Categories
Blog

2024 ECCP – Embracing Continuous Improvement

In her recent speech at the Society of Corporate Compliance and Ethics 23rd Annual Compliance & Ethics Institute, Principal Deputy Assistant Attorney General Nicole M. Argentieri discussed the Evaluation of Corporate Compliance Programs (2024 ECCP). (A copy of her remarks can be found here.) Today, I want to consider her remarks and the 2024 ECCP on continuous improvement.

Continuous Improvement: A Foundational Pillar

The ability to adapt and evolve is at the heart of any successful compliance program. Deputy Attorney General Lanny Breuer said that in 2009, and it is still true today. Continuous improvement ensures compliance programs remain agile and responsive to internal and external pressures. The DOJ’s 2024 ECCP clarified that there is no one-size-fits-all approach to compliance. Instead, companies must tailor their programs to reflect their specific risk profiles, industries, and operational footprints. The three key questions the DOJ asks when evaluating a company’s compliance program are pivotal:

  1. Is the program well-designed?
  2. Is it applied in good faith and adequately resourced?
  3. Does it work in practice?

The answers to these questions must evolve as the company grows, its risk environment changes, and new technologies or regulatory frameworks emerge. In other words, continuous improvement should be ingrained in the DNA of the compliance function.

Focus on Emerging Risks and Technology

A critical aspect of the 2024 ECCP update is its emphasis on emerging risks, particularly those related to artificial intelligence (AI) and other disruptive technologies. The DOJ has clarified that prosecutors will closely examine how companies assess and mitigate risks associated with AI and technology-enabled schemes. In an age where AI is increasingly used in business operations, compliance professionals must ensure that their companies are leveraging these technologies ethically and implementing robust controls to monitor for potential misuse.

For instance, as AI systems are deployed in decision-making processes—such as approving financial transactions or conducting due diligence—companies must have mechanisms to validate AI-generated data’s accuracy and reliability. This includes periodic testing, ongoing monitoring, and ensuring that human oversight remains an integral part of the compliance process.

Moreover, continuous improvement in this area involves staying ahead of technological trends. Compliance professionals must regularly update risk assessments for new technological developments, ensuring their controls and policies remain relevant. The ability to proactively manage these emerging risks is a hallmark of a forward-thinking compliance program.

Encouraging a Speak-Up Culture

Another critical update to the ECCP addresses the importance of fostering a “speak-up” culture within organizations. The DOJ’s increased scrutiny of whistleblower protections underscores the need for companies to encourage internal reporting of misconduct without fear of retaliation. Compliance programs must be designed to detect wrongdoing and provide employees with the tools and confidence to report issues when they arise.

Continuous improvement in this area means regularly testing and refining internal reporting mechanisms. Companies should ask themselves: Are our employees aware of how to report misconduct? Do they trust the process? Are we doing enough to protect whistleblowers? The ECCP now explicitly evaluates whether companies have anti-retaliation policies and whether they promote a culture encouraging employees to come forward.

It is also worth noting that companies can earn significant benefits by prioritizing internal reporting. Under the DOJ’s whistleblower pilot program, companies that receive an internal report and then self-disclose misconduct to the DOJ within 120 days can qualify for a presumption of a declination of prosecution. This sends a powerful message that promoting a speak-up culture is the right thing to do and strategically advantageous.

Leveraging Data for Compliance Effectiveness

The 2024 ECCP also strongly emphasizes the role of data in compliance programs. Companies are expected to use data to identify misconduct and assess the effectiveness of their compliance programs. Compliance professionals must ensure adequate access to relevant data sources and the resources to analyze that data effectively.

Continuous improvement in data management involves regularly auditing the sources and quality of data used in the compliance program. Are compliance personnel receiving timely and relevant data? Are there gaps in data collection that could hinder the detection of misconduct? By addressing these questions and implementing the necessary improvements, companies can ensure that their compliance programs function efficiently.

The Power of Adaptation

One of the most insightful aspects of the 2024 ECCP is its focus on learning from past mistakes—whether those mistakes occurred within the company or elsewhere in the industry. The DOJ encourages companies to conduct thorough root cause analyses after incidents of misconduct, using those insights to inform and improve compliance policies and procedures.

Incorporating lessons learned into a compliance program is key to continuous improvement. Companies should routinely review their own experiences and external enforcement actions to identify weaknesses and strengthen their controls. For example, a company that uncovers a gap in its third-party due diligence process should take immediate action to address it and prevent similar issues.

Compensation and Clawbacks: A Shift Toward Accountability

Finally, the DOJ’s Compensation Incentives and Clawbacks Pilot Program is another area where continuous improvement can drive compliance excellence. By aligning compensation structures with ethical behavior, companies can incentivize employees to prioritize compliance. The DOJ now requires that compensation systems include criteria for promoting compliance and deterring misconduct, and early indications suggest that this positively impacts corporate behavior.

Continuous improvement in this area means regularly assessing whether the metrics used to evaluate employee performance are aligned with compliance objectives. Companies should also ensure that their compensation structures provide clear consequences for misconduct, such as clawing back bonuses or withholding future compensation from culpable employees.

In 2024 and as we move to 2025, continuous improvement is not a luxury but a necessity. Compliance professionals must remain vigilant, regularly evaluating and updating their programs to address new risks, leverage emerging technologies, and promote a strong culture of ethics. The DOJ’s 2024 ECCP provides a roadmap for how companies can achieve these goals, but the responsibility ultimately falls on compliance professionals to ensure that their programs are well-designed and effective in practice.

As we progress, the key to success lies in our ability to embrace continuous improvement. We must make the necessary investments in compliance to prevent, detect, and remediate misconduct. By doing so, we protect our organizations from legal and financial risk and foster a corporate culture that values integrity and ethical leadership.

Categories
Compliance Tip of the Day

Compliance Tip of the Day: Embracing Continuous Improvement in Compliance Programs

Welcome to “Compliance Tip of the Day,” the podcast where we bring you daily insights and practical advice on navigating the ever-evolving landscape of compliance and regulatory requirements.

Whether you’re a seasoned compliance professional or just starting your journey, our aim is to provide you with bite-sized, actionable tips to help you stay on top of your compliance game.

Join us as we explore the latest industry trends, share best practices, and demystify complex compliance issues to keep your organization on the right side of the law.

Tune in daily for your dose of compliance wisdom, and let’s make compliance a little less daunting, one tip at a time.

Today, we explore why the DOJ’s emphasis on continuous improvement in compliance programs is a call to action for all of us.

Categories
Blog

Lessons on Ongoing Monitoring and Continuous Improvement from Star Trek: Spectre of the Gun

Last month, I wrote a blog post on the tone at the top, as exemplified in the Star Trek: The Original Series episode Devil in the Dark. Based on the response, there are some passionate Star Trek fans out there. I decided to write a series of blog posts exploring Star Trek: The Original Series episodes as guides to the Hallmarks of an Effective Compliance Program laid out by the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) in the FCPA Resources Guide, 2nd edition. Today, I continue this two-week series with lessons on ongoing monitoring and continuous improvement from the episode Spectre of the Gun, which provides a compelling narrative for exploring these concepts within a best practices compliance program.

In “Spectre of the Gun,” Captain Kirk and his crew are sent to make contact with the Melkotians, a reclusive alien species. Despite a warning buoy advising them to leave, the crew presses forward, and as a result, the Melkotians transport them into a surreal, incomplete version of the American Wild West. The crew finds themselves in a reenactment of the infamous Gunfight at the O.K. Corral, with Kirk, Spock, McCoy, Scotty, and Chekov cast as the doomed Clanton gang. The situation forces the crew to adapt rapidly, relying on their ingenuity and continuous assessment of their circumstances to survive. This scenario provides valuable lessons for compliance professionals on monitoring and constant improvement.

Lesson 1. Ongoing Monitoring and Continuous Assessment

In the Melkotian scenario, the Enterprise crew must continuously assess their environment to understand its limitations and potential dangers. The partial nature of the setting indicates that their perceptions can influence outcomes, requiring constant vigilance and situational awareness.

Continuous assessment is crucial for effective compliance programs. Organizations must be keenly aware of their regulatory environment and internal operations to identify potential risks and changes affecting compliance. This involves regular audits, risk assessments, and monitoring of key performance indicators to detect issues early. By maintaining situational awareness, compliance teams can proactively address emerging risks and ensure adherence to policies and regulations.

Lesson 2. Adapting Strategies Based on Feedback

Throughout the episode, the crew receives feedback from their interactions within the environment, leading them to adjust their strategies. Spock’s logical deductions and Kirk’s leadership guide the crew in adapting their actions to overcome the perceived threat.

Adaptability and flexibility are essential components of continuous improvement in compliance programs. Organizations should encourage a culture where feedback is sought and used to refine compliance strategies and controls. Implementing regular reviews and updates to compliance policies based on feedback and lessons learned ensures that the program remains effective and responsive to changes. Continuous improvement processes, such as after-action reviews and root cause analyses, enable organizations to refine their approaches and enhance compliance outcomes.

Lesson 3. Leveraging Expertise and Collaboration

The crew relies on Spock’s logical analysis and each member’s unique skills to navigate the challenges of the scenario. Their ability to collaborate and leverage individual strengths is key to their survival.

Effective compliance programs rely on the expertise and collaboration of diverse teams. Organizations should foster cross-functional collaboration, bringing together individuals from different departments to address compliance challenges comprehensively. Leveraging expertise from legal, risk management, operations, and other areas enhances the organization’s ability to monitor compliance effectively and implement improvements. Encouraging open communication and teamwork ensures that diverse perspectives contribute to developing robust compliance solutions.

Lesson 4. Proactive Problem-Solving and Innovation

The crew’s success in the scenario depends on their ability to innovate and develop creative solutions to their challenges. Spock realizes that the bullets are not real, and the crew’s collective belief in this fact allows them to avoid harm.

Proactive problem-solving and innovation are critical for continuous improvement in compliance programs. Organizations should encourage employees to think creatively and explore innovative solutions to compliance challenges. This involves fostering a culture that supports experimentation and learning from successes and failures. By empowering employees to propose and test new approaches, organizations can continuously enhance their compliance programs and remain agile in the face of change.

Lesson 5. Staying Vigilant

In the episode, the Enterprise crew is transported to an alternate reality where they must participate in a deadly reenactment of the O.K. Corral shootout. The crew must constantly adapt their strategies and tactics as the scenario changes. Similarly, compliance professionals need to remain vigilant and be prepared to adjust their compliance programs to address evolving risks, regulations, and business environments. Compliance professionals should take a comprehensive approach, conducting holistic risk assessments that consider obvious and obscure compliance risks across the organization.

As the crew faces new challenges in the alternate reality, they must quickly learn from their experiences and refine their strategies. Compliance professionals should similarly adopt an iterative approach to improving their programs, constantly evaluating their effectiveness and making adjustments as needed. By drawing these parallels between the lessons from “Spectre of the Gun” and the practices of effective compliance management, compliance professionals can strengthen their programs and foster a culture of continuous improvement within their organizations.

Spectre of the Gun provides valuable insights into the compliance concepts of ongoing monitoring and continuous improvement. The episode highlights the importance of constant assessment, adaptability, collaboration, and proactive problem-solving in navigating complex and dynamic challenges. For compliance professionals, the key takeaway is the need to establish robust monitoring systems, encourage adaptability and innovation, and foster a culture of collaboration and continuous improvement. By applying these principles, organizations can enhance compliance programs, effectively manage risks, and achieve sustainable success in an ever-evolving regulatory landscape. Just as the Enterprise crew adapted to and overcame the challenges presented by the Melkotians, compliance professionals must remain vigilant and proactive in navigating the complexities of modern compliance environments.

Join us tomorrow as we consider the lessons on mergers and acquisitions from the Star Trek episode The Ultimate Computer.

Categories
Blog

Transforming Culture: Part 5 – Ongoing Monitoring and Continuous Improvement of Culture

Boeing is not the first company to find itself amid a massive scandal. You can think of Siemens’ bribery and corruption scandal, the VW emissions-testing scandal, the Wells Fargo fraudulent accounts scandal, or any of a myriad of other corporate scandals where culture failed and became toxic. The question for any organization in such a situation is how to transform its culture. Currently running on the Culture Crafters podcast on the Compliance Podcast Network is a 5-part podcast series with myself and Sam Silverstein, the most trusted voice in America on accountability. (The Culture Audit™ is the sponsor of this blog post series.)

In this companion, 5-part blog post series, we have looked at how a company in the depths of such a toxic culture can begin to make a comeback by planning and taking concrete steps to turn around and rebuild its culture. In this concluding Part 5, we show why you must not simply stop after implementation but must monitor your culture continuously and work to improve it continuously. It is an ongoing work in progress, and you can always continue working on your corporate culture.

Ongoing monitoring is not something compliance professionals are unaware of or have never heard about. This concept must be used in your culture management strategy as well. You must continuously assess how your culture management strategy is doing. This is one of the powerful outcomes of The Culture Audit™. Not only have you created a baseline of where your culture is at any point in time, but through ongoing use of the Culture Audit, you can measure your specific indices of culture on a go-forward or ongoing basis. You can then continually work to update as appropriate. If your organization needs greater trust, you can put further work into this through your speak-up culture.

Creating an organization’s speak-up culture is essential for fostering open communication, transparency, and employee trust. Such a culture encourages individuals to raise concerns, flag potential issues, and contribute to a safer and more accountable work environment. By prioritizing a speak-up culture, companies can proactively address challenges, prevent safety risks, and promote a culture of continuous improvement.

The significance of a speak-up culture must be balanced as a critical factor in ensuring organizational success and psychological safety. Silverstein emphasized the need for employees to feel safe, valued, and empowered to voice their opinions without fear of reprisal. He highlighted the role of trust and psychological safety in enabling individuals to speak up, noting that a culture that supports open communication leads to better decision-making processes and overall performance. The insights shared underscored the pivotal role of a speak-up culture in shaping a positive and proactive organizational environment.

Accountability in leadership is fundamental in setting the tone for organizational culture and fostering a sense of responsibility and integrity among team members. Leaders who demonstrate accountability model desired behaviors and create a culture where individuals take ownership of their actions and outcomes. By holding themselves and others accountable for their commitments and decisions, leaders cultivate a culture of trust, respect, and ethical conduct.

Leadership will always have a transformative impact on organizational dynamics. Emphasizing that accountability is a way of life rather than a mere task demonstrates leaders’ profound influence in shaping the values and norms within their teams. There must be consistency and fairness in holding individuals accountable. Leaders play a pivotal role in setting expectations and driving cultural change. The discussion underscores the critical role of leadership accountability in fostering a culture of integrity and excellence within organizations.

Changing organizational culture is a complex and multifaceted endeavor that requires a deliberate and strategic approach. Organizations seeking to shift their culture must assess the existing norms, values, and behaviors that shape their environment. By identifying areas for improvement and aligning cultural practices with desired outcomes, companies can embark on a journey of cultural transformation that enhances employee engagement, performance, and overall organizational success.

Companies can initiate meaningful change by defining and measuring the current culture, investing in training and education, and holding individuals accountable for upholding cultural values. You must align cultural initiatives with business objectives and ensure that cultural transformation efforts are embedded in every aspect of the organization. Organizations face challenges and opportunities when navigating cultural change, highlighting the critical role of leadership in driving lasting transformation.

The discussion of leadership’s crucial role in shaping organizational culture provided valuable insights into the steps leaders can take to create a positive and thriving workplace environment. By prioritizing values, fostering open discussions about culture, and making data-driven decisions, organizations can pave the way for long-term success and employee well-being.

Categories
Blog

Sustaining Culture: Continually Improve Company Culture

What’s measured is treasured. If it is important, you want to know what is going on and improve on it. And it’s data; it’s factual. And so right away, we know what to do, and we can see the improvements we’re making because we can measure and improve them. Sam Silverstein.

I am in the middle of premiering a new podcast series, Culture Crafters, on the Compliance Podcast Network. In this series, together with Sam Silverstein, we are taking a deep dive into corporate culture: how to measure it, assess it, monitor it, and improve it. Through this exploration, we have uncovered the surprising truth behind sustained success in company culture. We have taken a deep dive into maintaining a high-performing culture that attracts and retains top talent. We have discussed the often overlooked strategy that propels companies to celebrate every win, big or small, and compound their growth year after year. Today, we continue our journey by considering why you should continuously audit and assess your culture to improve it.

Achieving and sustaining a great culture within organizations is foundational to long-term success. It involves creating an environment where individuals feel valued and motivated to contribute meaningfully towards shared goals. This process starts with leadership setting the tone by exemplifying behaviors prioritizing people’s well-being and professional growth. Leaders can inspire employees to engage fully and commit to the organization’s vision by fostering a culture of trust, respect, and open communication. Consistently reinforcing core values and recognizing contributions are key components in nurturing a positive culture that endures challenges and fosters innovation.

Regular culture audits are essential for organizations seeking to understand and improve their cultural dynamics. These assessments provide a baseline for measuring progress and identifying areas for growth. By gathering data on employee perceptions, engagement levels, and alignment with organizational values, companies can pinpoint strengths and weaknesses within their culture. This information allows leaders to tailor interventions, policies, and initiatives that align with the organization’s desired cultural outcomes.

Moreover, ongoing assessments enable organizations to adapt to changing circumstances and ensure that the culture remains aligned with evolving goals and external influences. Sam Silverstein’s discussion on culture audits highlights the value of using data-driven insights to inform decision-making and drive cultural improvements. He stresses the importance of combining qualitative feedback with quantitative metrics to understand the organization’s culture comprehensively.

By being transparent about assessment results, leaders can foster a culture of accountability and continuous improvement. Sam’s emphasis on the iterative nature of culture assessments underscores the need for organizations to view cultural dynamics as dynamic and evolving. The conversation underscores that continual assessment is not merely a one-time exercise but a strategic tool for maintaining a healthy and adaptive culture over time. You should develop a plan to assess and regularly improve your culture.

  • Culture Audit: Develop a culture audit to assess the current state of your company’s culture. This can help identify areas for improvement and set a baseline for future assessments.
  • Documentation: Document your culture assessment findings and improvement plans. Utilize tools to create and maintain detailed records of your culture assessment and improvement initiatives.
  • Regular Assessment: Implement a schedule for culture assessments, such as quarterly or bi-annually. Use tools to gather feedback and measure progress over time.
  • Celebrate: Incorporate a culture of celebration within your organization. This can include employee recognition programs, town hall meetings, or even small gestures like personalized notes or tokens of appreciation.
  • Continuous Improvement: Based on the results of your culture assessments, develop a plan for continuous improvement. Use project management tools like Asana, Trello, or Monday.com to track and execute improvement initiatives, ensuring that progress is ongoing and continuous.

The bottom line is that authentic leadership plays a pivotal role in shaping a thriving culture. Compliance professionals and business leaders go beyond superficial gestures and genuinely prioritize the well-being of their teams. Leaders can create a culture where individuals feel respected and valued by demonstrating care and investment in employees’ development. Key traits include actively listening to employee feedback, providing growth opportunities, and demonstrating ethical decision-making. Ultimately, the conversation reveals that sustained success in company culture hinges on leaders’ commitment to prioritizing people and consistently reinforcing a positive work environment.

Categories
Compliance Tip of the Day

Compliance Tip of the Day: Continually Evolving Compliance

In this episode, we consider how your compliance program should continually evolve, from your Code of Conduct to Risk Assessment to Continuous Improvement, all in a process-oriented, documented approach.

Categories
31 Days to More Effective Compliance Programs

31 Days to a More Effective Compliance Program: Day 9 – Continuous Monitoring and Continuous Improvement

Continuous monitoring and continuous improvement are two of the most important phrases for any compliance program. These twin concepts were further enshrined in the 2023 Update to the Evaluation of Corporate Compliance Programs (2023 ECCP). In 2023, all companies’ risks changed as we moved from Working From Home to Return To Office and, now, a hybrid model. In addition to this straightforward change in risk due to working locations, new risks in the form of geopolitical, supply chain, and export control, as well as increased risk due to social media, continue to impact compliance programs. Your compliance program must be ready to respond to whatever those risks might be going forward.

Continuous improvement runs the gamut in a best practices compliance program, from risk assessments to policies and procedures to periodic testing and review.

Three key takeaways:

1. How have your company’s risks changed over the past year, and how will they change in 2024?

2. What is your process for continuous monitoring and improvement?

3. What sources of information do you use that come from outside your organization?

Categories
Innovation in Compliance

Unlocking Success: The Crucial Role of Culture in Compliance: Part 5 – Alexander Cotoia on the Continuous Improvement of Culture

Welcome to a special series on building a stronger culture of compliance through targeted and effective training sponsored by Diligent. I will visit with Yvette Hollingsworth-Clark, Viktor Culjak, Jessica Czeczuga, Michael Parker, and Alexander Cotoia in this series. Over this series, we will consider what culture is, how to assess culture, putting together a strategy to manage culture based upon this assessment, monitoring that strategy in the future, and using information from your monitoring to improve your culture continuously. In this concluding Part 5, we visit with Alexander Cotoia to discuss a strategy to constantly enhance your compliance program in the future.

Alexander Cotoia, a regulatory compliance manager and consultant at the Volkov Law Group, has a rich background in commercial litigation and has spent a significant part of his career in an in-house role at Virgin Galactic. Alexander strongly emphasizes the importance of compliance culture in organizations, believing that a culture promoting compliant behavior reduces the likelihood of ethical lapses or legal violations. He argues that creating a culture of compliance is not only ethically sound but also makes good business sense in today’s era, where consumers are well-informed and employees prioritize alignment with organizational values. Alexander suggests that organizations should reinforce their values and highlight the economic benefits of compliance to gain employee buy-in and engagement, emphasizing the need for continuous improvement, conducting root cause analysis, and involving various stakeholders to address cultural issues effectively. Join Tom Fox and Alexander Cotoia as they dive deep into how to continuously improve your compliance program in this episode of the Unlocking Success: The Crucial Role of Culture in Compliance Best Practices podcast.

Key Highlights: 

  • Cultivating CEO Involvement for Compliance Success
  • Improving Corporate Culture through Effective Monitoring
  • Cultivating Compliance Culture through Stakeholder Collaboration

Ready for Purpose-Driven Compliance? Diligent equips leaders with the tools to build, monitor, and maintain an open, transparent ethics and compliance culture. For more information and to book a demo, visit Diligent.com.

Categories
31 Days to More Effective Compliance Programs

Day 21 – Continuous Improvement in a Compliance Program

The 2020 Update was clear about the need for continuous improvement in any compliance program. It succinctly stated, “One hallmark of an effective compliance program is its capacity to improve and evolve. Implementing controls in practice will necessarily reveal areas of risk and potential adjustment. A company’s business changes over time, as do the environments in which it operates, the nature of its customers, the laws that govern its actions, and the applicable industry standards. Accordingly, prosecutors should consider whether the company has engaged in meaningful efforts to review its compliance program and ensure it is not stale.”

Continuous improvement through monitoring or similar techniques will help keep your compliance program abreast of any changes in your business model’s compliance risks and allow growth based on new and updated best practices specified by regulators. A compliance program is, in many ways, a continuously evolving organism, just as your company is. It would be best to build a way to keep pace with the market and regulatory changes to have a truly effective anti-corruption compliance program.

Three key takeaways:

  1. Your compliance program should be continually evolving.
  2. Monitoring and auditing are different yet complementary tools for continuous improvement.
  3. Cultural assessment and monitoring are now required as well.

Categories
31 Days to More Effective Compliance Programs

Day 2 – Continuous Monitoring and Continuous Improvement

Continuous monitoring and improvement are two of the most important phrases for any compliance program. These twin concepts were perhaps the biggest modifications in the 2020 Update to the Evaluation of Corporate Compliance Programs. In 2021 and 2022, all companies’ risks changed as we moved from Working From Home to Return To Office and now a hybrid work model. Of course, the Great Resignation has also played a part. These changes in our basic work location drove home perhaps the most prescient comment I heard during the pandemic, which was by Jed Gardner, who said, “We have moved from disaster recovery to business continuity to business as usual.” This means that risks will change in ways you may not see at speeds you do not anticipate. Your compliance program must be ready to respond to whatever those risks might be going forward.

In the 2020 Update, the DOJ began to address this from the compliance program perspective with several questions. “Is the risk assessment current and subject to periodic review? Is the periodic review limited to a “snapshot” in time or based upon continuous access to operational data and information across functions? Has the periodic review led to updates in policies, procedures, and controls? Do these updates account for risks discovered through misconduct or other problems with the compliance program?”

The next area for continuous monitoring and improvement was an area of compliance that is not normally associated with those concepts: Policies and Procedures. Here, questions included “When was the last time your policies and procedures were updated? Perhaps more importantly, under the 2020 Update, what was your process for doing so? Was there any rigor around your process? Did that rigor include incorporating information and data collected through continuous monitoring, real-time monitoring, or continuous access to operational data and information across functions?”

The final area in the 2020 Update for consideration is called Continuous Improvement, Periodic Testing, and Review. The questions included the following: “How often has the company updated its risk assessments and reviewed its compliance policies, procedures, and practices? Has the company undertaken a gap analysis to determine if particular risk areas are not sufficiently addressed in its policies, controls, or training? What steps has the company taken to determine whether policies/procedures/practices make sense for particular business segments/subsidiaries? Does the company review and adapt its compliance program based on lessons learned from its misconduct and/or other companies facing similar risks?”

Three key takeaways:

1. How have your company’s risks changed over the past year?
2. What is your process for continuous monitoring and improvement?
3. What sources of information do you use that come from outside your organization?