2020 Update Review: Part 4 – CCO & Compliance

Thomas Fox - Compliance Evangelist

Last week, the Department of Justice (DOJ), without fanfare, released an update to its 2019 Evaluation of Corporate Compliance Programs, the 2019 Guidance. For simplicity this new document will be called the 2020 Update. The 2020 Update is most welcome news for every Chief Compliance Officer (CCO), compliance professional and corporate compliance program in the US and beyond. The reason is simple: it ends, once and for all, the dysfunctional reliance on paper compliance programs written by lawyers for lawyers and those who advocate for them. The DOJ has now articulated what both the business and compliance communities have learned: compliance is a business process and, as a process, it can be measured, managed and, most importantly, improved. I have looked at some key big-picture themes; the specific tactical steps of moving towards both continuous monitoring and continuous improvement of your compliance program; third parties; and a renewed emphasis on the need for robust due diligence and compliance involvement in the pre-acquisition phase of your mergers and acquisitions program. Today, I want to consider the emphasis on the CCO and the compliance function, the two clear winners in this 2020 Update.

Quality of CCO and Compliance

Under Part II, the changes started with the title of the section, which was amended to read “II. Is the Corporation’s Compliance Program Adequately Resourced and Empowered to Function Effectively?” This change was then driven home immediately in the introductory paragraph (all changes noted in italics): “Even a well-designed compliance program may be unsuccessful in practice if implementation is lax, under-resourced, or otherwise ineffective.” The introduction also added language from the US Sentencing Guidelines which reads, “(those with “day-to-day operational responsibility” shall have “adequate resources, appropriate authority and direct access to the governing authority or an appropriate subgroup of the governing authority”).”

This builds upon the changes started in the DOJ’s 2016 FCPA Pilot Program and the 2017 FCPA Corporate Enforcement Policy around the quality of your CCO and compliance function. It begins with questions such as what is the overall corporate investment in compliance? Is your spend in line with similarly situated organizations? What about the salaries of your CCO and compliance personnel? Does your organization skimp on them to save money? One major company in Houston has laid off their entire compliance staff; how will that be received by the government two, three or five years down the road?

The new queries posed by the 2020 Update in this area are:

  • Experience and Qualifications – Do compliance and control personnel have the appropriate experience and qualifications for their roles and responsibilities? Has the level of experience and qualifications in these roles changed over time? How does the company invest in further training and development of the compliance and other control personnel? Who reviews the performance of the compliance function and what is the review process?

In experience and qualification, clearly there must be ongoing professional development for the CCO, the compliance team members and also the other control personnel in the company. This means that as a leader every CCO should work with their compliance team to set up a clear path for career development and, more importantly, specific compliance subject matter expertise (SME). This includes the latest developments in compliance and evolving best practices. It also means as a CCO you have to do the same.

What about the phrase “other control personnel” and who is this group? I have long advocated use of non-compliance function gatekeepers in any best practices compliance program. Personnel should include the legal department, compliance function, Supply Chain, Human Resources, payroll and/or Internal Audit. It is basically any person in your company who makes decisions regarding compliance issues.

Look beyond paper line reporting and assess lines of communications and information reporting structures to ascertain how decisions and actions are taken regarding compliance issues. When it comes to budget and spend, for example, it is important to understand who authorizes compliance expenditures; the CCO, the Board or Audit Committee or the Chief Executive Officer (CEO) or perhaps other(s).

Here you need to tread carefully because if gatekeepers believe they understand compliance yet have very little appreciation of best practices, doing compliance or the operationalization of compliance, and are entrenched in their uninformed views, it may be a difficult process to move the company to a point which meets the DOJ requirements. You will need to determine if these gatekeepers will defer to the CCO and compliance SME or outside consultants as SMEs. The optimal situation is where the gatekeepers are highly knowledgeable but are willing to defer to the CCO as the compliance SME.

Data, Data, Data

The second area of inquiry is the access to and use of data, data analytics and transaction monitoring by the compliance function.

  • Data Resources and Access – Do compliance and control personnel have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls, and transactions? Do any impediments exist that limit access to relevant sources of data and, if so, what is the company doing to address the impediments?

This set of queries is not simply phrased in the negative; it requires a company to work to make such data available to the CCO and compliance function. This is a much more stringent requirement than the CCO calling up IT to find out what data might be available to monitor on an ongoing basis. These questions require every company to take affirmative steps to make the data available and get it to the compliance function in some type of usable format.

Finally, this inquiry ties back to the part of the title of Part II referenced above, which requires that a CCO and compliance function “be empowered to function effectively”. The requirement for accessibility to siloed data and its use by compliance will be critical in the business world moving forward. Compliance is truly at an inflection point and the forces of the Coronavirus health crisis, the economic dislocation and now the 2020 Update will drive compliance functions towards more and greater use of data in compliance going forward.

Join me tomorrow where I conclude my look into the 2020 Update with some final thoughts on where the compliance function is going.
