There is no shortage of best practice advice on the tenets of an effective compliance program, but finding guidance on demonstrating, testing and documenting program effectiveness can be a challenge. Regulatory bodies have largely made clear their requirements for compliance program assurance: they expect compliance officers to test, monitor and continuously refine policy, procedures and programs to reduce margins of error and adapt to shifting operational, geopolitical, regulatory and data landscapes.
The latest Department of Justice Guidance Document on Evaluation of Compliance Programs instructs prosecutors to consider “whether a compliance program is a ‘paper program’ or one implemented, reviewed and revised, as appropriate, in an effective manner.”
The US Sentencing Commission states that an organization should “take reasonable steps…to ensure that the organization’s compliance and ethics program is followed, including monitoring and auditing to detect criminal conduct [and]…to evaluate periodically the effectiveness of the organization’s compliance and ethics program.”
The UK Bribery Act’s guidance on “Adequate Procedures” is more specific, requiring organizations to “consider how to monitor and evaluate the effectiveness of their procedures and adapt them where necessary…. Organizations could…consider formal periodic reviews and reports for top-level management… [and] might wish to consider seeking some form of external verification or assurance of the effectiveness of procedures.”
What does this mean in practice?
We’ve seen the compliance function evolve from a traditional tick-box cost center into a key business stakeholder, often tasked with protecting a company’s most precious commodity: its reputation. This responsibility, along with the influx of data sources and technology under a compliance professional’s watchful eye, has shifted compliance assurance from an exercise of outlining program design and intent to a multi-faceted stress test aimed at adding value to overall business operations.
As members of senior management become more engaged with and aware of risk, they look to the compliance function to educate them on their companies’ evolving risk profiles and advise them on the optimal path forward. The litmus test of an effective internal compliance program is whether senior management trusts that risk is being approached responsibly. Demonstrating that your organization can quickly identify and respond to a host of issues—from bribery and corruption risk to fraudulent activity, cyber security, privacy issues and sanctions exposure—establishes that trust and solidifies the compliance function as a strategic pillar of the organization.
So much to do
Compliance programs are commonly limited to being reactive, and many organizations simply don’t know where to begin to truly transform their compliance functions. To build a demonstrably effective compliance program, companies should consider the following five key areas:
- Take a risk-based approach to your entire compliance program
While many companies may claim to take a risk-based approach to compliance, we advise our clients to expand this prioritizing mechanism, so often used in the application of due diligence, across their entire program. Leverage your company’s enterprise risk management process or develop a model to assess and address your highest-risk operations and begin to invest there. Where is your exposure coming from? Is it country-based? Do you have complex sales and marketing functions prone to improper activity? How exposed is your business to political influence? How secure is your data? Risk profiling will look different for every organization—but developing this programmatic model allows for a level of transparency and C-suite dialogue around compliance investment and effectiveness.
Much like enhancing levels of due diligence, program risk rankings may simply demand new policies and procedures at the lowest category, while your highest-risk operations might require more involved investments such as predictive analytics or site visits. Consider the GlaxoSmithKline (GSK) FCPA enforcement: pharmaceuticals and healthcare organizations have long been susceptible to pay-to-prescribe schemes, and China’s largely state-run healthcare system carries a high risk of corruption and bribery. Taking a risk-based approach, GSK would likely have been advised to invest in analytical transaction monitoring. Anomalies in a high-risk jurisdiction such as China would have triggered an early investigation and site visits around practices within its extensive direct and indirect sales pipeline.
- Gain control over your organization’s data
Data can make or break a strong compliance program. This can be a pain point for smaller and midsize organizations that feel this is an unattainable goal without the compliance budgets of large multinational organizations. Control of data is, however, not just a “nice to have;” regulators have sent a clear signal that it is becoming a requirement. We’ve seen a rise in the “mega-investigation” in recent years and, as Director of the UK’s Serious Fraud Office Lisa Osofsky has remarked, “The sheer amount of data available has increased exponentially over recent years. Our intelligence unit is already using more powerful analytic tools to make connections across disparate and diverse datasets to enhance our development of strategic intelligence.” Those same analytical tools can and should be used proactively by organizations; doing so is no longer the ideal but the expectation.
If you are unsure where to start, use the risk-based program approach to prioritize. One indicator for investment can come from regulatory enforcements in your industry or countries of operation. Look at the root cause of regulatory sanctions and determine whether your organization is vulnerable to a similar issue.
As an example: the Och-Ziff Capital Management Group agreed to a settlement of FCPA charges following an investigation which found that deficient internal controls helped conceal payments made to intermediaries, agents and business partners in order to pay bribes to high-level government officials in several African countries. If Och-Ziff had leveraged internal audit findings to craft ongoing analyses of payment data, it potentially would have spotted the red flags prior to regulatory intervention. Allowing for hindsight bias, this example nevertheless shows the potential power of data being collectively analyzed and reviewed through a compliance framework.
- Identify root causes and openly address your flaws
In some cases, the root cause of an issue and its required countermeasure may be obvious. For example, an isolated incident of an employee not following policy would require additional education to ensure compliance. In other cases, such as conflicts of interest, the root cause is not so obvious or raises broader concerns about culture, which are more challenging to effectively remediate. When monitoring and auditing your organization’s program, scrutinize issues in the aggregate to ensure that patterns of systemic risk are being addressed and wider issues are not being ignored in favor of a quick fix. Policy may be misunderstood in some regions—or perhaps there is a widespread issue of corruption within your supply chain. Either way, you must analyze the root cause in order to properly remediate the issue. Root cause analysis also facilitates the ability to be transparent with the business and employees about ongoing compliance challenges.
Nothing brings better awareness to an issue like real-life examples. The compliance programs we see working the best are the ones that are open and honest. Communicating instances of misconduct—or, more generally, compliance issues that have been identified and how they have been remediated—sends a clear signal that your program is being actively monitored, gives employees insight into what is being monitored and creates a dialogue around compliant and ethical behavior.
- Get local
It cannot be stressed enough that effective programs need to be rolled out locally with training, procedures and monitoring all tailored to the local operating environment. Cultural nuances, accepted business practices, geopolitical circumstances and human rights issues from country to country should be factored into program design and implementation. The local appetite for compliance and ethics, as they relate to the risk tolerance of the corporate headquarters, will influence resource allocation—some programs will only require light-touch monitoring and training and others will require site visits and a more hands-on approach to ensuring the business has the understanding, resources and tools necessary to ensure ongoing compliance.
For example, labor welfare risk for major construction projects in the countries of the Gulf Cooperation Council (GCC), where local labor laws and regulations are not always fully understood or adhered to, presents a significant challenge for compliance programs in the region that doesn’t necessarily exist for operations in other parts of the world. The region is no stranger to controversy surrounding the treatment of construction workers and laborers, and international companies expose themselves to significant reputational risks by not paying close enough attention to the treatment of both their own workers and those in their supply chain—and not monitoring, through a local compliance program, what is actually happening on the ground. Companies should embed specific policies and processes to address labor welfare risks, which are then regularly monitored, to ensure compliance with local requirements.
- Incentivize compliance
Effective compliance programs must be completely integrated into an organization’s operations and ethos. One way to ensure this is by thinking creatively about ways to incentivize compliance and the backing of compliance programs. Although zero tolerance of unethical conduct should continue, balancing discipline with encouragement of compliant behavior is a useful approach. Building incentives means doing more than rewarding the avoidance of compliance mishaps. There has been increasing movement to recognize contribution to compliance and ethics as part of senior managers’ performance reviews and bonus targets—including, for example, tracking the training completion of subordinates, driving thought leadership and messaging efforts to promote compliance, and achieving success in compliance audits. Incentivizing compliance in this way encourages compliance and ethics to be part of a continuous dialogue both locally and at headquarters. As senior leaders develop their own compliance scorecards for their areas of oversight, you will begin to see a shift from tick-box approaches to real value creation that can be demonstrated and carried forward.
Closing the loop
Closing the loop on your organization’s compliance program by demonstrating effectiveness is achievable. As risk and its impact on an organization’s bottom line continue to intensify, senior leaders often look to the compliance program as a first line of defense. Those senior leaders—as well as regulators—are expecting you to be able to defend and demonstrate your program’s intent and strategic direction. Can you identify and respond to risks in a timely manner and keep a detailed view of the entirety of business operations? Where resources are limited, take a risk-based approach to investment, ensure business partners are incentivized to be program champions and properly tailor corporate policy to meet regional needs. In demonstrating effectiveness, data will be your biggest challenge and your greatest strength. As regulators continue to demonstrate the power of data in investigations, organizations should take note and mirror those techniques in proactive, rather than reactive, measures.
About the Author:
Michele Wiener is a Senior Partner within Control Risks’ Compliance, Investigations and Technology practice in the Americas region. She has significant experience in fraud and corporate compliance matters in the US and abroad. Working on behalf of legal counsel, boards of directors and senior management of public and private corporations, Michele specializes in conducting complex corporate investigations and forensic accounting engagements involving allegations of corruption, financial reporting fraud, internal controls and books and record-keeping violations under both the Foreign Corrupt Practices Act (FCPA) and UK Bribery Act. She has led engagements in more than 30 countries, including the US, Latin America, Europe, the Middle East, Africa and Asia. Michele has also helped companies design, evaluate and improve anti-corruption and anti-fraud compliance programs. In 2019, Michele and her team were named Compliance Consulting Team of the Year at the C5 Women in Compliance Awards.
Oliver Martin-Robinson is a Client Services Manager within Control Risks’ VANTAGE practice focusing on the Americas. He has responsibility for managing clients in the region’s VANTAGE engagements, and ensuring that we exceed the client’s expectations with the overall quality of service from Control Risks. Having been at the company for over six years, he has gained extensive experience across multiple services in both the Middle East and Americas. Before moving to New York in 2018, Oliver spent five years in Dubai, where he managed compliance and sanctions due diligence, business intelligence and investigatory engagements. He has also focused on regulatory risk and investigations more recently in the Americas, including in complex post-settlement monitorships.