One of the key lessons I learned in doing the research for The Complete Compliance Handbook is the evolution of compliance programs beyond the basic formulation laid out in the 2012 FCPA Guidance’s Ten Hallmarks of an Effective Compliance Program. In addition to enforcement actions, the Department of Justice’s (DOJs) 2016 FCPA Pilot Program, coupled with 2017’s Evaluation of Corporate Compliance Programs (Evaluation) and the FCPA Corporate Enforcement Policy, all provided significant information for the compliance practitioner on what the DOJ is thinking and where the compliance ball has moved since 2012. Over the next few blog posts, I am exploring this evolution and lay out where I think a best practices compliance program currently stands. Today, I take up Hallmarks IV through VI.
Hallmark IV – Risk Management
Under the original formulation of the Ten Hallmarks of an Effective Compliance Programs, risk assessment was articulated as the cornerstone of all compliance programs. However now a full risk management program is the standard for any best practices compliance program. This consists of three components. First is forecasting, which allows you to consider your business strategy and wed the risks you can foresee. By starting with forecasting, a compliance function utilizes risk assessment to consider issues which forecasting did not predict for or issues which the forecasting model raised as a potential outcome which warranted a deeper dive. The second is that risk assessments allow you to evaluate and measure known risks. If you are moving into a new product or sales area and are required to use third-party sales agents, a risk assessment would provide information that a company could use to ameliorate the risks. Third is risk-based monitoring which allows you to monitor both the compliance risks you know about and detect those you do not know, on an ongoing basis. The basis of your compliance program in many ways turns on the robustness of your risk management process.
As compliance evolves, and corporate compliance programs become more sophisticated, compliance is seen not as simply a legal prophylactic, but as a business process. Seen in this light, it is clear the risk management process should begin with forecasting as it attempts to estimate future aspects of your business. Compliance professionals should be able to say with some degree of authority, what will happen in the next three, six, twelve to twenty-four months. This can facilitate resource deployment where deemed appropriate in order to meet these future demands. This tie back into process management and process improvement. There is a balance between what is actually important for your business or for proper execution; versus the practical aspects of the whole process.
Hallmark V – Communication and Training
One of the key goals of any compliance program is to train employees in awareness and understanding of the Foreign Corrupt Practices Act (FCPA); your specific company compliance program and to create and foster a culture of compliance. Beginning in the fall of 2016 through the announcement of the FCPA Pilot Program, the DOJ began to talk about whether you have determined the effectiveness of your training. This continued with the 2017 Evaluation where they asked, “How has the company measured the effectiveness of the training?” This point has bedeviled many compliance professionals yet it is now a key metric for the government in evaluating compliance training.
Most companies have not considered this issue, the effectiveness of their compliance program. I would suggest that you start at the beginning of an evaluation and move outward. This means starting with attendance, which many companies tend to overlook. You should determine that all senior management and Board members have attended compliance training. You should review the documentation of attendance and confirm this attendance. Make your department or group leaders accountable for the attendance of their direct reports and so on down the chain. Evidence of training is important to create an audit trail for any internal or external assessment or audit of your training program.
Also raised in the Evaluation was the focus of your training programs, where the DOJ inquired into whether your training was “tailored” for the audience. This added new requirements. One being that you must assess your employees for risk to determine the type of training you might need to deliver. This means that you should risk rank your employees. Obviously, the sales force would be the highest risk but there may be others which are deserving of high risk training as well. From your risk ranking, you need to then develop training tailored for the risks those employees will face.
The key going forward is that you have thoughtfully created your compliance training program. Not only in the design but who receives it, all coupled with backend determination of effectiveness. Finally, all of this must be documented.
Hallmark VI – Incentives and Discipline
a. Incentives
The 2012 FCPA Guidance stated the “DOJ and SEC recognize that positive incentives can also drive compliant behavior. These incentives can take many forms such as personnel evaluations and promotions, rewards for improving and developing a company’s compliance program, and rewards for ethics and compliance leadership.” This same concept was expanded in the Evaluation under Prong 8, Incentives and Disciplinary Measures:
How has the company incentivized compliance and ethical behavior? How has the company considered the potential negative compliance implications of its incentives and rewards? Have there been specific examples of actions taken (e.g., promotions or awards denied) as a result of compliance and ethics considerations?”
As your compliance program matures and your strategy is more fully operationalized, your sales force should embrace this operationalization to help achieve compliance. The prescription for you, as the compliance practitioner, is to revise the incentive system to focus your employees on the goals of your compliance program. This may mean that you need to change the incentives as the compliance programs matures; from installing the building blocks of compliance to integrating anti-corruption compliance with the DNA of your company. There are three key questions you should ask yourself in modifying your compensation structure from the compliance perspective. First, is the change simple? Second, is the changed aligned with your company values? Third, is the effect on behavior immediate due to the change?
b. Discipline
In the original formulation of the Ten Hallmarks it stated, “DOJ and SEC will thus consider whether, when enforcing a compliance program, a company has appropriate and clear disciplinary procedures, whether those procedures are applied reliably and promptly, and whether they are commensurate with the violation.”In the Evaluation, the requirements around discipline expanded to “Have the disciplinary actions and incentives been fairly and consistently applied across the organization?” Similarly, the FCPA Corporate Enforcement Policy states: “Appropriate discipline of employees, including those identified by the company as responsible for the misconduct, either through direct participation or failure in oversight, as well as those with supervisory authority over the area in which the criminal conduct occurred.”
One of the areas which can work to more fully operationalize your compliance program is to ensure that discipline is handed out fairly across an organization and to reward those employees who integrate such ethical and compliant behavior into their individual work practices going forward. In addition to providing a financial incentive for ethical behavior, it also provides a sense of institutionalobjectivity. Institutional objectivity comes from procedural fairness and is one of the areas that will bring credibility to your compliance program.
Today, that is called the Fair Process Doctrine, which recognizes that there are fair procedures, not arbitrary ones, in processes involving rights. Considerable research has shown that people are more willing to accept negative, unfavorable, and non-preferred outcomes when they are arrived at by processes and procedures that are perceived as fair. As you incorporate the Fair Process Doctrine in your compliance program, consider these three key areas: (1) Administration of discipline; (2) Employee promotions; and (3) Internal investigations.
Tomorrow, I will consider Hallmarks VII to IX.
[View source.]
