I was recently having breakfast with a colleague and we were discussing the Department of Justice’s (DOJ) Compliance Counsel Hui Chen and what we believe to be the positive impact she has had on the compliance community, compliance programs and the role of the Chief Compliance Officer (CCO). I told him about some of her public remarks about what constitutes an effective compliance program. 

I. NYU Remarks

In November, 2016 at the New York University Program on Corporate Compliance and Enforcement Chen discussed four primary areas that she indicated she would focus on as DOJ Compliance Counsel.

A. Thoughtful Design of Your Compliance Program

Echoing the FCPA Guidance admonition that “if designed carefully, implemented earnestly, and enforced fairly, a company’s compliance program—no matter how large or small the organization—will allow the company generally to prevent violations, detect those that do occur, and remediate them promptly and appropriately”, Chen believes there should be some significant thought put into a company’s compliance program. She expounded that stakeholders need to be a part of your compliance program design process and have input into the compliance internal controls. If your company has a violation, Chen said she would look at whether your compliance program addressed the wrongful conduct or if there was a gap in compliance coverage. Finally, she added, you need to perform a root cause analysis over your heightened risk.

B. How Operational Is Your Compliance Program?

This point follows number one above in that your compliance program should be tied to the functional unit of a company. This means that Human Resources (HR), Payment, Audit, Vendor Management and all traditional indirect cost functions need to be involved in the operation of your compliance program in their respective areas of influence. The key question she will focus on is how did the compliance program you designed to remediate the conduct that led to the violation work in the operation of your company?

C. How Well Do You Communicate with Your Stakeholders?

Here Chen wants to see evidence that the CCO or compliance practitioner, got out of the office and met with the stakeholders of your compliance program. But this is more than simply in your compliance program design, it includes the compliance program implementation. She suggested evidence to show more than compliance simply had a seat at the table but the compliance was actively involved with operational decision-making.

In a question from the audience Chen further articulated an example around compensation. She said compliance needs to be a part of the discussions around how compensation systems are designed and particularly around discretionary bonus systems. She admitted that compliance’s views on compensation are not always sought but in her mind it is one area that, if utilized, would demonstrate a commitment to compliance by the organization.

It would seem this is an appropriate place and time to remind everyone that the three most important things in Foreign Corrupt Practices Act (FCPA) compliance are DOCUMENT, DOCUMENT, and DOCUMENT. If you cannot document it, the inference is that it never happened so as a CCO or compliance practitioner you need to be prepared to demonstrate your involvement in operational decisions.

D. How Well Are You Resourced?

Chen emphasized that this meant more than monetary resources or even head count. She specified the twin resources of attention and commitment. She will inquire into how often you meet personally with your Chief Executive Officer (CEO), Audit Committee of the Board and the full Board of Directors. She also said she would inquire into the details of these briefings, so, for instance, are the briefings based on employee surveys, quantitative data or is it simply anecdotal information? She said that it is important that compliance have a real dialogue with the C-Suite and not a rote briefing.

However, with regard to CCO compensation, Chen noted there were a couple of areas of inquiry. First is that the amount the CCO is paid could be an issue. For instance, is the CCO compensated at an amount at or near the General Counsel (GC) level? If it is one-half what does that communicate within the organization? She also would inquire into whom in the company sets the CCO compensation and who reviews it.

Interestingly she indicated there was not a DOJ position on where a CCO should sit in an organization, whether in the GC’s office or in a separate department. It depends on what works best for your organization, however it has to be thoughtfully designed but the most important element is that compliance can and is heard from by senior management. Chen’s remarks were quite important because they provide insight into how she and the DOJ will look at your compliance program if you are entangled in a FCPA enforcement action.

II. ECI Interview

In an interview with Laura Jacobus, posted on Ethics and Compliance Initiative (ECI) Connects, Chen provided additional insight into what areas of inquiry she will focus on. She noted that:

• An effective program is one that detects and prevents misconduct, whether that misconduct is corruption or something else. It should be cross-functional, requiring both commitment and collaboration.
• An effective compliance program requires the commitment of the whole company to compliance, especially its leadership and key stakeholders.
• An effective compliance program works only when the ownership and the commitment are shared, and that means the efforts of ensuring compliance gets the right resources and processes must be a shared effort. So, if technology is needed to enhance a compliance process, the IT function needs to be fighting for that resource; if the payment process needs to be strengthened, finance should be responsible for making sure that’s done, etc.
• An effective compliance program requires stakeholder buy-in and accountabilities.

When responding to the question of how to determine a paper program from a real program, Chen said, “It’s not that difficult. It is something that you know, frankly, early on in one’s tenure on the job. The answers are not in the glossy diagrams of a company’s “core values” or their training slides; rather, they are in what happens in real life, in the smallest details that manifest themselves in the company’s daily operations. You look to see not just what the policy and procedures say, but how they are actually incorporated into the operations of the company. It’s one thing to have a policy that requires third-party due diligence; it’s quite another for all the steps of the due diligence to occur and to be actually built into the procurement and accounts payable operations.” Some of the indicia Chen looks for include:

• I look to see how the most front-line workers understand their jobs: Does the clerk in the accounts-payable room understand his job to be processing payments as quickly as he can, or does he understand that he is supposed to keep an eye on certain things and escalate issues he identifies?
• Does the new salesperson understand her job to be making the deal at all costs, or does she understand that there are boundaries?
• I look at empowerment and consequences: Are the compliance and control personnel empowered to identify, escalate, and address problems?
• Are there consequences of non-compliance: Processes continually improved based on lessons learned; people disciplined for non-compliance; or deals rejected and approvals not granted?

III. Pilot Program: Ongoing Remediation

When the DOJ announced its new program around FPCA enforcement, the “Pilot Program”, last April it also released a written document, entitled “The Fraud Section’s Foreign Corrupt Practices Act Enforcement Plan and Guidance” (herein “The Guidance”), more fully laying out the specifics of this Pilot Program and providing more background and information for the compliance practitioner. One requirement under the Pilot Program was that your company engage in ongoing remediation during the pendency of your FCPA investigation. It is believed that this portion of The Guidance was largely authored by the DOJ Compliance Counsel so I believe that they bear noting in this post.

The Guidance states, “an effective compliance program… may vary based on the size and resources of an organization” but should include the following:

• Whether the company has established a culture of compliance, including an awareness among employees that any criminal conduct, including the conduct underlying the investigation, will not be tolerated;
• Whether the company dedicates sufficient resources to the compliance function;
• The quality and experience of the compliance personnel such that they can understand and identify the transactions identified as posing a potential risk;
• The independence of the compliance function;
• Whether the company’s compliance program has performed an effective risk

assessment and tailored the compliance program based on that assessment;

• How a company’s compliance personnel are compensated and promoted compared to other employees;
• The auditing of the compliance program to assure its effectiveness; and
• The reporting structure of compliance personnel within the company.

While there are some items that have been a part of the discussion of what constitutes an effective compliance program for a long period of time, such as culture of compliance, performing a risk assessment and using that risk assessment to tailor your compliance program, reporting structure of the compliance function and auditing of your compliance program; there are also some new points to consider. If not new, then certainly more detailed and focused consideration of prior points.

This Guidance requires “sufficient resources to the compliance function”, independence of that function, the experience and quality of your compliance personnel and not just the compensation paid to your compliance personnel but how it compares to other employees, together with their promotion within your organization. These are all new foci on the CCO and compliance team. If your compliance team is run on a shoestring, you will likely be downgraded for your overall commitment to doing business in compliance with the FCPA. The same is true for promotions and other opportunities for advancement within an organization. Not many organizations have such a mature compliance function that a CCO is appointed to another senior level position within an organization.

Finally, as noted, the DOJ may now be looking at the quality of your CCO and compliance function. Laying this out is new, even if the DOJ may have informally frowned on sending an untrained or unqualified lawyer or other into run the compliance regime. I think the clear implication is that the DOJ will even look at salaries. Once again if a company tries to get by on the cheap, it may certainly come back to bite them in the end.

There is quite a bit in this area. Every CCO or compliance practitioner needs to read through and thoroughly understand how the Compliance Counsel will consider your program. You should even map out the requirements she has laid out publicly to your existing program. If you see a gap, fill it and think about how you would demonstrate effectiveness under this standard going forward if the DOJ comes knocking.

[View source.]