Evaluation of Corporate Compliance Programs -2020 Update Review – Key Themes
In June, the Department of Justice (DOJ) without fanfare, released an update to its 2019 Evaluation of Corporate Compliance Programs, the 2019 Guidance. For simplicity this new documents will be called the 2020 Update.
The 2020 Update is most welcome news for every Chief Compliance Officer (CCO), compliance professional and corporate compliance program in the US and beyond.
The reason is simple; it ends, once and for all, the clarion call for paper compliance programs written by lawyers for lawyers.
The DOJ has now articulated what both the business and compliance communities have been learning, that being that compliance is a business process and as a process, it can be measured, managed and, most importantly, improved. This White Paper will explore the key themes from the 2020 Update.
The concepts around risk assessments are one of the biggest changes found in the 2020 Update. The question-by-question analysis begins with
“Is the periodic review limited to a “snapshot” in time or based upon continuous access to operational data and information across functions?”
Do you have access to continuous and real time transactional data at your organization?
How about across silos within your organization. Most likely the answer to both is “no”. This means you no longer have a best practices compliance program at this point in time.
How can you garner such information?
You can begin by pulling compliance related data from each one of data points and update your risk assessment. The next question found in Updates and Revisions subsection ties into the sole question found in the Lessons Learned subsection. They both relate to the single inquiry of how you used the data. Did you incorporate your findings into updating your compliance program?
Continuous Monitoring and Continuous Updating
The final area in the 2020 Update for consideration is appropriate called Continuous Improvement, Periodic Testing and Review and is found in the subsection monikered Evolving Updates. It reads
Does the company review and adapt its compliance program based upon lessons learned from its own misconduct and/or that of other companies facing similar risks?
Similar to the language under Risk Assessment, this compound question considers the adaptation of a compliance program from your own lessons learned but also from other companies. The distinction now is that phrase is “other companies facing similar risks”? Think about how this language would apply to any company operating in China, West Africa or any other high-risk region in the globe.
I would interpret this to mean every CCO and compliance practitioner needs to stay abreast of international anti-corruption enforcement actions where your company may be doing business.
Mergers and Acquisitions
Under M&A, the 2020 Update stated: (all changes in italics)
“F. Mergers and Acquisitions (M&A) A well-designed compliance program should include comprehensive due diligence of any acquisition targets, as well as a process for timely and orderly integration of the acquired entity into existing compliance program structures and internal controls.
Pre-M&A due diligence, where possible, enables the acquiring company to evaluate more accurately each target’s value and negotiate for the costs of any corruption or misconduct to be borne by the target. Flawed or incomplete pre- or post-acquisition due diligence and integration can allow misconduct to continue at the target company, causing resulting harm to a business’s profitability and reputation and risking civil and criminal liability.”
The clear emphasis of the DOJ is around the pre-acquisition phase in M&A work.
Were you prevented from engaging in pre-acquisition due diligence because of some rule or regulation?
If so, what did you do about it?
Did you take the approach of Halliburton, as it did in the resulting Opinion Release 08-02 and seek DOJ input?
Was your post-acquisition integration protocol more robust?
If so, how? Also, after closure, did you perform a full audit of the acquired entity?
For the sake of your compliance program, I hope you did. Yet the clear emphasis here was on the pre-acquisition phase.
Even in 2020, third parties still represent the highest risk under the FCPA. Here the DOJ noted, “Prosecutors should also assess whether the company knows the business rationale for needing the third party in the transaction, and the risks posed by third-party partners, including the third-party partners’ reputations and relationships, if any, with foreign officials…In sum, a company’s third-party management practices are a factor that prosecutors should assess to determine whether a compliance program is in fact able to “detect the particular types of misconduct most likely to occur in a particular corporation’s line of business.”
It is the new final question, coupled with the new language in the preamble to the section on third parties which is so significant. It makes clear that management of third parties is a process and one that must continue on an ongoing basis throughout the lifetime of the relationship with your organization. This also re-emphasizes the importance of managing the relationship after the contract is executed from the compliance perspective.
Your role in the compliance function is not simply to review due diligence and add compliance terms and conditions to the contact. Your role is to oversee the relationship which the business sponsor manages on the ground. This is fully operationalizing your compliance regime.
Quality of CCO and Compliance
Under Part II, the changes started with the title of the section which was amended to read
“II. Is the Corporation’s Compliance Program Adequately Resourced and Empowered to Function Effectively?
This change was then driven home immediately in the introductory paragraph.
Even a well-designed compliance program may be unsuccessful in practice if implementation is lax, under-resourced, or otherwise ineffective.
The introduction also added language from the US Sentencing Guidelines which reads, “(those with “day-to-day operational responsibility” shall have “adequate resources, appropriate authority and direct access to the governing authority or an appropriate subgroup of the governing authority”).”
In experience and qualification, clearly there must be ongoing professional development for the CCO, the compliance team members and also the other control personnel in the company. This means that as a leader every CCO should work with their compliance team to set up a clear path for career develop and more importantly specific compliance subject matter expertise. This includes in the latest developments in compliance and evolving best practices. It also means as a CCO you have to do the same.
What about the phrase “other control personnel” and who is this group?
I have long advocated use of non-compliance function gatekeepers in any best practices compliance program. Should personnel include the legal department, compliance function, Supply Chain, Human Resources, payroll or Internal Audit. It is basically any person in your company who makes the decisions regarding compliance issues.
Data, Data, Data
The second area of inquiry is the access to and use of data, data analytics and transaction monitoring by the compliance function. These queries are not simply phrased in the negative but it requires a company to work to make such data available to the CCO and compliance function. This is a much more stringent requirement than the CCO calling up IT to find out what data might be available to monitor on an ongoing basis. These questions require every company to take affirmative steps to make the data available and get to it the compliance in some type of usable format.
Institutional Justice and Fairness
The 2020 Update posed the following questions
“Does the compliance function monitor its investigations and resulting discipline to ensure consistency?”
This mandate monitoring to ensure consistency because inconsistency, showing favoritism to those who violate the compliance program, or do not implement it undermines the entire idea of compliance, and those responsible for making it happen. This speaks to institutional justice and institutional fairness. These are not simply to cornerstones of a compliance program, but they are the cornerstones of companies.
If there is no fairness and justice, what is the point of working for a company. I recognize this is an evolutionary step but the CCO and compliance function must lead this dialogue in an organization. If the ubiquitous control-overrider and compliance corner-cutter becomes the highest grossing salesperson, receives the biggest bonus and most promotion; this all speaks lack of fairness and justice in an organization. It is more than just fairness at the point in time. If such situations exist, employees will correctly conclude that there are no consequences to such action or more invidiously, the only way to get ahead in an organization is to lie, cheat and steal. This is even more so if the top management actively or tacitly encourages such behavior.
As compliance moves into the second half of 2020 and into the third decade of this century, the 2020 Update may well be seen as a key demarcation where the government demonstrated that properly viewed compliance is more than a business process, it is a business program.