Yesterday I did another “Compliance in the Weeds” podcast with Tom Fox, where our subject of conversation was the Justice Department’s new guidelines for evaluating corporate compliance programs.
That guidance—46 questions that prosecutors might ask about your compliance program, across 11 broad categories—is manna from heaven for corporate compliance officers. The questions are specific. They tie directly to corporate operations. Compliance officers won’t be able to give decent answers to these questions unless their compliance program actually functions, rather than exists solely as ink on paper.
There are also a lot of questions (each of the 46 is really a set of several related questions), so let’s try to identify a few more broad themes here. That is, let’s look at what your compliance department must be doing, or be able to do, for you to answer these questions effectively.
First, compliance needs to work with internal audit. In several places, the guidance asks for evidence that only an audit function can provide. For example, the very first question in the guidance asks whether the company performed a root cause analysis of the misconduct at hand, and whether there were any prior indications of trouble.
Further down, the guidance includes questions about testing controls for improper conduct. One question is even labeled “internal audit” and asks: “What types of relevant audit findings and remediation progress have been reported to management and the board on a regular basis?”
You can’t answer questions about internal audit work unless an internal audit function exists to do that work. The function doesn’t need to be a dedicated internal audit function per se; smaller companies might rely on a corporate controller or outsourced help from an audit firm.
Regardless, the company will need to be able to answer questions about assessing operations, testing controls, remediating weaknesses, and the like. Understand who can do that best at your business. For many compliance officers, who come from a legal background, that person probably isn’t you.
Second, you need a strong approach to policy management. The new guidance has more questions about policies and procedures than any other subject. Some of the questions are about policies’ design and accessibility; others are about how you integrate those policies into daily operations.
This is where all the action is for corporate compliance officers. If you design a policy in a vacuum, without consulting business units to understand how the company really operates, you’re sunk. Either the policy won’t work because it doesn’t address how your operations actually run, or employees will see the policy as an impediment to how they work and find ways around it.
Astute policy management solicits input from operating units about how the policy can work within regular operations. (That’s one question included in the guidance: “Have business units/divisions been consulted prior to rolling them out?”) It also connects your policies to regulatory requirements, and to the controls intended to prevent the misconduct at hand.
Will employees gripe about a new anti-corruption or vendor management policy anyway? Probably. But at least they’ll know where the policy came from, and how to follow it in their day-to-day chores. That’s miles better than confused employees dismissing unclear or irrelevant policies as the latest batch of fertilizer from senior management.
Third, compliance officers need effective analytics. Numerous questions in the guidance ask about how the company analyzes risks, operations, or transactions in aggregate. Those are good questions to ask; they force a company to explain how it nurtures a broader strategy for good conduct rather than narrow actions for regulatory compliance. But a company can’t analyze anything in aggregate unless it has lots of data and that data is prepared in a way that’s ripe for analyzing.
For example, one question asks whether the company “collects, analyzes, and uses information from its reporting mechanisms.” Great idea, but not an easy task. Compliance officers need to cobble together data from whistleblower hotlines, in-person reports to managers, and possibly even employee satisfaction surveys. You need a system to “normalize” those different information formats so your analytics can find trends that do exist, but don’t exist in a readily visible form.
Likewise, you need to know what the most useful metrics for analysis actually are. I’ve written about this subject before, using whistleblower hotline metrics as an example—that the best way to study the effectiveness of your hotline is to analyze the data about your hotline calls, rather than the number of calls alone. Data can always tell you something, but “data about the data” can tell you why you’re getting the data you have. That’s what compliance officers need to understand.
Those are three immediate conclusions that compliance officers can draw from this new Justice Department guidance. I’m sure we can draw many more, and in future posts we probably will. This guidance is the sort of thing a compliance officer should print out and pin to your wall.