecutors are required to ask, “Is the program being applied earnestly and in good faith?” In other words, is the program adequately resourced and empowered to function effectively? By tying this new language to question Number 2, companies that want to cut back to a paper program and take away the ability of a CCO to effectively do their job will lose the credit going forward, as this language clearly references both monetary resources and headcount.

The final addition in the introduction adds the following language, “In any particular case, the topics and questions set forth below may not all be relevant, and others may be more salient given the particular facts at issue and the circumstances of the company.” Here is an important part near and dear to my heart as it clearly equates to Document, Document, and Document. If you make changes to your program; if you lose headcount; if you are not allowed to have the most current tech solution then be prepared to explain why your company cannot do so. The only way to do so is through a clearly articulated business justification, aka a documented. You should plan to take this a step further to document how your solution then fully follows compliance guidance as robust as the 2012 FCPA Guidance, issued by the DOJ and Securities and Exchange Commission (SEC). This section also allows room for creativity and imagination in your compliance program, if you can justify it and there is documentation for it.

From the changes in the tactical information presented in the 2020 Update, it is clear that the DOJ expects a continually evolving compliance program. It once again demonstrates that the days of a paper program are dead. I would parenthetically note, it also separates the DOJ analysis away from the approach in ISO 37001 which is also a paper program approach to compliance. There are multiple references throughout the 2020 Update for using a variety of compliance tools to garner information and then incorporating that information back into your best practices compliance program on an ongoing basis so that your compliance program is a living, breathing program and not a static program dependent on policies and procedures.

Just as a compliance program begins with a risk assessment, your continual improvement continues with your risk assessment, which now needs to move from once every three years to a much more robust time frame. But your risk assessment is much more than simply the starting point of your compliance program. It is the basis of how you design, create, implement and then update your compliance program and also serves as the basis to document the decisions you made and why you made them. The 2020 Update specified, “In short, prosecutors should endeavor to understand why the company has chosen to set up the compliance program the way that it has, and why and how the company’s compliance program has evolved over time.”

But information to update your compliance program comes from more than the risk assessment. You now need to use other information sources to engage in continuous improvement. Your policies should also be a guide to inform your compliance program. Not only should your policies and procedures now be in searchable formats but you must consider which policies are viewed with the most frequency and the attendant questions raised by employees as a part of your information to evolve your compliance regime. The 2020 Update stated, “Does the company track access to various policies and procedures to understand what policies are attracting more attention from relevant employees?”

I began with a quote from Marks about the wedding of business intelligence to a best practices compliance program. After going through these key themes found in the 2020 Update, I am even more convinced Marks was correct. As compliance moves into the second half of 2020 and into the third decade of this century, the 2020 Update may well be seen as a key demarcation where the government demonstrated that properly viewed compliance is more than a business process, it is a business program.

Join me tomorrow where I take a deep dive into the 2020 Update to explore it from a tactical perspective.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2020

While it is clear that the government expects companies to have an internal reporting system, there are benefits far beyond putting you in the government’s good graces. Companies with a more robust internal reporting system generated more reports. Dr. Welch found a group of companies he termed “power users”, which were high-level users of whistleblower reporting systems and had more activity than the average entity. These “power user” companies have several interesting characteristics. First, they are typically firms with higher quality earnings reporting. They are more profitable entities. Finally, these “power user” companies were firms with higher quality governance, as rated by the Entrenchment Index, which is used to measure how entrenched management is in a company.

Conversely, companies which were observed to be a more limited user of whistleblower reporting systems are companies that were seen to have poor governance. They are more prone to financial accounting issues, such as discretionary accruals, which could prove problematic. These tend to be smaller and less mature firms. Their overall compliance programs were generally not seen as robust or as effective as those in larger, more mature organizations. Finally, these firms, probably because they were smaller and less mature, are more prone to extreme growth and the problems associated with trying to scale up quickly.

All of this points to one unmistakable conclusion: a robust whistleblower reporting system facilitates a company’s resolution of problems before they become major problems or legal violations bringing the Securities and Exchange Commission (SEC) or DOJ calling.

Three Key Takeaways

  1. Companies with a robust whistleblower and reporting system had greater profitability and workforce productivity as measured by Return on Assets.
  2. There were fewer material lawsuits brought against the company overall and there were lower settlement costs if a lawsuit did occur.
  3. There were fewer external whistleblower reports to regulatory agencies and other authorities.

Ed. Note: Late yesterday afternoon, the Department of Justice (DOJ) released an update to the Evaluation of Corporate Compliance Programs, 2019 Guidance. This 2020 Guidance has been incorporated into this blog post. You can download a copy of the 2020 Guidance here.

What are some best practices regarding an internal reporting system? The 2012 FCPA Guidance stated, “An effective compliance program should include a mechanism for an organization’s employees and others to report suspected or actual misconduct or violations of the company’s policies on a confidential basis and without fear of retaliation.”

This was expanded in the DOJ’s 2020 Guidance, in the section entitled “D. Confidential Reporting Structure and Investigation Process”, with the following language, “Another hallmark of a well-designed compliance program is the existence of an efficient and trusted mechanism by which employees can anonymously or confidentially report allegations of a breach of the company’s code of conduct, company policies, or suspected or actual misconduct. Prosecutors should assess whether the company’s complaint-handling process includes pro-active measures to create a workplace atmosphere without fear of retaliation, appropriate processes for the submission of complaints, and processes to protect whistleblowers.”

Moreover, internal reporting systems are clear indicia of a working, operationalized compliance program. The 2020 Guidance went on to state, “Confidential reporting mechanisms are highly probative of whether a company has “established corporate governance mechanisms that can effectively detect and prevent misconduct.” (an effectively working compliance program will have in place, and have publicized, “a system, which may include mechanisms that allow for anonymity or confidentiality, whereby the organization’s employees and agents may report or seek guidance regarding potential or actual criminal conduct without fear of retaliation”).”

The 2020 Guidance further refined this basic requirement for a hotline with inquiries into the effectiveness of your corporate hotline, asking “Effectiveness of the Reporting Mechanism – Does the company have an anonymous reporting mechanism and, if not, why not? How is the reporting mechanism publicized to the company’s employees and other third parties? Has it been used? Does the company take measures to test whether employees are aware of the hotline and feel comfortable using it? How has the company assessed the seriousness of the allegations it received? Has the compliance function had full access to reporting and investigative information?” How would you consider responding to these questions?

Does the company have an anonymous reporting mechanism, and, if not, why not?  This would seem like the most basic inquiry that one could have. For if you are a US public company or rather any company listed on the US stock exchanges, you have been required to have an anonymous whistleblower system in place since the passage of the Sarbanes-Oxley Act (SOX) back in 2002. SOX directs the New York Stock Exchange, Nasdaq and other national securities exchanges to require a listed company’s audit committee to establish formal procedures for addressing complaints relating to accounting and auditing matters. Listed companies were required to have these whistleblower procedures in place by the earlier of (a) their first annual meeting after January 15, 2004 or (b) October 31, 2004.

SOX went on to mandate that companies have reporting systems for receiving, retaining and treating complaints that the company receives from external sources regarding accounting, internal accounting controls or auditing matters, as well as providing a means for confidential, anonymous submission by employees of concerns regarding questionable accounting or auditing matters. SOX makes it about as clear as possible that any publicly listed company must have a reporting system. Even if you are a private company, is there some reason you would not want to know about illegal conduct in your organization? Or as the government would ask “If not, why not?”

How is the reporting mechanism publicized to the company’s employees? If employees do not know about the hotline, they will not use it. Allocate a portion of your time and budget to promoting the corporate hotline through multiple channels. Put up posters and distribute cards that employees can keep in their wallets or desk drawers. Deliver in-person presentations where possible. And do not think of the promotional initiative as a one-time effort. It is important to remind employees regularly, through 360-degree communications, that this resource is available to them. Some hotlines offer promotional materials to help make the job easier; make sure you ask what type of promotional support may be available through your corporate comms department. Finally, never forget using a creative campaign to publicize and communicate about your internal reporting system. Ronnie Feldman of L&E Creative is one of the best around.

Has it been used? An internal reporting system is obviously of no value if the stakeholders are not aware of it. Even if you have an internal reporting mechanism in place, has every segment of the company been informed? Your internal reporting data can reveal any gaps. You can review data sliced and diced in a variety of ways to test whether the internal reporting system has been used. You can segment your internal reporting by region, department, incident classification, and other criteria. If there is one group, area or some other defined segment which is not using it, it should become obvious in comparison to the rest of the organization.

How has the company assessed the seriousness of the allegations it received? One of the things that I learned from the television series M*A*S*H was the need for triage. In the hospital setting, triage is the process of determining the priority of patients’ treatments based on the severity of their condition. Given the number of ways that information about violations or potential violations can be communicated to the government regulators, having a robust triage system is an important way to separate the wheat from the chaff and bring the right number of resources to bear on a compliance problem. One important area is making an initial determination of whether to bring in outside counsel to head up an investigation and the resources that you may want or need to commit to a problem. You literally need to “kick the tires” of any allegations or information so that you know the circumstances in front of you before you make decisions. You can achieve this through a robust triage process.

Does the company take measures to test whether employees are aware of the hotline and feel comfortable using it? (This question was newly added in the 2020 Guidance update.) This query involves two components: do your employees know about the hotline and do they feel safe in using it? Retaliation or perceived unfairness to those making hotline complaints will destroy the effectiveness of the internal reporting process and poison the corporate culture. A hotline must be seen to offer the highest levels of protection and anonymity. To encourage employee participation, the hotline should allow them to bring their concerns directly to someone outside their immediate chain of command or workplace environment, especially when the complaint concerns an immediate superior. The hotline should also enable employees to submit a report from the privacy of an off-site computer or telephone. It may seem like a small convenience, but giving employees the freedom to enter a complaint from a location that is safe can make a huge difference to participation rates.

Has the compliance function had full access to reporting and investigative information? While there will be a desire by your corporate legal department to not give out any information about the investigation until it is complete and there is a final report, the compliance function must resist this at all costs. If the results of the investigation are not made available to you as the Chief Compliance Officer (CCO) or the compliance professional charged with remediating the compliance program, any such remediation will be extremely difficult, because you are just going off suppositions and guesses. There must be a solid line of communication between the people who are doing the investigation and the people leading the remediation. Otherwise, you can only begin your remediation in the most general terms and you will not be able to deal with specific gaps in your compliance program or risks that need to be managed. Such an approach can also be a recipe for disaster.

The call, email or tip comes into your office; an employee reports suspicious activity somewhere across the globe. That activity might well turn into an FCPA issue for your company. As the CCO, it will be up to you to begin the process which will determine, in many instances, how the company will respond. This chapter will provide you with the steps you will need to consider going forward.

This chapter will detail the two parts: internal reporting and investigations. It would seem axiomatic that organizations understand the benefits of having an internal reporting system, whether it is called a hotline, helpline or something else. Just as plainly, a company should understand the need for effective investigations after a report comes in which might lead to a potential violation.

Three key takeaways:

  1. A robust internal reporting system will be one of the key indicia the DOJ considers.
  2. Hotline reporting can bring visibility to problems.
  3. Hotline reports must be treated fairly and justly.