The DOJ updated their guidelines increasing expectations
In June 2020, the U.S. Department of Justice (DOJ) published an updated version of a guidance document called “Evaluation of Corporate Compliance Programs”, authored to direct companies on key compliance evaluation topics when determining the effectiveness of a company’s compliance programme.
Learning about what the government wants out of a compliance programme can be derived from these guidelines and others such as The FCPA Guide, information included with enforcement actions (that increased or decreased the penalty) or from reading the Federal Sentencing Guidelines. However, in looking at these other materials, the precise how-to for building or rebuilding a compliance programme is sometimes left open for interpretation. Companies should be keen to update their programmes when the government does show a focus in new or existing areas.
Updates to these guidelines are becoming an annual tradition for the DOJ as these were last updated in April 2019. Similar to when those changes were made, a dive into even subtle changes can and should shift resources and focus.
In the newest revisions, the start of the guidelines wastes no time explaining how prosecutors should consider “the effectiveness of the company’s risk assessment and the manner in which the company’s compliance programme has been tailored based on that risk assessment.” It goes on to state that “prosecutors may credit the quality and effectiveness of a risk-based compliance programme that devotes appropriate attention and resources to high-risk transactions, even if it fails to prevent an infraction.” This sentence used to end with “in a low risk area”, but that phrase was removed.
Clearly the US Government is spotlighting that in the existing business climate, more focus on compliance detail is warranted but more importantly that “attention and resources” are in place to operationally manage and perform the duties needed to maintain a law-abiding compliance programme. The removal of “a low risk area” indicates that such credit can be given even if the infraction isn’t in a low risk area and more broadly rewards a company for a risk-based compliance programme.
The idea of a risk-based approach shouldn’t be new to compliance practitioners, but this further emphasises the ability to base a compliance programme on such an approach. It is worthwhile to note this change too in the evolving global economy and the impact of COVID-19 where some departments will need to do the same (or more) tasks with the same (or less) resources. When allocating dollars and time, the tradition of a focus on high-risk entities holds true.
The Red Flag Group® studied the guidelines and identified five (5) areas that you might want to consider actioning:
- Third-party management – One of the biggest areas of change highlighted in the June 2020 guidelines is that companies need to do more to flag and manage risks from third parties. There is a new passage on the need to engage in risk management throughout the lifespan of the relationship. This means the DOJ wants companies to do refreshes of risk evaluations (and possibly due diligence) as well as ongoing monitoring. Additional emphasis is placed on knowing the risks posed by the third parties and not just the business rationale for using them. There is also more of an emphasis on third-party risk management, not just doing due diligence during onboarding.
- Hotlines – The DOJ added language that the hotline should be available to third parties as well as employees. Additionally, companies should measure if employees feel comfortable using the hotline.
- Compliance resources – More language on the need to have the compliance function adequately staffed with qualified individuals. Interesting to include this while the trend has been for compliance professionals to do more with less; this is amplified by the impact of COVID-19. Gatekeepers must have the necessary approval authority to monitor and maintain the programme’s success with certified resources following the updated guidelines.
- Operational integration – This is in place to ensure that employees understand the policies and the procedures in place to reinforce them. The Red Flag Group® often notices that documentation and follow-through, not only of systems but also of auditable documentation, are not in order.
- Training – Emphasises the fact that companies are moving to shorter, more targeted training modules. Let’s face it; nobody wants to sit through a 2-hour training course. Such an exercise might look good on paper but is just one piece of a holistic compliance programme.
Companies are being asked whether they “engage in risk management throughout the lifespan of the relationship.” In short, this means that risk management needs to take place not just at the onset of the relationship with the third party, but continuously.
There have been instances where a third party could be low risk and free of watchlist and media hits during the onboarding process but months or years later they are subject to investigations or sanctions. These third parties are not static, and companies need real-time updates to new risks presented as much as possible. Ongoing monitoring is also vital to make sure that companies are automatically notified of any new hits. It can be overwhelming managing all of your third-party relationships. It is recommended that an automated screening take place to run at all times where new hits are sent to compliance professionals to review, analyse and clear or escalate. Your existing programme may not be built to scale or flexible enough to manage during the lifespan of your relationships.
With The Red Flag Group®’s IntegraCheck® | Business Risk Analysis & Ratings, companies can better align to the updated DOJ guidelines using research and intelligence that allows you to meet your compliance, business and legal due diligence requirements. Likewise, using the IntegraWatch® | Compliance Screening database companies obtain the ability to perform real-time screening of entities and individuals with expert curated data on sanctions, watchlists and comprehensive adverse media.
Given the boom in calls coming into hotlines, clearly more focus on hotline effectiveness is a priority. In a recent webinar from The Red Flag Group®, it was found that lately, 84% of respondents had the same or more compliance issues. While the guidelines specifically focus on making sure the hotline is available to third parties, the hotline also needs to be measured on how effectively it is performing, based on the comfort of the participants using it.
The majority of reports that come into the hotline will typically be from employees but increasing the awareness and availability of the hotline to third parties increases the likelihood of discovering a potentially problematic situation. Companies can also require third parties to have hotline systems of their own, or make their own available to employees.
IntegraCall®, an AI-driven whistleblower platform, allows employees, suppliers, customers, and partners to report safely via an anonymous platform straight from their mobile devices or via an online portal. Included in the IntegraCall® solution is an advanced case-management tool to manage incidents from beginning to end, from case triage to conducting investigations and implementing remedial actions.
The DOJ guidelines specifically call out that “prosecutors should determine whether the corporation has provided for a staff sufficient to audit, document, analyse, and utilise the results of the corporation’s compliance efforts”. Employees need to be adequately informed about the compliance programme, and sufficient resources need to be committed to it. Again, from a recent webinar, The Red Flag Group® identified from respondents a decided lack of resource expansion due to the COVID pandemic. 95% of respondents said that they have about the same or fewer resources. This can make for an overworked compliance department or one that is stretched too thin, where issues fall through the cracks.
As compliance programmes are being asked to do more with less, while requirements for compliance effectiveness are up, using The Red Flag Group®’s Managed Services can help. Running a third-party compliance programme is challenging and requires considerable administration and oversight. We offer dedicated resources to handle all phases of your compliance programme – including implementation, administration, measuring and monitoring, reporting and improvement.
Managed Screening of third parties is a service provided whereby third-party names are screened against the IntegraWatch® | Compliance Screening database and a ‘Managed Screening Findings Report’ is created detailing the results. Our report lists all third parties screened, which third parties elicited hits against IntegraWatch®, and summaries of any identified hits.
Our screening model is simple – clients send us a list of third parties they want us to screen, along with some other minimum data points (such as country of the third party and role), and our team will screen these third parties and create a findings report.
Your programme’s maturity level is often measured by its operational integration. Effectiveness in policy rollout, procedural integration, and the systems needed to perform the duties of compliance should be in place.
An effective compliance programme is one that grows and changes over time. The DOJ now asks the question “Does the company review and adapt its compliance programme based upon lessons learned from its own misconduct and/or that of other companies facing similar risks?” This means that good industry standards (and for that matter best practices) have changed in the last five years. These changes should correspond to changes in the business and the new focus on the company either by product, market, region or via mergers, divestitures, or acquisitions.
The Red Flag Group® has worked with hundreds of global clients and noticed that employees are not always adequately informed. Likewise, employees often lack an understanding of the systems in place for compliance management. The Red Flag Group® has made significant investments in developing AI and machine learning tools to conduct research to ensure that our research is deep and defensible. The goal is to make your processes smarter, more productive, and faster than ever before. Building a defensible system means having resources dedicated and trained to perform the ongoing management of your compliance programme.
The DOJ specifically called out “shorter, more targeted training sessions”. With the rise in social media and the 2-minute clip, companies are keeping pace with the way that employees want to be communicated with. While a long course with an extensive table of contents might be comprehensive, learners could quickly tune out and mindlessly press buttons or day-dream for the remainder of the course.
The key takeaway is that people want and need training that is relevant to them.
Again, we can help as The Red Flag Group® has experts in compliance and what it takes to manage and measure the effectiveness of your programme. The DOJ guidance document updated in June 2020 placed a lot of focus on the training and communications of your compliance programme. Prosecutors will be looking at the steps taken by your company to ensure that policies and procedures are in place with periodic and documented training, certified for all directors, officers, and relevant employees. One primary focus is on your company’s business partners. Incidents now span to those partners which makes your organisation liable for defending if proper training, systems, and documentation were not in place.
On training, the guidance update highlights the following:
- Risk-based training – The guidelines specifically look at the control functions in place and what training the employees have received. Is tailored high-risk training in place in the area where the misconduct occurred? What variations in training have been implemented across those responsible? What analysis has the company undertaken to determine who should be trained on the subjects?
- Form/content/effectiveness of Training – Is there multi-lingual training available across your organisation? Is the training provided online or in person? Is there a process where employees can ask questions and are measurements in place to determine the effectiveness of the training?
- Communications about misconduct – Here the guidelines focus on the steps that senior management took to let the employees know of the company’s position concerning the misconduct. Keeping track of company communications or steps to discipline for failure to comply with the company’s policies, procedures, and controls needs to be in place.
- Availability of guidance – The DOJ guidelines are specific in looking at what resources have been made available to employees to provide guidance relating to compliance policies. Additional scrutiny measures how the company assessed whether its employees know when to seek advice and whether they would be willing to do so.
When you step back and evaluate your compliance programme, you should feel confident that it was built on a solid foundation: a foundation of confidence in adherence to the DOJ’s updated guidelines and the need to create a defensible position if challenged. Ideally, a compliance programme should be in place to create a competitive advantage where a company knows that it is taking calculated risks that result in greater business, larger bottom lines and fewer interruptions. While these interruptions can take the form of a government investigation and media headlines, they can also mean selecting a bad third party that disrupts operations or causes more trouble than they are worth.
The Red Flag Group® blends experts in the field plus over a decade of curated data and current technologies to help protect your organisation from blind spots that may keep your programme from holding up in a court of law.