Tag: compliance

Categories
Blog

Using a Root Cause Analysis for Remediation

The 2023 ECCP re-emphasized the need for both performing a root cause analysis but equally importantly using it to remediate your compliance program. It stated, “a hallmark of a compliance program that is working effectively in practice is the extent to which a company is able to conduct a thoughtful root cause analysis of misconduct and timely and appropriately remediate to address the root causes.”

It went on to state, what additional steps the company has taken “that demonstrate recognition of the seriousness of the misconduct, acceptance of responsibility for it, and the implementation of measures to reduce the risk of repetition of such misconduct, including measures to identify future risk”).” The following questions were then posed:

Root Cause Analysis—What is the company’s root cause analysis of the misconduct at issue? Were any systemic issues identified? Who in the company was involved in making the analysis?

Prior Weaknesses—What controls failed? If policies or procedures should have prohibited the misconduct, were they effectively implemented, and have functions that had ownership of these policies and procedures been held accountable?

You should begin with the question of who should perform the remediation; should it be an investigator or an investigative team which were a part of the root cause analysis? Jonathan Marks, believes the key is both “independence and objectivity.” It may be that an investigator or investigative team is a subject matter expert and “therefore more qualified to get that particular recourse”. Yet to perform the remediation, the key is to integrate the information developed from the root cause analysis into the solution.

Marks further noted that the company may also have deficiencies in internal controls. More importantly, the failure to remediate gaps in internal controls “provides the opportunity for additional errors or misconduct to occur, and thus could damage the company’s credibility with regulators” by allowing the same or similar conduct to reoccur. Finally, with both the 2023 ECCP and FCPA Corporate Enforcement Policy, the DOJ has added its voice to prior SEC statements that regulators “will focus on what steps the company took upon learning of the misconduct, whether the company immediately stopped the misconduct, and what new and more effective internal controls or procedures the company has adopted or plans to adopt to prevent a recurrence.”

As required under the 2023 ECCP, from the regulatory perspective, the critical element is how did you use the information you developed in the root cause analysis? Every time you see a problem as a CCO, you should perform a root cause analysis. Was something approved or not approved before the untoward event happened? Was any harm was done? Why or why not? Why did that system fail? Was it because the person who is doing the approval was too busy? Was it because people didn’t understand? It is in answering these and other questions which have been developed through a root cause analysis that you can bring real value and real solutions to your compliance programs.

The key is that after you have identified the causes of problems, consider the solutions that can be implemented by developing a logical approach, using data that already exists in the organization. Identify current and future needs for organizational improvement. Your solution should be a repeatable, step-by-step processes, in which one process can confirm the results of another. Focusing on the corrective measures of root causes is more effective than simply treating the symptoms of a problem or event and you will have a much more robust solution in place. This is because the solution(s) are more effective when accomplished through a systematic process with conclusions backed up by evidence.

When you step back and consider what the DOJ was trying to accomplish with its 2023 ECCP, it becomes clear what the DOJ expects from the compliance professional. Consider the structure of your compliance program and how it inter-relates to your company’s risk profile. When you have a compliance failure, use the root cause analysis to think about how each of the structural elements of your compliance program could impact how you manage and deal with that risk.

Categories
Innovation in Compliance

Innovation in Compliance – Dr. Karen Jacobson on Uncovering The Impact of Behavior

Innovation comes in many forms, and compliance professionals need to not only be ready for it but also embrace it. Today, I visited Dr. Karen Jacobson, a renowned expert in organizational leadership and communication.

Dr. Jacobson brings a unique perspective to her work, shaped by her diverse experiences ranging from serving in the military in Israel to running chiropractic offices in New York and Arizona. Dr. Jacobson’s holistic approach to organizational leadership and communication is rooted in her belief that work positioning, repetitive movements, and physical challenges are all interconnected and can impact the overall functioning of an organization. Drawing from her experiences in war, military, healthcare, and even competitive amateur ballroom dancing, she emphasizes the importance of core human connection skills such as conflict reduction, effective communication, and motivation. Her background as a chiropractor also gives her insights into understanding people and their behavior, including habits that affect posture and confidence. Join Tom Fox and Dr. Karen Jacobson on this episode of Innovation in Compliance.

Key Highlights:

  • Understanding behavioral styles is crucial for effective communication in the workplace.
  • Adapting communication for different generations and cultural differences is essential for effective workplace communication.
  • Effective leadership outside the United States requires understanding and respecting different cultures and customs.
  • Understanding personal strengths and leading with them can lead to more effective leadership.

Resources:

Karen Jacobson

Website

LinkedIn

Facebook

Twitter

YouTube

Instagram

 

Tom Fox

Instagram

Facebook

YouTube

Twitter

LinkedIn

For more information on Ethico and a free White Paper on top compliance issues in 2024, click here.

Categories
Blog

What is a Root Cause Analysis?

One of the biggest changes in the 2020 FCPA Resource Guide, 2nd edition, is the addition of a new Hallmark, entitled, Investigation, Analysis, and Remediation of Misconduct, which reads in full:

The truest measure of an effective compliance program is how it responds to misconduct. Accordingly, for a compliance program to be truly effective, it should have a well-functioning and appropriately funded mechanism for the timely and thorough investigations of any allegations or suspicions of misconduct by the company, its employees, or agents. An effective investigations structure will also have an established means of documenting the company’s response, including any disciplinary or remediation measures taken.

In addition to having a mechanism for responding to the specific incident of misconduct, the company’s compliance program should also integrate lessons learned from any misconduct into the company’s policies, training, and controls on a go-forward basis. To do so, a company will need to analyze the root causes of the misconduct to timely and appropriately remediate those causes to prevent future compliance breaches.

There are many interesting aspects to this Hallmark, not the least that it begins with “The truest measure of an effective compliance program is how it responds to misconduct.” This builds upon the language found in the “Confidential Reporting and Internal Investigations Hallmark, which stated, “once an allegation is made, companies should have in place an efficient, reliable, and properly funded process for investigating the allegation and documenting the company’s response,”. Now beyond being properly funded, you must have a “well-functioning mechanism” for the “timely and thorough investigations of any allegations or suspicions of misconduct by the company, its employees, or agents.”

This clearly mandates that once an allegation or even suspicion comes to the attention of compliance, it must be properly triaged, your investigation protocol should kick in with a detailed and effective investigation that is completed in a reasonable time and provide a response to the investigative findings. Moreover, an investigation is not the ending point and should be followed with a robust root cause analysis. This builds upon several sources.

The 2023 ECCP also raised the following questions under “Root Cause Analysis—What is the company’s root cause analysis of the misconduct at issue? Were any systemic issues identified? Who in the company was involved in making the analysis?”

Well known fraud investigator Jonathan Marks, partner at BDO, defined a root cause analysis as “research based approach to identifying the bottom line reason of a problem or an issue; with the root cause, not the proximate cause the root cause representing the source of the problem.” He contrasted this definition with that of a risk assessment which he said “is something performed on a proactive basis based on various facts. A root cause analysis analyzes a problem that (hopefully) was previously identified through a risk assessment.” He went on to note, “Root cause analysis is a tool to help identify not only what and how an event occurred, but also why it happened. When we are able to determine why an event or failure occurred, we can then recommend workable corrective measures that deter future events of the type observed.”

However, there is no one formula for performing a root cause analysis. One protocol, articulated by Health COMPass, advocates a four-step process which includes:

Step 1: Identify possible causal factors. Using the incident(s) to identify causal factors—things that cause or contribute to the compliance failure. It includes asking such questions as:

• What sequence of events leads to the problem?

• What conditions allow the problem to occur? [e.g., traditional values and practices]

• What problems co-exist with the central problem and might contribute to it? [e.g., lack of health facilities]

• Identify as many causal factors as possible. Start with the problem and brainstorm causal factors for that problem by asking “Why?” The root cause analysis team can also ask themselves (based on their own experience) and stakeholders “why” or “so what” questions to identify causal factors.

Step 2: Identify the root cause. To find root causes—the primary sources of the compliance violation—start with the causal factors and ask why. Root causes are seldom found in the most obvious causes. It is important to dig deeper and continue to ask “Why?” until nearly all responses have been exhausted or roots that seem important to address are reached. There are several useful methods for identifying root causes. One is to construct a root cause tree. Start with the problem and brainstorm causal factors for that problem by asking why. Connect them in a logical cause and effect order until arriving at the root of the problem.

Step 3: Identify communication challenges. Now ask which root causes are challenges that compliance can and should address and which are not. Share findings about other root causes with local authorities and leaders or organizations that might be able to address them.

Step 4: Prioritize compliance challenges. If root cause analysis identifies more than one compliance failure, decide which failure to address first. Rank root causes in order, starting with the main cause. To determine rank, consider:

• The potential impact of addressing the compliance failure. The greater the potential impact, the more important it is to address.

• How difficult it will be to reach the audience associated with the compliance failure.

• The mandate attached to the funding.

• If more than one causal factor is linked to the root cause. When a root cause is the source of multiple causal factors, it indicates that addressing the root cause can have far-reaching effects.

Another approach articulated by Marks is the Five Why’s approach. As he explained “Early questions are usually superficial, obvious; the later ones more substantive.” Borrowing from Six Sigma, the folks at iSixSigma.com believe this approach contemplates that “By repeatedly asking the question “Why” (five is a good rule of thumb), you can peel away the layers of symptoms which can lead to the root cause of a problem. Very often the ostensible reason for a problem will lead you to another question. Although this technique is called “Five Whys,” you may find that you will need to ask the question fewer or more times than five before you find the issue related to a problem.”

To use this approach, iSixSigma.com suggests the following protocol. Begin by writing down the specific problem, which assists you to formulate the issue or problem. Then begin asking, “Why?” Ask why the compliance failure occurred write the answer down below the problem. But do not stop there if this first response does not “identify the root cause of the problem that you wrote down in Step 1, ask why again and write that answer down. Loop back to step 3 until the team is in agreement that the problem’s root cause is identified. Again, this may take fewer or more times than five whys.”

Ultimately, performing a root cause analysis is not simply a matter of sitting down and asking a multitude of questions. You need to have an operational understanding of how a business operates and how they have developed their customer base. Overlay the need to understand what makes an effective compliance program, with the skepticism an auditor should bring so that you do not simply accept an answer that is provided to you, as you might in an internal investigation. As Marks noted, “a root cause analysis is not something where you can just go ask the five whys. You need these trained professionals who really understand what they’re doing.”

Categories
31 Days to More Effective Compliance Programs

31 Days to a More Effective Compliance Program: Day 29 – Strategic Considerations for Implementing AI in Compliance

Implementing AI in compliance requires strategic considerations and decision-making. Understanding the impact of AI, maintaining an inventory of tools, considering cost efficiency and risk avoidance, involving all business sectors, and utilizing AI for better data usage are key factors to consider. Balancing exploration and rules, as well as selecting the right AI tools, are challenges that need to be addressed. By carefully navigating these considerations and challenges, companies can leverage AI to enhance their compliance programs and stay ahead in an ever-evolving regulatory landscape.

 Three key takeaways:

1. What are the key factors that impact these strategic considerations for implementing AI in compliance?

2. Compliance professionals need to stay updated with the latest AI developments and trends, which requires continuous learning and keeping abreast of industry news and insights.

3. Understanding the impact of AI, maintaining an inventory of tools, considering cost efficiency and risk avoidance, involving all business sectors, and utilizing AI for better data usage are key factors to consider.

For more information on Ethico and a free White Paper on top compliance issues in 2024, click here.

Categories
Blog

Strategic Considerations for Implementing AI in Compliance

What are some of the strategic considerations for implementing AI in compliance? What are the key factors that impact these strategic considerations for implementing AI in compliance, exploring the tradeoffs, challenges, and importance of considering the impact on decision-making.

The first consideration is understanding the impact of AI on the company. AI can affect a company in various ways, from internal operations to the products or services it sells. It is crucial for compliance professionals, CEOs, and compliance functions to take a high-level perspective and identify all the ways AI can impact their organization.

The second consideration is maintaining an inventory of all tools used. This can be challenging, especially when a company uses a mix of homegrown and commercially available tools. However, understanding the tools being used in different parts of the company is essential for fully comprehending the privacy and regulatory risks involved.

The third consideration is understanding the tools for cost efficiency and risk avoidance. Companies need to evaluate the value and usage of AI tools regularly. This evaluation helps in balancing the necessary provision of tools with rigorous data security and risk minimization practices. It also ensures cost efficiencies by avoiding redundant tools and optimizing their usage.

The fourth consideration is involving all business sectors in AI discussions. AI implementation should not be siloed within compliance or any specific department. It requires collaboration and participation from various stakeholders, including the board, operations, and compliance teams. Bringing everyone together in an AI working group or team allows for a holistic and strategic approach to AI implementation.

The fifth consideration is utilizing AI for better data usage in compliance. AI enables compliance professionals to analyze trends and patterns in data effectively. This goes beyond simple automation and moves towards predictive analytics. By leveraging AI, compliance programs can enhance their effectiveness and stay ahead of potential risks.

While implementing AI in compliance brings numerous benefits, there are tradeoffs and challenges to consider. One tradeoff is the need to balance exploration and innovation with rules and regulations. Companies should encourage employees to explore and experiment with AI tools but within a safe environment and with clear guidelines. This ensures that AI is used to benefit the company without causing harm.

Another challenge is the selection of AI tools. With the rapid pace of AI development, companies must carefully evaluate and choose the right tools. The wrong choice can lead to wasted resources and missed opportunities. It is crucial to consider factors such as reliability, controls, and the ability to retrieve data if needed.

The impact of AI implementation on compliance cannot be underestimated. Compliance professionals need to stay updated with the latest AI developments and trends. This requires continuous learning and keeping abreast of industry news and insights. Subscribing to relevant sources, such as AI-focused publications or news platforms, can help compliance professionals stay informed.

Implementing AI in compliance requires strategic considerations and decision-making. Understanding the impact of AI, maintaining an inventory of tools, considering cost efficiency and risk avoidance, involving all business sectors, and utilizing AI for better data usage are key factors to consider. Balancing exploration and rules, as well as selecting the right AI tools, are challenges that need to be addressed. By carefully navigating these considerations and challenges, companies can leverage AI to enhance their compliance programs and stay ahead in an ever-evolving regulatory landscape.

Categories
31 Days to More Effective Compliance Programs

31 Days to a More Effective Compliance Program – Day 28 – Data-Driven Compliance – From Cutting Edge to Table Stakes

Compliance programs play a crucial role in ensuring that companies adhere to legal and ethical standards. In today’s digital age, where data is abundant and easily accessible, the importance of data-driven compliance programs cannot be overstated. This message was driven home very forcefully in a speech in November by Nicole Argentieri, acting assistant attorney general for the Criminal Division. She stated, “I’d like to now turn to our use of data. In the Criminal Division, we too are going above and beyond in our effort to combat white collar crime. We are not just waiting for companies to self-report, or witnesses to come forward, or for anomalies to reveal themselves on a one-off basis. Let me be the first to tell you that we have proactively used data to generate FCPA cases, and we’ve only just gotten started.”

Data-driven compliance programs have moved from cutting edge and are now seen as best practices. Soon, they will simply be table stakes for companies to effectively manage compliance risks. By actively monitoring and analyzing data, companies can identify potential compliance issues, mitigate risks, and maintain their reputation and integrity. Collaboration between different departments and a formal risk assessment are key factors in establishing a robust compliance program. As technology continues to advance, the role of data analytics and AI in compliance monitoring is expected to become even more significant. It is crucial for compliance professionals to stay informed, continuously learn, and adapt to the evolving landscape of data-driven compliance.

Three key takeaways:

1. Nicole Argentieri, acting assistant attorney general for the Criminal Division, said,  “Let me be the first to tell you that we have proactively used data to generate FCPA cases, and we’ve only just gotten started.”

2. . Compliance professionals must actively analyze the data for trends, anomalies, and potential compliance risks.

3. Data-driven compliance programs have moved from cutting edge and are now seen as best practices. Soon, they will simply be table stakes for companies to effectively manage compliance risks.

For more information on Ethico and a free White Paper on top compliance issues in 2024, click here.

Categories
Blog

Data-Driven Compliance – From Cutting Edge to Table Stakes

Compliance programs play a crucial role in ensuring that companies adhere to legal and ethical standards. In today’s digital age, where data is abundant and easily accessible, the importance of data-driven compliance programs cannot be overstated. This message was driven home very forcefully in a speech in November by Nicole Argentieri, acting assistant attorney general for the Criminal Division. She stated “I’d like to now turn to our use of data. In the Criminal Division, we too are going above and beyond in our effort to combat white collar crime. We are not just waiting for companies to self-report, or witnesses to come forward, or for anomalies to reveal themselves on a one-off basis. Let me be the first to tell you that we have proactively used data to generate FCPA cases, and we’ve only just gotten started.”

Anselmo Guevara, Director, Compliance Monitoring and Analytics at VMware, has emphasized the need for companies to have a compliance program that provides visibility into their data at their fingertips. It is no longer sufficient to simply collect data and have someone review and reconcile it. Compliance professionals must actively analyze the data for trends, anomalies, and potential compliance risks. This proactive approach allows companies to identify and address compliance issues before they escalate.

But as with all new initiatives in compliance, one must emphasize the importance of starting a compliance journey with a formal risk assessment. Guevara suggested collaborating with various departments within the organization, such as accounts payable, receivables, internal audit, and business operations, to understand the risks associated with different processes. This collaborative effort helps identify compliance controls that need to be in place and ensures that the data required for analysis is available.

While low hanging fruit may seem like an attractive starting point, Guevara cautioned against solely focusing on easy wins. He advised against presenting a weak business case to secure budget approval for compliance projects. Instead, he recommended conducting a comprehensive compliance risk assessment to prioritize areas that require immediate attention. This approach ensures that compliance efforts are aligned with your organization’s overall risk management strategy.

Data analytics plays a crucial role in enhancing compliance efforts. By leveraging data analytics tools and techniques, compliance professionals can identify patterns, detect anomalies, and uncover potential compliance risks. However, Guevara highlighted the importance of validating suspicious transactions before raising concerns. It is essential to conduct due diligence and thoroughly investigate any potential issues to maintain financial integrity and credibility.

Data-driven compliance programs have moved from cutting edge and are now seen as best practices. Soon they will simply be table stakes for companies to effectively manage compliance risks. By actively monitoring and analyzing data, companies can identify potential compliance issues, mitigate risks, and maintain their reputation and integrity. Collaboration between different departments and a formal risk assessment are key factors in establishing a robust compliance program. As technology continues to advance, the role of data analytics and AI in compliance monitoring is expected to become even more significant. It is crucial for compliance professionals to stay informed, continuously learn, and adapt to the evolving landscape of data-driven compliance.

Categories
10 For 10

10 For 10: Top Compliance Stories For The Week Ending January 27, 2024

Welcome to 10 For 10, the podcast that brings you the week’s Top 10 compliance stories in one podcast each week. Tom Fox, the Voice of Compliance, brings to you, the compliance professional, the compliance stories you need to be aware of to end your busy week. Sit back, and in 10 minutes, hear about the stories every compliance professional should be aware of from the prior week. Every Saturday, 10 For 10 highlights the most important news, insights, and analysis for the compliance professional, all curated by the Voice of Compliance, Tom Fox. Get your weekly filling of compliance stories with 10 for 10, a podcast produced by the Compliance Podcast Network.

  1. God told Paster to commit cryptofraud.  (NYT)
  2. When fraud starts at the top. (FT)
  3. Shkreli lifetime pharma ban upheld. (Reuters)
  4. China is cracking down on data corruption. (South China Morning Post)
  5. Exxon sues to prevent shareholder climate petitions at Board meetings.  (BBC)
  6. Toughening China’s forced labor import ban is coming. (WSJ)
  7. Gen Z is taking on more part-time jobs. What are the compliance risks? (WaPo)
  8. Binance fights SEC oversight. (Reuters)
  9. The fraud of belts and roads.  (WSJ)
  10. ICBC was fined $32MM by DFS. (WSJ)

For more information on Ethico and a free White Paper on top compliance issues in 2024, click here.

You can check out the Daily Compliance News for four curated compliance and ethics-related stories each day, here.

Connect with Tom 

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
31 Days to More Effective Compliance Programs

31 Days to a More Effective Compliance Program – Day 27 – Compliance Function in an Organization

The role of the compliance professional and the compliance function in a corporation has steadily grown in stature and prestige over the years. When it came to the corporate compliance function, 2020 FCPA Resource Guide, 2nd edition, under the Hallmarks of an Effective Compliance Program, simply noted the government would “consider whether the company devoted adequate staffing and resources to the compliance program given the size, structure, and risk profile of the business.”

This Hallmark was significantly expanded in both the original FCPA Corporate Enforcement Policy and 2023 ECCP. In the FCPA Corporate Enforcement Policy, the DOJ listed the following as factors relating to a corporate compliance function, that it would consider as indicia of an effective compliance and ethics program: 1) the resources the company has dedicated to compliance; 2) the quality and experience of the personnel involved in compliance, such that they can understand and identify the transactions and activities that pose a potential risk; 3) the authority and independence of the compliance function and the availability of compliance expertise to the board; 4) the compensation and promotion of the personnel involved in compliance, in view of their role, responsibilities, performance, and other appropriate factors; and 5) the reporting structure of any compliance personnel employed or contracted by the company.

The 2023 ECCP and 2023 Update to the FCPA Corporate Enforcement Policy both demonstrate the continued evolution in the thinking of the DOJ around the corporate compliance function. Their articulated inquiries can only strengthen a corporate compliance function specifically; and the compliance profession more generally. The more the DOJ talks about the independence of the compliance function, coupled with resources being made available and authority concomitant with the corporate compliance function, the more corporations will see it is directly in their interest to provide the resources, authority and gravitas to compliance position in their organizations.

 Three key takeaways:

1. How is compliance treated in the budget process?

2. Has your compliance function had any decisions over-ridden by senior management?

3. Beware outsourcing of compliance as any such contractor must have access to company documents and personnel.

For more information on Ethico and a free White Paper on top compliance issues in 2024, click here.

Categories
Blog

The Compliance Function in an Organization

The role of the compliance professional and the compliance function in a corporation has steadily grown in stature and prestige over the years. When it came to the corporate compliance function, 2020 FCPA Resource Guide, 2nd edition, under the Hallmarks of an Effective Compliance Program, simply noted the government would “consider whether the company devoted adequate staffing and resources to the compliance program given the size, structure, and risk profile of the business.”

This Hallmark was significantly expanded in both the original FCPA Corporate Enforcement Policy and 2023 ECCP. In the FCPA Corporate Enforcement Policy, the DOJ listed the following as factors relating to a corporate compliance function, that it would consider as indicia of an effective compliance and ethics program: 1) the resources the company has dedicated to compliance; 2) the quality and experience of the personnel involved in compliance, such that they can understand and identify the transactions and activities that pose a potential risk; 3) the authority and independence of the compliance function and the availability of compliance expertise to the board; 4) the compensation and promotion of the personnel involved in compliance, in view of their role, responsibilities, performance, and other appropriate factors; and 5) the reporting structure of any compliance personnel employed or contracted by the company.

Clearly the DOJ is articulating that in an operationalized compliance program, it expects true compliance professionals, who understand the way compliance interacts with and supports the business. Companies must compensate and promote compliance professionals within their organization.

Funding and resources. You will now have to justify your corporate compliance spend. This means at a minimum you will have to meet some general industry standard. If a corporation tries to low-ball both the pay to compliance professionals, as well as the dollar and head count made available to a compliance function, it will not be viewed positively. Also noted in the Evaluation, a company must be prepared to defend any request for compliance resources which are turned down. Budget requests and allocations are always difficult times in any corporation. There is never enough money to go around and most senior management thinks it is their job to slash all budget requests as a simple matter of course. Now such blanket management will be penalized.

If a compliance function is so hampered by resource restrictions it cannot carry out the basic functions needed for a compliance program to operate, it will not find favor under either the Evaluation or the FCPA Corporate Enforcement Policy. If there are compliance projects needed to address basic compliance risks which are not funded because management failed to heed a CCOs or compliance functions budget request, this could be evidence of conscious indifference by senior management.

Role of compliance and empowerment. More than simply throwing money at the compliance function (as if that would ever happen) the DOJ is now inquiring into how the compliance function and its recommendations are treated. If there is business unit over-ride of compliance decisions, there must be an auditable decision trail. This, of course, is anathema to corporate executives who do not want to put themselves at risk.

But more than simply preventing management over-ride, a corporate compliance function has to be empowered by the Board and CEO to intervene in business decisions that implicate the company’s ethics and compliance issues, compliance with business code of ethics, agent/distributor and supplier codes of conduct, training, communication and internal investigations. If a company considers a business decision or practice that implicates the company’s ethical principles, the compliance function must have the internal authority to weigh in and ensure that ethical principles and compliance issues are factored into the business decision.

In the 2023 ECCP, under Section III, Does Your Compliance Program Work in Practice, is the following new language “Independence and Empowerment – Is compensation for employees who are responsible for investigating and adjudicating misconduct structured in a way that ensures the compliance team is empowered to enforce the policies and ethical values of the company? Who determines the compensation, including bonuses, as well as discipline and promotion of compliance personnel or others within the organization that have a role in the disciplinary process generally?”

This is a significant new addition to the ECCP. It forces a company to adequately compensation those employees who investigate and pass judgment on misconduct. But it is more than simply adequate compensation as it also requires a company not to retaliate via low salaries or limited raises or other compensation for doing their jobs as compliance officers. In other words, if the CEO is being investigated by compliance; that same CEO should not be setting or reviewing the salary of the CCO or those doing the investigation. This mandates that the DOJ will review the entire corporate organization on these issues.

Outsourcing of compliance. This area of compliance practice has arisen largely since the articulation of the Hallmarks in the 2020 FCPA Resource Guide, 2nd edition. While this might make sense from a cost perspective, it can be largely problematic if it is not managed properly. Rarely do outsiders have the same access as corporate employees, particularly in a function as important as compliance. Additionally, there will never be the trust level with outsiders there is with someone who wears the same color shirt as the employees. Here a company must not only have a rationale in place, which will largely be cost savings; a company must also have a mechanism in place to assess, on an ongoing basis, any outsourced compliance function. This will be beyond the reach of probably 99% of the companies engaged in such outsourcing.

The 2023 ECCP had further detailed questions to pose:

Structure—Where within the company is the compliance function housed (e.g., within the legal department, under a business function, or as an independent function reporting to the CEO and/or board)? To whom does the compliance function report? Is the compliance function run by a designated chief compliance officer, or another executive within the company, and does that person have other roles within the company? Are compliance personnel dedicated to compliance responsibilities, or do they have other, non-compliance responsibilities within the company? Why has the company chosen the compliance structure it has in place? What are the reasons for the structural choices the company has made?

Seniority and Stature—How does the compliance function compare with other strategic functions in the company in terms of stature, compensation levels, rank/title, reporting line, resources, and access to key decision-makers? What has been the turnover rate for compliance and relevant control function personnel? What role has compliance played in the company’s strategic and operational decisions? How has the company responded to specific instances where compliance raised concerns? Have there been transactions or deals that were stopped, modified, or further scrutinized as a result of compliance concerns?

Experience and Qualifications—Do compliance and control personnel have the appropriate experience and qualifications for their roles and responsibilities? Has the level of experience and qualifications in these roles changed over time? How does the company invest in further training and development of the compliance and other control personnel? Who reviews the performance of the compliance function and what is the review process?

Funding and Resources—Has there been sufficient staffing for compliance personnel to effectively audit, document, analyze, and act on the results of the compliance efforts? Has the company allocated sufficient funds for the same? Have there been times when requests for resources by compliance and control functions have been denied, and if so, on what grounds?

Data Resources and Access—Do compliance and control personnel have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls, and transactions? Do any impediments exist that limit access to relevant sources of data and, if so, what is the company doing to address the impediments?

Autonomy—Do the compliance and relevant control functions have direct reporting lines to anyone on the board of directors and/or audit committee? How often do they meet with directors? Are members of the senior management present for these meetings? How does the company ensure the independence of the compliance and control personnel?

The 2023 ECCP and 2023 Update to the FCPA Corporate Enforcement Policy both demonstrate the continued evolution in the thinking of the DOJ around the corporate compliance function. Their articulated inquiries can only strengthen a corporate compliance function specifically; and the compliance profession more generally. The more the DOJ talks about the independence of the compliance function, coupled with resources being made available and authority concomitant with the corporate compliance function, the more corporations will see it is directly in their interest to provide the resources, authority and gravitas to compliance position in their organizations.