Recently, Assistant Attorney General Kenneth A. Polite Jr. gave a speech during Compliance Week detailing how the DOJ evaluates corporate compliance programs. The purpose of clearly articulating these expectations in detail is to “ensure that companies design and implement effective compliance systems and controls, create a culture of compliance, and promote ethical values,” says Polite.
In this article, we summarize what compliance professionals need to know to ensure their programs comply with DOJ guidelines. To begin, Polite outlines three key DOJ expectations for compliance programs:
- That compliance programs are well designed
- They have adequate resources and are empowered to operate effectively
- Compliance programs work in practice
Polite explains very clearly how compliance programs should be designed and what the DOJ expects from organizations to meet this standard.
“First, when we say we expect a company’s compliance program to be well-designed, we look closely at the company’s risk assessment process and the development of a program tailored to the management of its specific risk profile. We want to see if the company has policies and procedures in place designed to address the key areas of risk identified in its risk assessments, and if these policies and procedures are easily accessible and understandable to employees and business partners of the company. We want to know how the company trains employees, management and third parties on the risk areas and responsibilities applicable to these individuals. Policies, training, and other processes should address relevant high-risk elements of the company’s business model, such as third-party relationships or mergers and acquisitions. We want to ensure that the company has a process in place for reporting violations of law or company policy that encourages employees to speak up without fear of retaliation, and that such reports are taken seriously, properly documented, investigated and, if substantiated, corrected.”
Polite draws on his experience as a compliance manager and discusses some of the common challenges you may also face.
“I know the resource challenges. The difficulties you encounter in accessing the data. Relationship challenges. The compartmentalization of your function. You are called to be a source of information, an enforcer of law and policy, and somewhat the main architect of your company’s ethical culture,” says Polite.
Compliance officers facing resource allocation issues may want to refer to Polite’s advice on how the DOJ defines “adequate resources.”
“When assessing whether a compliance program is adequately resourced and empowered to operate effectively, we want to know more than dollars, headcount and reporting lines. We will review the qualifications and expertise of key personnel in compliance and other gatekeeper roles. We want to know if compliance officers have adequate access and engagement with the company, management and the board. We seek to understand if and how a company has taken steps to ensure compliance has adequate stature within the company and is promoted as a resource. A company’s commitment to promoting compliance and ethical values at all levels, from the CEO down to middle and lower management, is essential.”
A well-designed compliance program is one that is embedded in the culture of the company, used by employees at all levels and, to reiterate the point above, with sufficient resources and empowered leaders.
“We want to see evidence that the compliance program is working in practice. We review whether the company continually tests the effectiveness of its compliance program, and improves and updates the program to ensure it is sustainable and adapts to changing risks. We want to know that a company can identify compliance gaps or violations of policy or law. Equally important, we want to see how the company addresses the root causes of these deficiencies or violations and finds ways to improve its controls and prevent the recurrence of problems. We want to see examples of compliance success stories: disciplining bad behavior, rewarding positive behavior, transactions that have been rejected due to compliance risk, positive trends in whistleblower reporting, and partnerships that developed between compliance officers and the business. We are also interested in how a company measures and tests its culture – at all seniority levels and throughout its operations – and how it uses data from these tests to embed and continually improve its ethical culture,” Polite says.
Polite also adds that “if and how the company responds to past misconduct demonstrates its commitment to compliance and an ethical culture. Companies that have effectively deployed capabilities to conduct independent monitoring and testing of all elements of their compliance program, not just their financial controls…”.
“We prefer not to hear a ‘check-the-box’ presentation from outside counsel. We love seeing the compliance manager leading the compliance presentation and demonstrating knowledge and ownership of the compliance program. Not for show, but because we want to empower these teams,” says Polite.
He goes on to say, “Other senior managers should also participate, taking ownership of their role in the compliance program and demonstrating their commitment to compliance. Based on what we learn about the company’s compliance program, we determine whether an independent compliance monitor should be required.”
“We believe that surveillances are effective tools to strengthen corporate compliance programs in companies where there were compliance weaknesses that led to criminal behavior. Monitors can be allies of compliance officers by making recommendations that create lasting, long-lasting change in corporate culture,” says Polite.
The DOJ plans to mandate independent compliance monitors, where appropriate, to convince prosecutors that programs meet compliance and disclosure obligations for non-trial resolution. In these cases, they follow Criminal Division screening procedures to ensure applicants are well-qualified with “extensive compliance experience,” and they demonstrate diversity in experience and background.
Polite also says that even when a compliance monitor isn’t deemed necessary, there’s still work to be done. “When we determine that a monitor is not necessary, it does not mean that the company’s obligations to continue to test, improve and demonstrate the effectiveness of its compliance program end when the resolution is written. Businesses without a monitor are still required to comply with ongoing obligations and report to the Department on the status of compliance obligations.”
Because compliance programs typically don’t provide an immediate return on investment, decision makers in some organizations may be reluctant to go all out to invest in and mature the E&C function. This is, unequivocally, a risky business decision. As Polite makes clear, “We hold companies accountable for failing to meet their obligations under our corporate resolutions, including obligations to implement an effective compliance program, cooperate or report allegations of misconduct.”
If you’re struggling to gain momentum, this poignant statement can provide clarity for those blocking the path to funding and maturing the program:
“Our message is clear: companies that invest seriously in improving their compliance programs and their internal controls will be better perceived by the Ministry. Support your compliance team now or pay later.”
Polite adds that this declaration is “a new tool in your arsenal to combat these challenges. This is the type of resource that compliance officers, myself included, have been looking for for some time, as it makes it clear that you should and must have an appropriate stature in corporate decision-making. It is intended to enable our compliance professionals to have the data, access and voice within the organization to ensure you and us that your business has an ethical and conformity.”
Whether starting out or looking to strengthen and mature your organization’s compliance program, there is plenty of ammunition demonstrating the importance and value of strong E&C programs. Compliance leaders must feel empowered to champion the resources and autonomy needed to improve the health and culture of their organizations through the E&C programs they lead.
The full transcript of Polite’s remarks can be found here. NAVEX is also pleased to offer tools and resources to help support your organization’s ethics and compliance journey.
See the original article on Risk & Compliance Matters