In today’s edition of Sunday Book Review:
Obviously, in every compliance program, the ethical tone of a company and accountability all starts at the top and, most specifically, senior management. The 2020 Guidance stated, “Beyond compliance structures, policies, and procedures, it is important for a company to create and foster a culture of ethics and compliance with the law at all levels of the company. The effectiveness of a compliance program requires a high-level commitment by company leadership to implement a culture of compliance from the middle and the top.” This requirement is more than simply the ubiquitous “tone-at-the-top,” as it focuses on the conduct of senior management. The DOJ wants to see a company’s senior leadership actually doing compliance. The DOJ asks if company leadership has, through their words and concrete actions, brought the right message of doing business ethically and in compliance to the organization. How does senior management model its behavior on a company’s values and finally, how is such conduct monitored in an organization?
Senior management must share these same values through operationalizing compliance going forward. Lynn Paine, in her seminal article “Managing for Organizational Integrity”, laid out five factors, which can be used as guideposts to not only to set the right tone from senior management on doing business ethically and in compliance, it can lay the groundwork for senior management to model appropriate behavior and then have it monitored by the company going forward.
I once had a Chief Executive Officer (CEO), observe the following, “You want me to be the ambassador for compliance.” I immediately said yes, that is exactly what I need you to do. A CEO, as an “Ambassador of Compliance”, can fully model the conduct that senior management engage in going forward. Another area a CEO can forcefully engage an entire company is through a powerful video message about doing business the right way and in compliance. A great example was a CenterPoint Energy video put out in 2015 after the Volkswagen (VW) emissions-testing scandal became public. The video featured Scott Prochazka, CenterPoint Energy President and CEO. He used the VW scandal to proactively address culture and values at the company and used the entire scenario as an opportunity to promote integrity in the workplace. But more than simply a one-time video, the company followed up with an additional resource, entitled “Manager’s Toolkit – What does Integrity mean to you?”, which managers used to facilitate discussions and ongoing communications with employees around the company’s ethics and compliance programs. Finally, the cost for the video was quite reasonable as it was produced internally.
Three key takeaways:
I want to next focus specifically on the tactical steps of moving towards both continuous monitoring and continuous improvement of your compliance program. These twin concepts are perhaps the biggest modifications in the 2020 Update. The changes began in Section 1- Risk Assessments. The question-by-question analysis begins with “Is the periodic review limited to a “snapshot” in time or based upon continuous access to operational data and information across functions?” Do you have access to continuous and real time transactional data at your organization? How about across silos within your organization. Most likely the answer to both is “no”. This means you no longer have a best practices compliance program at this point in time. How can you garner such information?
While there is only one question in the Lessons Learned section, it is a compound question. It not only inquiries about data you may have obtained through your own work but also from other company’s in your industry operating in the same geo-region. Without commenting on the potential anti-trust aspects of this issue, if there is public source information available to you (and there always is), how are you using this information in your compliance regime. But this can be simply having your fully operationalized employee base keeping their eyes and ears open at trade show or any other gatherings of industry employee.
The next area for continuous monitoring and continuous improvement was in an area of compliance which is not normally associated with those concepts, Policies and Procedures. The final area in the 2020 Update for consideration is appropriate called Continuous Improvement, Periodic Testing and Review and is found in the subsection monikered Evolving Updates. It reads:
How often has the company updated its risk assessments and reviewed its compliance policies, procedures, and practices? Has the company undertaken a gap analysis to determine if particular areas of risk are not sufficiently addressed in its policies, controls, or training? What steps has the company taken to determine whether policies/procedures/practices make sense for particular business segments/subsidiaries? Does the company review and adapt its compliance program based upon lessons learned from its own misconduct and/or that of other companies facing similar risks?
Similar to the language under Risk Assessment, this compound question considers the adaptation of a compliance program from your own lessons learned but also from other companies. The distinction now is that phrase is “other companies facing similar risks”? Think about how this language would apply to any company operating in China, West Africa or any other high-risk region in the globe. I would interpret this to mean every Chief Compliance Officer (CCO) and compliance practitioner needs to stay abreast of international anti-corruption enforcement actions where your company may be doing business.
Three key takeaways:
2020 was a very significant year for every compliance practitioner and compliance program. Not only was it the year with the single highest anti-bribery fine ever but there were significant enforcement actions, fines and penalties assessed against corporations coupled with a large number of individual prosecutions. Yet, perhaps most significantly, there were two noteworthy releases of information by the federal government which directly impacted compliance professionals. In June, the Department of Justice (DOJ) released its 2020 Update to the Evaluation of Corporate Compliance Programs – Guidance Document (2020 Evaluation) was released. It should be mandatory reading for every Chief Compliance Officer (CCO), compliance practitioner and professional or any other person interested in the latest thinking of the DOJ on what constitutes a best practices compliance program.
The second release was the DOJ and Securities and Exchange Commission (SEC) released the updated A RESOURCE GUIDE TO THE U.S. FOREIGN CORRUPT PRACTICES ACT SECOND EDITION (2020 FCPA Resource Guide). This was a most welcomed update to the seminal and original FCPA Resource Guide, released in 2012 and widely recognized as the single best volume on the FCPA. Some of the key changes for the compliance professional include the following.
This clearly mandates that once an allegation or even suspicion comes to the attention of compliance, it must be properly triaged, your investigation protocol should kick in with a detailed and effective investigation that is completed in a reasonable time and provide a response to the investigative findings. Moreover, an investigation is not the ending point and should be followed with a robust root cause analysis.
The 2020 Resource Guide is a most welcomed document from the DOJ and SEC. It brings forward the top FCPA and compliance resource from the past decade into this decade. The 2020 Update continues the DOJ communication to the compliance community about its expectations for a best practices compliance program.
Three Key Takeaways
Today I have a special year end episode where I am interviewed by Kevin Foster for his show Everything Ethics, which he has graciously allowed me to cross-post. It is a free flowing conversation about ethics with some compliance thrown in. It was a ton of fun to visit with Kevin. You can check out more about Kevin and his ethics trainings on the Resources below.
Resources
J. Kevin Foster LinkedIn Profile
Business Ethics Advisors
In this episode Jay Rosen, VP of Business Development for Affiliated Monitors, Inc. begins a five-part exploration of corporate culture. Corporate culture exists in the space between what an organization professes and what it does. It is important to pay attention to corporate culture as disconnects in this reality can be quite costly. Today, we consider what is ethical culture and why does it matter.
Highlights include:
For more information see Jay’s blog post What is Ethical Culture and Why Does it Matter? on Corporate Compliance Insights.
For more information on Affiliated Monitors, Inc. check out their website here.
Compliance into the Weeds is the only weekly podcast which takes a deep dive into a compliance related topic, literally going into the weeds to more fully explore a subject. Today we consider the question of who in an organization should oversee a hotline. Once that decision is made, who should manage the hotline. Some of the issues we consider are:
Resources
For more information see Matt’s blog post in Radical Compliance:
Who Should Run the Hotline?
