The Hui Chen hit parade continues! Today the corporate compliance community can, finally, hear her thoughts on the one subject Chen hasn’t yet discussed publicly: the actual love and care of corporate compliance programs.
I spoke with Chen earlier this week, and you may already know her backstory. She was hired in October 2015 as the first-ever compliance counsel for the Fraud Section of the Justice Department, to help prosecutors evaluate the compliance programs of companies under investigation. Chen quit that post one week ago, saying that the Trump Administration’s own ethical shortcomings made her position too difficult.
That’s the colorful political drama to Chen’s exit. But rather than rehash that story yet again, I asked: Could we delve into the Justice Department guidance published in February, about effective corporate compliance programs? After all, she wrote it.
She eagerly agreed. You can hear a podcast of our full conversation (20 minutes) below. Meanwhile, let me recap a few highlights here…
Success isn’t about the metrics; it’s about the vectors. Chen didn’t use the word “vectors” herself, but remember what a vector is—a number or equation that shows the direction of a trend. That’s what the Effectiveness Questions are meant to elicit from compliance officers.
For example, Chen said, she would meet with companies under investigation by the Fraud Section, and the compliance officers would bring along reams of policies or reproductions of the hotline posters hanging in the company break room. (“The amount of trees killed by these presentations always exasperated the environmentalist in me.”) Then Chen would ask how often the company had disciplined someone for a compliance infraction, or how a specific control actually functioned. Blank stares.
What prosecutors want to see, she said, is evidence of how your program works; not which motions your program goes through. “We wanted people to see that we put a lot of emphasis on evidence and data,” she said. “Don’t just tell us you have a hotline. Show us how you know it’s working.”
Don’t get hung up on the structure of the guidance. Many compliance commentators, including me, sacrificed billions of electrons to write, tweet, post, and podcast about the Effectiveness Questions. We tried to divine all sorts of inner meaning from it. In various ways, Chen said, we’ve been missing the point.
First, if your company is under investigation: consider the misconduct that brought you to the Justice Department’s attention, and how you’ll answer questions most relevant to that problem. For example, in the Effectiveness Questions, the section on policies and procedures is longer than any other. Yet many times when meeting with companies, Chen said, questions about policies and procedures never came up, because policy development wasn’t the cause of the misconduct under the Fraud Section microscope.
“The Justice Department is a prosecuting agency,” she said. “It’s not a regulator looking at compliance programs just for the heck of it. It’s looking at a company’s compliance programs in the context of a criminal investigation.”
So, wait a minute. All of us counting the number of questions in the guidance and comparing one section to another—it never mattered at all?
“Frankly, that never occurred to any of us.”
Not under investigation? You can still use these questions. The Effectiveness Questions are a direct descendant from the Justice Department’s first pass at FCPA guidance published in 2012. That guidance had 10 sections, and they all appear here, too. Chen also added an 11th section about trying to determine the root cause of misconduct. For compliance officers who simply want to improve their program, she suggests starting there.
The reality, which Chen acknowledges, is that small compliance failures happen at companies all the time. No harm happens. Still, something allowed that no-harm failure to occur—so use that failure as an opportunity to study the root cause.
Maybe the cause was a poorly worded policy; maybe it was an overworked employee who didn’t sign an approval; maybe it was a senior executive who didn’t convey the importance of good conduct. Regardless, a failure like that gives you the opportunity to find and remediate those compliance gaps before they magnify into something serious. Take it.
Chen recommends performing that root cause analysis; then try to match the cause(s) to your company’s risks. You can get a better sense of what regulatory trouble you might encounter, and then use the other 10 parts of the Effectiveness Questions to reverse-engineer improvements you might want to make.
You can hear the podcast below, or on YouTube. And somehow, I suspect we’ll be hearing more from Chen in the future.