Categories
31 Days to More Effective Compliance Programs

31 Days to a More Effective Compliance Program: Day 12 – Your Code of Conduct

What is the value of having a Code of Conduct? In its early days, a Code of Conduct tended to be lawyer-written and lawyer-driven, something to wave in a regulator’s face during an enforcement action as proof of overall ethical behavior. Is such a legalistic code effective? Is a Code of Conduct more than simply your company’s internal law? What should be the goal of creating your company’s Code of Conduct?

How important is the Code of Conduct? Consider the 2016 SEC enforcement action involving United Airlines, Inc., which turned on a violation of the company’s Code of Conduct. The breach of the Code of Conduct was determined to be an FCPA internal control violation. It involved a clear quid pro quo benefit paid out by United to David Samson, the former Chairman of the Board of Directors of the Port Authority of New York and New Jersey, the public government entity that has authority over, among other things, United’s operations at the company’s huge east coast hub in Newark, NJ.

Three key takeaways:

1. A Code of Conduct is a foundational document in any compliance regime.

2. The substance of your Code of Conduct should be tailored to the company’s culture, to its industry, and to its corporate identity.

3. “Document, Document, and Document” your training and communication efforts regarding your Code of Conduct.


31 Days to a More Effective Compliance Program: Day 11 – Moving Compliance Tone Down Through an Organization

The 2023 ECCP made it clear that a company must have more than simply good ‘Tone-at-the-Top’; it must move down through the organization from senior management to middle management and into its lower ranks. It stated, “Beyond compliance structures, policies, and procedures, it is important for a company to create and foster a culture of ethics and compliance with the law at all levels of the company. The effectiveness of a compliance program requires a high-level commitment by company leadership to implement a culture of compliance from the middle and the top.”

Employees often look to their direct supervisor to determine what the tone of an organization is and will be going forward. Many employees of large, multi-national organizations may never have direct contact with the CEO or even senior management. By moving the values of compliance through an organization into the middle, you will be in a much better position to inculcate these values and operationalize compliance with them.

Three key takeaways:

1. Tone at the top—direct supervisors become the most important influence on people in the company

2. Give your middle managers a toolkit around compliance so they can fully operationalize compliance

3. Organizational justice is an additional way to help operationalize compliance


31 Days to a More Effective Compliance Program: Day 10 – Leadership’s Conduct at The Top

The 2022 Monaco Memo emphasized the basic point that the key to every company is culture. The bottom line is that corporate culture matters, and corporate culture that fails to hold individuals accountable or fails to invest in compliance—or worse, that thumbs its nose at compliance—leads to bad results.

To assist companies in understanding this requirement, the 2023 ECCP sets out inquiries demonstrating that DOJ requirements are more than simply the ubiquitous “tone-at-the-top,” as they focus on the conduct of senior management. The DOJ wants to see a company’s senior leadership actually doing compliance. The DOJ asks if company leadership has, through their words and concrete actions, brought the right message of doing business ethically and in compliance to the organization. How does senior management model its behavior based on a company’s values and finally, how is such conduct monitored in an organization?

Three key takeaways:

1. Senior management must actually do compliance—not simply talk the talk of compliance but also walk the walk.

2. The DOJ is now actively assessing corporate culture during investigations.

3. Your CEO is a Compliance Ambassador.

 


31 Days to a More Effective Compliance Program: Day 9 – Continuous Monitoring and Continuous Improvement

Continuous monitoring and continuous improvement are two of the most important phrases for any compliance program. These twin concepts were further enshrined in the 2023 Update to the Evaluation of Corporate Compliance Programs (2023 ECCP). In 2023, all companies’ risks changed as we moved from Working From Home to Return To Office and, now, a hybrid model. In addition to this straightforward change in risk due to working locations, new risks in the form of geopolitical, supply chain, and export control, as well as increased risk due to social media, continue to impact compliance programs. Your compliance program must be ready to respond to whatever those risks might be going forward.

Continuous improvement runs the gamut in a best practices compliance program, from risk assessments to policies and procedures to periodic testing and review.

Three key takeaways:

1. How have your company’s risks changed over the past year, and how will they change in 2024?

2. What is your process for continuous monitoring and improvement?

3. What sources of information do you use that come from outside your organization?


31 Days to a More Effective Compliance Program: Day 8 – Operationalizing Compliance Through Payroll

One of the areas articulated in the 2023 ECCP was around payments and payroll. For both the compliance professional and the corporate payroll function, there is a significant role to play in the operationalization of a corporate compliance program. The 2023 ECCP was replete with references to payment and its critical nature to any best practices compliance program. This includes references to payments to foreign officials, payments to third parties, and hiding bribes in payments to distributors. The 2023 ECCP begins with an admonition to stop wasting time on low-hanging fruit when there are much higher risks in your business operations.

The role of payroll in compliance is not often considered in operationalizing your compliance program, yet the monies to fund bribes must come from somewhere. Unfortunately, one of those places is payroll. All CCOs need to sit down with their head of payroll, have them explain the role of payroll, and then review the internal controls in place to see how they facilitate compliance goals. From that review, you can then determine how to use payroll to help operationalize your compliance program.

The DOJ has now provided its clearest statement on how it expects a company to actually comply going forward. Long gone are the days where the DOJ simply considered the inputs of a written program as sufficient to protect companies from compliance violations. Yet the mandate to operationalize a corporate compliance program drives home the concept that compliance is a business process that should be administered by the appropriate business unit with the requisite SME. When it comes to following the money, payroll is the most well-suited corporate discipline to provide this first level of oversight and control.

Three key takeaways:

  1. Payroll can be a key to preventing and detecting control
  2. The 2020 Update specified the tie between the corporate compliance function and the corporate payroll function.
  3. Offshore payments remain a key indicator of a red flag.

31 Days to a More Effective Compliance Program: Day 2 – 2023 Evaluation of Compliance Programs: Incentives and Consequences

The 2023 ECCP had significant changes regarding compliance-based incentives, both financial and non-financial; consequence management; messaging apps; and ancillary matters.

I.    Incentives

This section begins with a new introduction that makes clear the seriousness with which the DOJ views incentives, both financial and other types of incentives. The ECCP states, “The design and implementation of compensation schemes play an important role in fostering a compliance culture.”

The ECCP also added a new section on financial incentives, which directs prosecutors to specifically evaluate how a company designs and applies financial incentives. These four questions basically break down into the following continuum: (1) Assessment, (2) Analysis, (3) Implementation, and (4) Monitoring.

II.   Consequence Management

The DOJ has been talking about clawbacks for some time now. However, the revised language of the ECCP puts more rigor into what the DOJ is now mandating.

a.   Clawbacks

The DOJ has made it clear that companies need to seek to recover amounts paid out to executives that were illegally received as corporate compensation. This could include salary, stock options, similar payments, or discretionary bonuses. All of this means every compliance program will need to analyze each of these components as set out.

b.   Consequence Management

The DOJ also mandated that compliance programs take a deeper dive into their entire financial incentive program—both incentives and disincentives. While there is some overlap with the clawback language, there is quite a bit of newness in these areas. The DOJ’s hotline and speak-up reports directly relate to a company’s culture of compliance.

Three key takeaways:

1. The 2023 ECCP brought significant changes to both financial incentives and negative consequences.

2. The new financial incentive analysis is: (1) Assessment, (2) Analysis, (3) Implementation, and (4) Monitoring.

3. Clawbacks and Consequence Management are related but separate parts of a best practices compliance program.

Categories
Blog

What 2023 Brought to Compliance – The 2023 ECCP

January 2023 saw the release of the 2023 U.S. Department of Justice Criminal Division Evaluation of Corporate Compliance Programs (ECCP). It brought forward several new initiatives laid out in the 2020 Update to the Evaluation of Corporate Compliance Programs, including additions and deletions. It also incorporated many of the concepts from the 2022 Monaco Memo. It contained new incentives, both financial and non-financial; consequence management; and messaging apps. A summary for the compliance professional follows.

Incentives

This section begins with a new introduction which makes clear the seriousness with which the Department of Justice (DOJ) views incentives, both financial and other types of incentives. The ECCP states, “The design and implementation of compensation schemes play an important role in fostering a compliance culture. Prosecutors may consider whether a company has incentivized compliance by designing compensation systems that defer or escrow certain compensation tied to conduct consistent with company values and policies. Some companies have also enforced contract provisions that permit the company to recoup previously awarded compensation if the recipient of such compensation is found to have engaged in or to be otherwise responsible for corporate wrongdoing. Finally, prosecutors may consider whether provisions for recoupment or reduction of compensation due to compliance violations or misconduct are maintained and enforced in accordance with company policy and applicable laws. Compensation structures that clearly and effectively impose financial penalties for misconduct can deter risky behavior and foster a culture of compliance.”

The ECCP also added a new section on financial incentives which directs prosecutors to specifically evaluate how a company designs and applies financial incentives. These four questions basically break down into the following continuum: (1) Assessment, (2) Analysis, (3) Implementation, and (4) Monitoring.

Incentive program assessment. Here you need to review your corporate incentive program for all employees, most particularly the discretionary bonus program but also your non-financial incentives such as promotion.

Incentive program analysis. Here you need to see what perverse incentives may exist in your organization.

Incentive program implementation. After implementation of the incentive program, it must be monitored.

Incentive program monitoring. Here there needs to be ongoing monitoring of the incentive program, including whether the company has ensured effective management of the incentive program.

Consequence Management

The DOJ has been talking about clawbacks for some time now. However, the revised language of the ECCP puts more rigor around what the DOJ is now mandating. This section begins by noting that financial penalties as well as financial incentives can influence employee behavior and that prosecutors are now required to consider both aspects. It states:

By way of example, prosecutors may consider whether a company has publicized disciplinary actions internally, where appropriate and possible, which can have valuable deterrent effects. Prosecutors may also consider whether a company is tracking data relating to disciplinary actions to measure effectiveness of the investigation and consequence management functions.

Clawbacks

The DOJ has made clear that companies need to seek to recover amounts paid out to executives which were illegally received as corporate compensation. This could include salary, stock options or similar payments, or discretionary bonuses. All of this means every compliance program will need to analyze each of these components as set out. It will also require a review of executive contracts to determine if there are clawback provisions set out in each employment contract. If there are no such provisions, they will need to be inserted. Finally, what “specific examples of actions taken” does a company have to show to the DOJ should they come knocking?

Consequence Management

The DOJ also mandated that compliance programs take a deeper dive into their entire financial incentive program, both incentives and disincentives. While there is some overlap with the clawback language, there is quite a bit new in these areas. The DOJ ties hotline and speak-up reports directly to a company’s culture of compliance. The DOJ goes on to ask about substantiation rates, closure rates, consistent and fair application of discipline (and rewards when called for) and root cause analysis, which are not simply technical aspects of compliance programs but are concrete steps companies can implement to engender trust with employees that their concerns will be taken seriously and then acted upon when they are raised. Once again, as with clawbacks, these are levels of analysis that many compliance programs have not yet taken but are now required to take.

Messaging Apps

The ECCP opened this section by noting, “Messaging applications have become ubiquitous in many markets and offer important platforms for companies to achieve growth and facilitate communication.” For any company under investigation or in a Foreign Corrupt Practices Act (FCPA) enforcement action, the DOJ will evaluate its “policies and mechanisms for identifying, reporting, investigating, and remediating potential misconduct and violations of law…governing the use of personal devices, communications platforms, and messaging applications, including ephemeral messaging applications.” Off-the-shelf policies will not be sufficient, as the company’s management of messaging apps “should be tailored to the corporation’s risk profile and specific business needs.” Not surprisingly, the DOJ is also concerned about storage, access and even backups, requiring that “business-related electronic data and communications are accessible and amenable to preservation by the company.” Training and communication of these policies and procedures will also be evaluated and “whether the corporation has enforced the policies and procedures on a regular and consistent basis in practice.”

Final Thoughts

What does it all mean for the compliance professional going forward? The 2023 ECCP and the year in compliance bore out the following.

Use of Monitors

In the introduction, it states, “Moreover, Criminal Division policies on monitor selection instruct prosecutors to consider, at the time of the resolution, whether the corporation has made significant investments in, and improvements to, its corporate compliance program and internal controls systems and whether remedial improvements to the compliance program and internal controls have been tested to demonstrate that they would prevent or detect similar misconduct in the future to determine whether a monitor is appropriate.” This language is a firm rejection of the Benczkowski Memo and the prior administration’s reticence to employ monitorships as a tool to ensure compliance with not only the settlement documents but also the creation and implementation of a compliance program.

Internal Compliance Controls

Under Section II, entitled “Is the Corporation’s Compliance Program Adequately Resourced and Empowered to Function Effectively?”, is the new language, “In this regard, prosecutors should evaluate a corporation’s method for assessing and addressing applicable risks and designing appropriate controls to manage these risks.” This simple sentence packs quite a wallop, as it mandates a risk assessment, design and implementation of appropriate internal compliance controls, and then monitoring of those controls to see if they are managing the risks identified in the risk assessment. Many of these concepts are fleshed out in the ECCP, but it is clear this is a minimum expectation from the DOJ.

Adequate Compensation and Salary/Bonus Review for Compliance

Under Section III, Does Your Compliance Program Work in Practice, is the following new language “Independence and Empowerment – Is compensation for employees who are responsible for investigating and adjudicating misconduct structured in a way that ensures the compliance team is empowered to enforce the policies and ethical values of the company? Who determines the compensation, including bonuses, as well as discipline and promotion of compliance personnel or others within the organization that have a role in the disciplinary process generally?”

This is a significant new addition to the ECCP. It forces a company to adequately compensate those employees who investigate and pass judgment on misconduct. But it is more than simply adequate compensation, as it also requires a company not to retaliate via low salaries or limited raises or other compensation for doing their jobs as compliance officers. In other words, if the CEO is being investigated by compliance, that same CEO should not be setting or reviewing the salary of the CCO or those doing the investigation. This mandates that the DOJ will review the entire corporate organization on these issues.


One Month to a More Effective Compliance Program Through Data Analytics: Day 10 – The Impact of Privacy Regulations on Compliance

What is the impact of privacy regulations on data-driven compliance? Every CCO must be aware of the importance of privacy in data-driven compliance and the challenges and tradeoffs involved in implementing effective compliance strategies. A key mandate is for CCOs and compliance professionals to have a compliance program that provides visibility into their data. This emphasizes the importance of having efficient and effective compliance solutions in place or, as I have previously noted, CCOs must have access to their compliance data literally at their fingertips.

This is one of the drivers for key trends shaping compliance technology in 2025 and beyond. The RegTech market is growing rapidly, and there is increased regulatory focus on cryptocurrency activities, ESG, and information security and cybersecurity. These trends indicate the evolving landscape of compliance and the need for organizations to stay updated and adapt their compliance strategies accordingly. By embracing connected compliance and leveraging technology, organizations can navigate the complex regulatory landscape and ensure compliance with privacy regulations while driving business efficiency.

Three key takeaways:

  1. CCOs and compliance professionals must have a compliance program that provides visibility into their data.
  2. ESG regulations affect not only regulated industries but also any company holding private customer data or involved in large supply chains.
  3. By embracing connected compliance and leveraging technology, organizations can navigate the complex regulatory landscape and ensure compliance with privacy regulations while driving business efficiency.


One Month to a More Effective Compliance Program Through Data Analytics: Day 5 – Data Driven Compliance and ESG Integration

ESG integration focuses on incorporating environmental, social, and governance considerations into business processes. This broader overview allows organizations to gain a comprehensive understanding of their impact, save costs, improve efficiency, and increase profitability. However, it is important to note that ESG initiatives often come with additional costs, as environmentally sound products may be more expensive than traditional alternatives. This is a tradeoff that companies must carefully consider when implementing ESG practices.

ESG integration in business processes is crucial for organizations aiming to enhance their compliance programs and make informed decisions. By leveraging data analytics, companies can identify and address ESG risks and opportunities more effectively. Collaboration and information sharing among companies also play a significant role in improving compliance efforts. As the compliance landscape continues to evolve, staying informed and adapting to new evaluation processes will be key for compliance professionals.

Three key takeaways:

  1. ESG integration in business processes is crucial for organizations aiming to enhance their compliance programs and make informed decisions.
  2. By leveraging data analytics, companies can identify and address ESG risks and opportunities more effectively.
  3. Collaboration and information sharing among companies also play a significant role in improving compliance efforts.


Assessing and Improving Corporate Culture Through the Culture Audit™

I am hugely pleased to announce a dynamic new tool for compliance professionals, the Culture Audit™, which is a software tool designed to help companies evaluate their corporate culture and identify areas for improvement. Developed by Sam Silverstein, founder of the Accountability Institute, the Culture Audit™ allows a compliance professional or any business to assess their corporate culture quickly and efficiently as mandated by the Department of Justice (DOJ). (Full disclosure: I do work for and with Sam Silverstein and the Accountability Institute.)

Beginning with the speech by Deputy Attorney General Lisa Monaco in October 2021, the DOJ recognized the need for companies to assess, manage, monitor and improve their corporate culture. This was memorialized in the 2023 update to the Evaluation of Corporate Compliance Programs (ECCP), announced in January 2023. In the ECCP, the DOJ asks the following questions: How often and how does a company measure a culture of compliance? What are your hiring and incentive structures around compliance? What steps have you taken in response to your measurements of compliance?

All these questions posed by the DOJ lead to the requirement that every company needs to assess its culture, because the DOJ is going to do so in any enforcement action or review. However, it can be done using the same compliance processes currently in place, as culture is just like any other risk. As a risk, it can be assessed. This is why the Culture Audit™ is such a game-changer in compliance, as it provides you a software tool to perform that initial risk assessment. When you have assessed a risk, then you can start to put a risk management strategy in place. With your culture strategy in place, you can train your employees on it and then monitor their performance, determining the results. From there you can improve your culture strategy as needed. But it all starts with a culture assessment, and that’s what the Culture Audit™ allows you to do.

The Culture Audit™ can be set to 20 languages, which makes this the best possible tool, not just for international companies with offices around the world, but also for those in places like South Dakota, where there might be a production facility and there could actually be three or four languages spoken on the production floor. This allows all employees in an organization the opportunity to communicate and to provide vital feedback, and makes this a very powerful tool.

The Culture Audit™ is simple for all employees to use, as a link is provided for use throughout the organization. Moreover, it is an anonymous survey. The Culture Audit™ does not collect any specific Personally Identifiable Information (PII). The Culture Audit™ does not know who is responding, and there is no ability to track back to individual employees. This provides an environment where employees are free to share what they really think about the organization, what they really feel about what’s happening inside their workplace culture.

The Culture Audit™ measures various aspects of a company’s culture, including compliance practices, hiring processes, and employee engagement. It generates a comprehensive report that highlights gaps and provides actionable steps for improvement. The tool is particularly beneficial for global organizations as it supports international language communication.

One key feature of the Culture Audit™ is its emphasis on auditability and transparency. In the event of a regulator’s inquiry, the Culture Audit™ provides a detailed report that can be shared to demonstrate the company’s commitment to assessing and improving its culture. The questions and the results are fully auditable. The raw data collected during the audit is also retained for future reference, allowing organizations to track their progress over time.

One of the key benefits of the Culture Audit™ is its ability to identify areas for improvement and provide actionable insights. The Culture Audit™ report includes an action plan that guides organizations on specific areas to focus on and steps to take for improvement. Silverstein emphasized that all companies should be either improving because they are underperforming or reinforcing what they are already good at. By continuously reinforcing positive aspects of their culture, organizations can prevent a decline over time.

The Culture Audit™ can also be a valuable tool for companies considering acquisitions. By using the tool to assess the culture of a potential target, companies can gain insights into the target’s values, ethics, and decision-making processes. This information can help inform the decision-making process and identify potential risks or areas of alignment.

The Culture Audit™ is a true game-changer in compliance as it provides organizations with a powerful tool to assess and improve their corporate culture. By measuring various aspects of culture, providing actionable insights, and emphasizing auditability and transparency, the Culture Audit™ helps organizations create a positive and productive workplace environment. With the increasing focus on corporate culture by regulators, the Culture Audit™ can also help companies demonstrate their commitment to ethical behavior and compliance. By utilizing this tool, organizations can drive better leadership, improve employee engagement, and ultimately enhance their bottom line.
