Evolution and change happen: sometimes slowly, sometimes rapidly. In the context of compliance and ethics programs, we are seeing a significant and rapid evolution of what is expected of organizations. Organizations are expected to have a structured and functional compliance and ethics program that monitors compliance continuously in the context of operations, transactions, and people: a program that is no longer bound by manual processes and point-in-time evaluations, but one built on a common strategy, process, and technology architecture to deliver 360° contextual and situational awareness of compliance and ethics.
This is evident in, and is being driven forward by, the recent United States Department of Justice (DoJ) guidance on the Evaluation of Corporate Compliance Programs. The DoJ has regularly provided guidance on what is expected of compliance programs: it released this guidance in 2017, revised it in 2019, and issued the latest version in June 2020. It has also released guidance in specific compliance areas, such as anti-bribery and corruption, setting out expectations in the context of the U.S. Foreign Corrupt Practices Act.
The DoJ guidance is written for prosecutors evaluating compliance programs in criminal actions against organizations. But do not let that limit your understanding of its influence. That influence is broad: it applies across industries and across organizations of various sizes, and it cascades into other jurisdictions, enforcement agencies, and regulators globally. The guidance works hand in hand with the U.S. Sentencing Commission’s Organizational Sentencing Guidelines, and it filters into the guidance and examinations of other regulators. Its impact is global because it sets the benchmark for firms that operate in the U.S. but have to structure compliance programs around the world.
In a nutshell, this latest guidance expects organizations to have a cohesive compliance strategy, process, and, in particular, technology architecture. The strategy and process requirements are spelled out in the document, and one of the most significant changes is the revision of the second of the three fundamental questions that frame the evaluation of a compliance program:
- Is the corporation’s compliance program well designed?
- Is the program being applied earnestly and in good faith? In other words, is the program adequately resourced and empowered to function effectively?
- Does the corporation’s compliance program work in practice?
The second question now adds the words ‘adequately resourced and empowered.’ Organizations cannot get by with a token compliance and ethics program; they have to demonstrate a commitment to compliance in which proper funding, resources, and staff are provided to ensure the organization stays within the boundaries of law and regulation.
What is very apparent throughout the document is that this empowerment of compliance programs can no longer be served by manual processes built on documents, spreadsheets, and emails. Organizations need a compliance technology architecture that delivers real-time visibility into compliance in the context of operations and transactions; point-in-time assessments are not good enough. Compliance also needs a thorough and defensible audit trail and system of record, which documents, spreadsheets, and emails fail to provide: their history can be altered after the fact, so evidence of compliance kept in them is too easy to manufacture and hard to defend in court, and regulators and enforcement agencies are homing in on this.
The guidance specifically points out that prosecutors are to examine “the comprehensiveness of the compliance program” to ensure the program is:
- Well-integrated into the company’s operations and workforce
- Based upon continuous access to operational data and information across functions (as opposed to point-in-time assessments that only provide a periodic review limited to a snapshot in time)
- Operationally integrated with policies in the context of employees’ roles/functions and with the internal control systems
- Governed with third-party management that is risk-based and integrated
- Effectively implemented, reviewed, and revised as appropriate, rather than being simply a “paper program”
Some key components to an effective compliance program that the guidance is looking for are:
- Policy management. The words ‘policies’ or ‘policy’ appear 31 times in the 20 pages of the document. Organizations need defined policy management processes, supported by technology that manages policies and engages employees with them. The document has a whole section on policies, but references to policies run throughout it. Policies are the backbone of a compliance and ethics program and need to be managed, communicated, and maintained. Without policies, the entire compliance and ethics program falls apart. They are the foundation everything is built upon, and they intersect with and support the other parts of the compliance program, such as third parties, hotlines/reporting, and cases/investigations . . . it all comes back to what the policies are. Specifically, the guidance looks for:
- Policies are properly designed and maintained
- Policies are comprehensive and monitored
- Policies are accessible and in a searchable format [in a portal]
- Policies are operationally integrated
- Policies have an evidence trail of who interacted with them, not just who attested to them. The guidance asks whether the organization can show how often and by whom policies were accessed on a portal: a documented evidence trail of interaction with policies. I was talking to a global organization (100,000 employees) earlier this week about this. They feel the DoJ guidance requires that they move from their SharePoint portals for policy to a defined policy management system with a structured process and reporting to meet these requirements.
- Compliance risk management. The guidance expects organizations to have a structured approach to managing compliance risks, with risk identification, assessment, and maintenance of defined compliance risk profiles. Prosecutors are to consider the “effectiveness of the company’s risk assessment and the manner in which the company’s compliance program has been tailored based on risk assessment.” My particular favorite compliance risk assessment methodology is a bow-tie risk assessment. The guidance looks for:
- Structured compliance risk management process
- Risk-tailored resource allocation to focus on the most significant compliance risks
- Regular updates and revision to compliance risk assessments
- Lessons-learned processes that draw on the company’s own experience as well as that of peers to minimize risk
- Training and communication. Individuals not only need to be aware of policies, they also need to be properly trained on them. Note that the whole section on training and communication centers on policies. It boggles my mind why so many organizations have separate policy portals and training portals. Training, from a compliance and ethics perspective, is training on policies. This means organizations should have a single portal that brings policies and training together. Policies drive the training, not the other way around. Training also needs to be risk-based, so that people in high-risk roles/functions are trained on the high-risk policies that apply to them, in the context of the compliance risk exposure those policies address.
- Third-party management. The guidance is fully aware that the modern organization is not defined by brick-and-mortar walls and traditional employees. The modern organization is the extended enterprise, with nested relationships of vendors, suppliers, contractors, outsourcers, service providers, consultants, temporary workers, brokers, agents, dealers, and intermediaries. The guidance specifically asks whether due diligence and third-party monitoring happen only during onboarding or throughout the lifecycle of the relationship. Organizations need to be able to manage and monitor compliance risk in third-party relationships for as long as the relationship lasts. The guidance also looks at whether compliance knows the rationale and business purpose of the relationship, in addition to its risk. Organizations need “ongoing monitoring of the third-party relationships, be it through updated due diligence, audits, and/or annual compliance certifications by the third party.” This process needs to be risk-based and integrated, to have appropriate functioning controls in the relationship, to be properly managed and monitored, and to demonstrate real actions and consequences when issues arise in third-party relationships.
These are some highlights; other areas the document goes into include:
- Hotlines and reporting – confidential reporting structures and investigation process
- Compliance in the context of mergers and acquisitions
- Compliance commitment by senior and middle management
- The autonomy of the compliance function
- Incentives and disciplinary measures
- Whether the compliance program works in practice
- Continuous improvement, periodic testing, and review
- Role of internal audit
- Investigations of misconduct
- Analysis and remediation of any underlying misconduct with a root cause analysis
Is your compliance and ethics program up to the task of meeting the DoJ evaluation guidance? Do you have the strategy, process, and technology to deliver and operationally integrate compliance in your organization?
I am seeing a huge focus right now in response to this guidance and other compliance demands that is causing a rapid evolution and maturity in compliance strategy, process, and particularly a comprehensive technology architecture that can deliver a 360° contextual and situational awareness of compliance and ethics.