Evaluating Compliance Programs For Continuous Improvement

Thomas Fox - Compliance Evangelist

I recently had the opportunity to visit with Stephen Martin, Partner at StoneTurn, to consider some of the impacts on corporate compliance programs from the recently released 2020 Update to the Department of Justice’s (DOJ) Evaluation of Corporate Compliance Programs (2020 Update). Martin had some interesting insights, which I thought demonstrated the fully integrated nature of a best practices compliance program. Everything starts with a risk assessment and moves towards continuous improvement of your compliance program.

The 2020 Update emphasized the continuous evaluation of compliance programs. Martin agreed that it must be done “in light of the risks that your company faces. When the government talks about risk it’s government enforcement actions, industry regulations, industry enforcement activity, as well as specific risks to your company.” Your compliance program must evolve because your risks are constantly evolving. Martin went on to say, “It used to be that you could conduct a risk assessment every couple of years and make tweaks to your program. Now what they’re suggesting is you should always be evaluating your risks and you should be evolving the program on an ongoing basis.” Unfortunately, this is not something most companies are very good at doing. But this is clearly the government’s expectation now.

A key area to begin with is a risk assessment. While most companies conduct risk assessments, Martin believes “even if they can conduct an adequate risk assessment, they really do not understand their risk or their risk profiles are really static.” The significance of your risk assessment is also important to ongoing monitoring and enhancement of your program. Martin believes this is where the DOJ “has now caught up to that and understands it and is pushing companies to recognize that those are the two components of a program.”

The DOJ also talked about real time data, in terms of monitoring and having access to real time transactions. Martin believes that it is “cutting edge”. While there are some industry leaders on the compliance side who have real time monitoring, it is not as well-favored yet. However, it is something Martin is starting to talk to clients much more about: things like real time data dashboards, data analytics that you can use and Artificial Intelligence (AI) technology, so that your program can be proactive rather than simply reactive. It allows a compliance professional to be predictive and understand where the risks are, what the trends are looking like, and how you can use that data and information to be ahead of the curve in understanding where the potential issues might be for your company. Martin believes this will be “a huge step forward because instead of being just a cost center or being reactive, now you’re going to be instrumental in helping the company reduce its risk profile, maximize its profitability and work on behalf of all stakeholders.”

This seems to be a clear direction in which the compliance discipline is headed and one in which the DOJ wants compliance programs to lead for their corporations. Martin added that it will “really bring the business forward to where it should be, by using real time analytics. While at this point, most companies are not doing so, it’s certainly where things are headed, both from the DOJ perspective, as well as what you should be doing for your compliance program just to be effective.”

We conclude by looking at third parties, which are still seen as the highest Foreign Corrupt Practices Act (FCPA) risk. While many companies follow the lifecycle of third-party risk management, they still fall down when it comes to Step 5, managing the relationship after the contract is signed. Companies do not work to monitor their third parties. As Martin intoned, “half the time they don’t even go back and conduct due diligence after the fact which can lead to uncovering changes in ownership, where payments are going and all kinds of issues that would flag potential FCPA violations.” A US company would not even know if its third parties are meeting its expectations regarding its code and the appropriate anti-corruption laws in the various countries in which they are operating. The key is to monitor after the contract is signed. Martin stated, “I think the best companies in the world are doing this and they are really protecting their stakeholders through ongoing monitoring.”

We then turned to third-party audits to follow up on due diligence, check ownership and test training. From there you need to move to ongoing monitoring. Martin said, “I often tell my clients you should be conducting reviews of all your third parties over a two to four-year period, depending on their risk profiles and then following up on that. That is now the government expectation.” The bottom line is that a more fulsome, ongoing continuous monitoring needs to be implemented to not only meet the DOJ expectations but also protect your organization.

Each one of these steps raised by Martin clearly demonstrates the integrated nature of how the DOJ sees compliance programs. Just as silos around data must be overcome by a compliance function, silos within a compliance program must also be overcome. The more integrated your approach is, the more efficient your business process will be, making you, at the end of the day, more profitable. During this time of Covid-19, this will be an important step for compliance professionals to not only take but embrace as well.
