Effective compliance programme
The easy way to monitor in your compliance programme
The FCPA Guidance specifies that “a good compliance program should constantly evolve. A company’s business changes over time, as do the environments in which it operates, the nature of its customers, the laws that govern its actions, and the standards of its industry.”
Therefore, compliance programmes that do not just exist on paper, but are followed in practice, will inevitably uncover compliance weaknesses and require enhancements. Consequently, DOJ and SEC evaluate whether companies regularly review and improve their compliance programmes and do not allow them to become stale.
The three components of an effective compliance programme
Continuous improvement requires that you not only audit but also monitor whether employees are adhering to the compliance programme. In addition to the language set out in the FCPA Guidance, two of the seven compliance elements in the US Sentencing Guidelines call for companies to monitor, audit, and respond quickly to allegations of misconduct. These three components are what enforcement officials look for when determining whether companies maintain adequate oversight of their compliance programmes.
Monitoring vs auditing
One activity that is extremely useful in the continuous improvement cycle, yet is often misused or misunderstood, is ongoing monitoring. This can stem from confusion about the differences between monitoring and auditing.
Monitoring is a commitment to reviewing and detecting compliance variances in real time and then reacting quickly to remediate them. A primary goal of monitoring is to identify and address gaps in your programme on a regular and consistent basis across a wide spectrum of data and information.
Auditing is a more limited review that targets a specific business component, region, or market sector during a particular timeframe in order to uncover and/or evaluate certain risks, particularly as seen in financial records. However, you should not assume that because your company conducts audits that it is effectively monitoring. A robust programme should include separate functions for auditing and monitoring. Although unique in protocol, the two functions are related and can operate in tandem. Monitoring activities can sometimes lead to audits. For instance, if you notice a trend of suspicious payments in recent monitoring reports from Indonesia, it may be time to conduct an audit of those operations to further investigate the issue.
Your company should establish a regular monitoring system to spot issues and address them. Effective monitoring means applying a consistent set of protocols, checks, and controls tailored to your company’s risks to detect and remediate compliance problems on an ongoing basis. Many compliance practitioners understand that you should be checking in routinely with local Finance departments in your foreign offices to ask if they have noticed recent accounting irregularities. Regional directors should be required to keep tabs on potential improper activity in the countries they manage. These ongoing efforts demonstrate that your company is serious about compliance.
An ongoing monitoring approach
Ongoing monitoring is not limited to the financial component of compliance. The Red Flag Group® have developed an ongoing monitoring approach for the human part of the compliance equation: a cost-effective form of email review using email sweeps. The concept is straightforward; at regular intervals you can sweep through your company email database for identified key words that can be flagged for further investigation, if required. The beauty of this approach is that it does not require an extensive eDiscovery software tool or license purchase. It can generally be accomplished in two days or less. It is also not limited to anti-corruption compliance but can cover any of the risk factors identified for your company, and you are only paying for the services when you need them and as they are delivered.
The objective of this approach is to ‘find the smoke’ which may be the evidence of a compliance breakdown (and related fire) by sweeping through emails to uncover those that may contain real issues. From this starting point, you can assess and prioritise, by checking and verifying that there are issues worth investigating. From here you can identify the issues you want to investigate first. Further, and if warranted, you can invoke your investigation protocol, with all the requisite protections and securities.
Finally, as the regulators continue to evolve in their understanding and appreciation of a best practice compliance programme, you will evolve your compliance programme to a new level of detection that could allow you to have more robust prevention. When your compliance programme has a strong prevention arm it can be an effective way to stave off issues from Foreign Corrupt Practices Act (FCPA) violations.
How to show continuous improvement
Continuous improvement through continuous monitoring will help keep your compliance programme abreast of any changes in your business model’s compliance risks and allow growth based upon new and updated best practices specified by regulators. A compliance programme is a continuously evolving organism, just as your company is continually improving its business processes. The FCPA Guidance makes clear the “DOJ and SEC will give meaningful credit to thoughtful efforts to create a sustainable compliance programme if a problem is later discovered. Similarly, undertaking proactive evaluations before a problem strikes can lower the applicable penalty range under the U.S. Sentencing Guidelines. Although the nature and the frequency of proactive evaluations may vary depending on the size and complexity of an organisation, the idea behind such efforts is the same: continuous improvement and sustainability.”
A GUIDE TO AN EFFECTIVE COMPLIANCE PROGRAMME
Making an effective compliance programme?
An effective compliance programme can protect a business by putting controls in place to prevent it from operating outside its legal and ethical obligations. It does this by having the policies and procedures in place to detect and prevent improper conduct or practices, which may result in any part or individual within the business acting illegally, either intentionally or accidentally, damaging its reputation.
The key to a successful compliance programme is establishing a culture of compliance.
If the management encourages employees to report incidents of non-compliance without the fear of retaliation and even rewards compliant behaviour, the business will also benefit and flourish.
Failure to achieve compliance can result in civil or criminal penalties, loss of reputation and, in extreme cases, the business may cease trading. With such high risk involved it is essential that everyone is on board, from the shareholders downwards.
A guide to effective compliance
The idea of creating an effective compliance programme may appear daunting, but it doesn’t have to be if it is broken down into small steps. Here they are:
1. Create and establish written policies, procedures and codes of conduct.
These should outline the compliance expectations within each department and operation. Determine and define who will be responsible for supervising, monitoring and enforcing the compliance programme, including covering for leave and sickness. All employees should be made aware of who is responsible for compliance and how to contact them.
2. Educate and train employees about compliance.
Employees, at every business level, need to understand what conduct is expected of them and how to achieve these standards in order to be compliant. The training programme should communicate the business’s compliance programme and what it is striving to achieve. Regular refreshers should highlight the importance of compliance and any changes to policies and procedures.
3. Establish open communication and encourage employees to proactively report compliance issues or questions in a timely manner.
4. Introduce a monitoring and auditing system to assess the effectiveness of your corporate compliance programme and to identify risks.
5. Create a plan to enforce standards of conduct in a timely manner, outlining appropriate disciplinary measures for employees who fail to comply with the programme requirements.
6. If violations or vulnerabilities are identified by means of the monitoring and auditing process, corrective actions should be predefined and undertaken in a timely manner.
If the idea of creating policies, procedures and processes to promote compliance in all of your business activities is overwhelming, it may be time to call in a compliance expert. They can support you to review your existing documentation and compile new documents to achieve compliance.
A compliance expert will analyse your organisation and set up the necessary processes and checks to establish a compliance programme based on your specific needs. Once in place, they can continue to offer training and support, leaving you to concentrate on other areas of the business.