Is Your Compliance Team Plugged In? Recent DOJ Guidance Emphasizes Strong Compliance Integration and Communication Procedures


By Nina Gross and Jeff Harfenist

Nina Gross leads BDO’s Global Forensics practice in Washington, D.C., having 30 years of forensic accounting, investigation and consulting experience working with multinational organizations and their counsel. Ms. Gross has significant experience assisting clients in responding to sensitive investigative matters, as well as advising organizations on compliance, due diligence and anticorruption programs designed to deter and prevent the recurrence of fraud.

Jeff Harfenist leads BDO's Global Forensics Southwest practice and has more than 25 years of forensic accounting experience. He conducts fraud-related investigations involving numerous issues, including alleged violations of national anti-corruption laws (including the FCPA and U.K. Bribery Act), embezzlements, kickbacks, Ponzi schemes, diversion of assets, and financial reporting fraud. He also advises organizations on compliance, due diligence and anticorruption programs for the prevention of fraud.

The U.S. Department of Justice (DOJ) recently released a list of factors that prosecutors should consider when evaluating compliance programs in the context of determining whether to bring criminal charges against, or negotiate agreements with, an offending corporation. The factors, included in the document “Evaluation of Corporate Compliance Programs,” consist of 119 questions across 11 topic areas:

• Analysis and remediation of underlying misconduct
• Senior and middle management
• Autonomy and resources
• Policies and procedures
• Risk assessment
• Training and communications
• Confidential reporting and investigation
• Incentives and disciplinary measures
• Continuous improvement, periodic testing and review
• Third-party management
• Mergers and acquisitions

Much of what the DOJ looks for in a compliance program is apparent from this listing of factors—including performing compliance risk assessments; designing appropriate policies and procedures, ongoing data analytics and other monitoring processes for signs of violations; remediating identified weaknesses; performing due diligence; and conducting thorough investigations.

However, two closely related themes run through all 11 categories and their detailed questions: the integration of compliance into certain key aspects of an organization’s activities, and the effective communication of all compliance-related matters. In other words, the involvement of compliance personnel and compliance activities in other company functions, together with effective compliance communications, are at the core of a successful compliance program.

In this article, we will examine the five most important elements of integration and communication emphasized by the DOJ.

1. The Involvement of Compliance at the Strategic Level

Compliance should play an important role in an organization’s strategic and operational decision-making. Too often, compliance is an afterthought, considered only after a company’s strategic direction has already been decided. Just as enterprise risk management is best conducted in a strategy setting, compliance risk assessments should be driven by, and integrated into, strategic decision-making. A key characteristic of compliance risk assessment and risk management is the proactive identification of compliance issues, which can only occur if compliance is involved early and at the highest levels.

In its recent guidance, the DOJ indicates that compliance should have the opportunity to engage in meaningful conversations with the board of directors and external auditors without senior management present. This enables compliance to freely communicate any concerns with current strategic or operational decisions that have compliance ramifications or issues that senior management is not properly addressing.

2. The Involvement of Compliance in the Development and Implementation of Company Policies and Procedures

Once an organization’s compliance risks are identified, it is essential that compliance personnel remain involved throughout the preparation and rollout of all related policies and procedures. To do so, compliance should work closely with the individual business units affected by the policies and procedures being developed. By working together, these groups can develop sound and practical policies and procedures that can best address an organization’s compliance risks.

3. The Involvement of Compliance in Training Development

In the guidance, the DOJ devotes five questions to training. Compliance should have significant involvement in both the delivery and the development of training. The training content should be customized based on the company’s compliance risk assessment, as well as the specific policies and procedures developed to address each compliance risk.

Compliance personnel should also work closely with business units to identify which individuals should receive training. If a separate training and development function exists, compliance should involve them in determining the best methods and duration of training, based on the audience and the nature of the content to be delivered.

4. The Involvement of Compliance in Third-Party Due Diligence

The compliance group should provide input into the processes used for screening new vendors and other third parties prior to engagement. Too often, companies learn the hard way that many third parties that become involved in corrupt or fraudulent activity had previously exhibited signs of misconduct, behavior that could, and should, have been identified prior to entering into a relationship. Not all vendor and other third-party due diligence processes are alike. Compliance can play a vital role in customizing the due diligence process based on the compliance risks associated with each relationship.

Due diligence is important not only for vendors, but also for merger and acquisition targets. The DOJ makes two important points in this regard. The first question asks who was involved in reviewing the acquired and merged entities, with the implication that compliance should participate. The second question is even more pointed: “How has the compliance function been integrated into the merger, acquisition, and integration process” of the entities involved in the transaction? The role for compliance extends well past the due diligence phase. Post-merger and post-acquisition integration of compliance programs is key to preventing future issues involving the merged business unit(s).

5. The Involvement of Compliance in the Aftermath of Misconduct

The DOJ’s guidance asks who was involved in analyzing identified misconduct and developing the remediation steps in response. While compliance may or may not be directly involved in the investigation, the team should play a role in analyzing the misconduct and developing the remediation plan. The DOJ guidance explicitly indicates an expectation that compliance should have “full access to reporting and investigative information.”

Analysis of the misconduct should consider whether:

• The design of preventive and detective compliance controls was flawed;
• The operation of the controls broke down, due to either the natural erosion of controls that often occurs over time or insufficient care by individuals in carrying out their control-related responsibilities; or
• An intentional override or circumvention of compliance-related controls took place.

The answers to these questions usually determine how individual policies and procedures need to be modified to guard against similar future misconduct.

How an organization handles its communications following misconduct is equally critical. While companies have differing communication styles and opinions, it is vital that they implement a thoughtfully crafted organization-wide communication plan that informs everyone that the misconduct has been identified and the individuals involved have been disciplined. This sends a valuable message that:

• Compliance and ethics are important to senior management and the board;
• Breaches will not be tolerated; and
• Whistle-blower calls and other tips are taken seriously and thoroughly investigated (if applicable).

Most noncompliance events result in the identification of weaknesses in the design and/or operation of compliance-related controls. However, remediation must go beyond simply rewriting policies and procedures, and involve additional training led by the compliance team. This training may include educating staff on existing policies and procedures that had not been properly followed.

Conclusions

It can be easy to get lost in the details of the 119 questions in the DOJ’s corporate compliance guidance document; nevertheless, the guidance stresses some key factors for compliance professionals, boards and other stakeholders to focus on. Companies can develop solid compliance programs by integrating compliance into other relevant organizational activities and developing thoughtful compliance-related communications systems in advance. With the ever-increasing myriad of risks in today’s competitive environment, it is important to plug the compliance team in early and keep it plugged in daily.

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.