Forgive me for dedicating a posting to this topic, since I have a vested interest in this topic. I have conducted a number of Anti-Corruption Compliance Program Assessments. I am a strong advocate for conducting such assessments. My belief has nothing to do with compliance with the Sentencing Guidelines or the DOJ/SEC FCPA Resource Guide, which include specific directives to businesses to conduct such assessments. Instead, I advise clients to conduct such assessments as a valuable tool to prioritize their efforts to build and sustain an “effective” anti-corruption compliance program.
The government has made it abundantly clear – in words and in actions – that companies which maintain an “effective” anti-corruption compliance program will benefit from such a program in the event of a violation. DOJ and the SEC deserve credit for their policies which carefully reward companies which maintain (or are committed to trying to maintain) an “effective” anti-corruption compliance program.
Even more important, DOJ and SEC deserve credit for describing in significant detail the elements of an “effective” compliance program as described in their FCPA Guidance. I continue to find the FCPA Resource Guide to be a comprehensive and well drafted document which provides ample guidance to companies seeking to comply with the law. I am well aware of critics who suggest that the FCPA Resource Guide is somehow incomplete or not much of a game changer. Their words are hollow and lack credibility because the FCPA Resource Guide is an unprecedented statement by two enforcement agencies on compliance with the FCPA.
In this environment, I have worked with a number of companies to assess the overall performance of their anti-corruption compliance program. Such an assessment provides a very important picture from the 64,000-foot level (or ivory tower, if you prefer) and a detailed review of certain policies and procedures (e.g. due diligence of third parties or gift policies). The perspective is unique and inevitably results in a focused and clear picture of compliance strengths and weaknesses.
The result of the assessment process is not just a lengthy report filled with recommendations but a picture of priorities. Every Chief Compliance Officer has a list of projects and issues they need to address. The list never goes away – it gets shorter for a short period of time but can always be expanded to address more risks and improvements which are needed.
The key to an “effective” anti-corruption compliance program is to prioritize the list based on company needs, relevant risks and cost-benefit analyses. DOJ and SEC have emphasized the importance of a “risk-based” compliance program. A compliance program assessment is the critical requirement for beginning to implement a “risk-based” approach.
The distinction between a risk assessment and a compliance program assessment is significant. In contrast to a risk assessment, a compliance program assessment focuses not only on the risk assessment process but also on the effectiveness of existing policies and procedures in minimizing identified risks. In addition, a compliance program assessment examines structural issues relating to corporate governance, senior management’s role in implementing the compliance program and specific operational issues which are unlikely to be uncovered in the risk assessment project.
In the end, an effective anti-corruption compliance program requires allocation of limited resources to compliance elements designed to reduce the greatest risks. As risks are reduced on a relative basis, a compliance program can be adjusted to reallocate resources on a continuing basis to minimize risk. A comprehensive compliance program evaluation is an important step in this process.