There are multiple areas in the Department of Justice (DOJ) Evaluation which intersect with the area of continuous improvement. Under the section entitled Continuous Improvement, Periodic Testing, and Review it stated, “One hallmark of an effective compliance program is its capacity to improve and evolve. The actual implementation of controls in practice will necessarily reveal areas of risk and potential adjustment. A company’s business changes over time, as do the environments in which it operates, the nature of its customers, the laws that govern its actions, and the applicable industry standards.”
This tied to the 2012 FCPA Guidance, which made clear that compliance audits, with actionable remediation plans, are a key component of any effective compliance program. Another way to achieve these multiple and intersecting goals is through proactive monitoring. I spoke with Vincent DiCianni and Eric R. Feldman, of Affiliated Monitors, Inc., about their views on proactive monitoring.
According Feldman, proactive monitoring is an approach where a company “uses the services of an independent monitor to find out how their program is working and to be able to use that data with government regulators and law enforcement to demonstrate their due diligence in creating and continuously improving their corporate ethics and compliance program.” There are at least two different types of proactive monitoring. Feldman articulated the first as “reactive proactivity” which is the situation where a company determines it has a potential compliance violation and they bring in an independent monitor to address the issue.
The genesis for this type of monitoring is some event, such as a whistleblower report, internal report or investigation or detect control picking up information which warrants additional investigation. Feldman provided a couple of examples. The first might be “where one business unit has a problem and they’re worried about the other business units and they want to get an assessment.” Another situation could be there is a problem in a sector or “industry and they know that that industry is being scrutinized by law enforcement or the regulators and they fully expect the regulators or law enforcement to be coming in and looking at them.” Yet another area could be in a geographic area such as China or another high-risk region.
DiCianni noted there is a second type of proactive monitorship. It is where a company wants a true independent “to come in to test the quality of the program to see how impactful” the company’s compliance program is operating. It could assess a variety of issues, such as the compliance internal controls to test their benchmarking of a company’s compliance program. In this type of proactive monitorship, the examiner is not focusing on one issue or region as laid out in the first example as it is broader.
Moreover, it allows a true independent to perform the assessment as DiCianni noted, “it’s very difficult for companies and for compliance officers and their teams to self-assess the strength of their programs. They just have difficulty doing that. It’s just not an easy thing for them to get their hands on, how good a job am I doing? By having an independent come in with no skin in the game, with complete objectivity, neutrality, no judgements, or pre-judging the work, looking at the company’s program, the quality of the program, the makeup of the team, the organizational structure, where it’s placed. All of those kinds of things are parts of this proactive approach.”
The benefits of both types of proactive monitoring are multifold. It certainly helps to meet the control testing requirement found in the 2019 Guidance, which stated Prosecutors should likewise look to whether a company has taken “reasonable steps” to “ensure that the organization’s compliance and ethics program is followed, including monitoring and auditing to detect criminal conduct,” and “evaluate periodically the effectiveness of the organization’s” program.” This type of approach can provide benefits if a company finds itself in Foreign Corrupt Practices Act (FCPA) hot water, as both the DOJ and Securities and Exchange Commission (SEC) “will give meaningful credit to thoughtful efforts to create a sustainable compliance program if a problem is later discovered. Similarly, undertaking proactive evaluations before a problem strikes can lower the applicable penalty range under the U.S. Sentencing Guidelines.” Yet the 2012 FCPA Guidance intones a business reason for the use of such techniques as proactive monitoring when it stated, “Although the nature and the frequency of proactive evaluations may vary depending on the size and complexity of an organization, the idea behind such efforts is the same: continuous improvement and sustainability.”
Feldman pointed out yet another reason for such a proactive approach as it can create an administrative record, which a company can use to demonstrate it has remedied the problems. (“Document, Document, and Document”) Equally important, it establishes the company is maintaining its commitment to doing business in compliance. The key is the independence of the monitoring personnel, so they can present an accurate, unbiased opinion.
Feldman presented the example of a company which had been debarred by the US government and needed to demonstrate an acceptable level of compliance to get off the list. He and his team performed a baseline assessment and from there developed a remediation plan, which the company implemented. After six months or so, he and his team came back to assess the progress made by the company. From this follow-up assessment, they generated a report which was used in a submission to the government which essentially noted, “We are now ready to be a responsible contractor as defined by the federal acquisition regulations and we propose an administrative agreement with continued monitored that would move it from proactive monitoring over to mandatory monitoring for the next three years.”
Proactive monitoring is an excellent technique through which a company can engage in continuous improvement. Nonetheless, it has many other benefits including regulatory and evidence in a criminal investigation if needed under anti-corruption laws such as the FCPA. The bottom line is that all those scenarios might justify a company to engage a proactive monitorship to come in and do a complete ethics and compliance and cultural assessment or audit of their organization.
DiCianni concluded by stating, “While companies should take comfort in establishing a compliance program as part of its overall risk management strategy, one lingering question often remains: “Is it actually working?” We have found that the companies with the most effective programs periodically test it (as suggested by the DOJ evaluation guidelines) with an independent review to determine its impact on the workforce, how it compares to other, similar companies and whether they are maximizing their precious compliance dollars on the right compliance activities.”
[View source.]
