Today, I consider what techniques you, as Chief Compliance Officer (CCO), can use to create continuous improvement in your compliance program. As the Department of Justice (DOJ) stated in the 2019 Guidance, “One hallmark of an effective compliance program is its capacity to improve and evolve.” Its implementation should help you to uncover and evaluate areas of risk and opportunities for improvement. Moreover, your business changes over time in such areas as the environments in which it operates, the nature of its customers, the laws applicable to it and industry standards. All of this simply means business is dynamic and your compliance regime must be so as well.
Hallmark Nine of the Ten Hallmarks of an Effective Compliance Program, as articulated in the 2012 FCPA Guidance, stated:
A good compliance program should constantly evolve. A company’s business changes over time, as do the environments in which it operates, the nature of its customers, the laws that govern its actions, and the standards of its industry. In addition, compliance programs that do not just exist on paper but are followed in practice will inevitably uncover compliance weaknesses and require enhancements. Consequently, DOJ and SEC evaluate whether companies regularly review and improve their compliance programs and not allow them to become stale.
This insight was carried forward in the DOJ’s 2019 Evaluation, which lists four areas of continuous improvement: 1) internal audit, 2) control testing, 3) evolving updates, and 4) assessing culture. Each category was further refined with multiple attendant questions.
You should keep track of external and internal events which may cause changes to business processes, policies and procedures. Some examples are new laws applicable to your business organization and internal events which drive changes within a company, e.g., a company reorganization or major acquisition. Continuous improvement requires that you not only audit but also monitor whether employees are staying with the compliance program. In addition to the language set out in the 2012 FCPA Guidance, two of the seven compliance elements in the US Sentencing Guidelines call for companies to monitor, audit, and respond quickly to allegations of misconduct. These three activities are key components enforcement officials look for when determining whether companies maintain adequate oversight of their compliance programs.
The bottom line is that the DOJ will reward efforts to promote improvement and sustainability. This includes incorporating lessons learned into your compliance program, which you might have uncovered through monitoring and auditing and by periodically evaluating the effectiveness of your compliance regime. Proactive efforts will be rewarded in connection with the form of any resolution or prosecution but, more importantly, may avert problems down the line. This is why a “check the box” approach is not only disfavored by the DOJ, but, at the end of the day, it is also ineffectual. This is because each compliance program should be tailored to the enterprise’s own specific needs, risks, and challenges.
Your company should establish a regular monitoring system to spot issues and address them. Effective monitoring means applying a consistent set of protocols, checks, and controls tailored to your company’s risks to detect and remediate compliance problems on an ongoing basis. To address this, your compliance team should be checking in routinely with local finance departments in your foreign offices to ask if they have noticed recent accounting irregularities. Regional Directors should be required to keep tabs on potential improper activity in the countries they manage. These ongoing efforts demonstrate that your company is serious about compliance.
What should you do with this information? I would suggest that you have a strategic plan in place ready to implement your findings of continuous improvement, by using the following:
Review the goals of the strategic plan. This requires that you arrange a time for the CCO and team to review the goals of the Strategic Plan. The CCO should lead this review to determine how each goal in the Plan measures up to its implementation in your company.
Design an execution plan. The “Keep it Simple Sir” or KISS method is the best way to move forward. This would suggest that for each compliance goal, there should be a simple and straightforward plan to ensure that the goal in question is being addressed.
Put accountabilities in place. In any plan of execution, there must be accountabilities attached to it. This requires the CCO or other senior compliance department representatives to put these in place and then mandate a reporting requirement on how the task assigned is being achieved.
Schedule the next review of the plan. There should be a regular review of the process. It allows any problems which may arise to be detected and corrected more quickly than if meetings are held on a less frequent basis.
It is a function of the CCO to reinforce the vision and goals of the compliance function, where assessment and updating are critical to an ongoing best practices compliance program. If you follow this protocol, you will put a mechanism in place to demonstrate your company’s commitment to compliance by following through on intentions as set forth in your Strategic Plan.
Continuous improvement through continuous monitoring or other techniques will help keep your compliance program abreast of any changes in your business model’s compliance risks and allow growth based upon new and updated best practices specified by regulators. A compliance program is in many ways a continuously evolving organism, just as your company is constantly evolving. You need to build in a way to keep pace with both market and regulatory changes to have a truly effective anti-corruption compliance program. As the 2012 FCPA Guidance made clear:
DOJ and SEC will give meaningful credit to thoughtful efforts to create a sustainable compliance program if a problem is later discovered. Similarly, undertaking proactive evaluations before a problem strikes can lower the applicable penalty range under the U.S. Sentencing Guidelines. Although the nature and the frequency of proactive evaluations may vary depending on the size and complexity of an organization, the idea behind such efforts is the same: continuous improvement and sustainability.
Three key takeaways:
- Your compliance program should be continually evolving
- Have a mechanism to incorporate lessons learned from oversight into your compliance program
- The DOJ and Securities and Exchange Commission (SEC) will give meaningful credit to thoughtful efforts to create a sustainable compliance program if a problem is later discovered