Earlier this week we had a post about assistant attorney general Kenneth Polite’s idea to have chief compliance officers certify the effectiveness of their compliance programs. Today I want to revisit the rest of Polite’s speech; aside from that controversial proposal, he offered numerous other thoughts about effective compliance programs worth our attention.
Polite began by listing the three factors that prosecutors consider when evaluating a compliance program:
- Is the program well-designed?
- Is the program adequately resourced and empowered to function effectively?
- Does the program work in practice?
Those questions shouldn’t surprise anybody; they’re the same three factors listed in the Justice Department’s guidelines on effective compliance programs that we all treat as gospel. But how do those broad goals translate into specific compliance program traits that you should develop at your own company? Polite expounded on that, too.
First is a well-designed program. That largely depends on the company’s process for assessing risk and then building policies, procedures, and controls to address risks, Polite said.
“We want to see whether the company has implemented policies and procedures that are designed to address the key risk areas identified in its risk assessments, and that those policies and procedures are easily accessible and understandable to the company’s employees and business partners,” Polite said.
That’s all sensible, but remember that it rests upon two assumptions: that your risk assessment capabilities are sharp; and that you know how to communicate policies and procedures in plain, digestible ways.
So compliance officers need to think about how they can improve risk assessment. For example, do you collaborate with the internal audit function (assuming your company has one) on one single enterprise risk assessment? Or do you perform a compliance risk assessment yourself, while internal audit does its own thing? The latter could be duplicative and a turn-off to business units, weary of yet another risk assessment questionnaire. Meanwhile, if your company doesn’t have an internal audit team, you’ll need to develop that risk assessment expertise internally.
This point is also a reminder on the importance of testing; that’s how you can determine whether policies, procedures, and controls are working as intended. Test, evaluate, remediate — and document all of it, to show prosecutors should they ask for that evidence.
Other Compliance Considerations
Next is whether your compliance program is adequately resourced and empowered. That is not just about dollars and headcount, Polite said. Prosecutors will want to know about the compliance team’s expertise, plus its relationships with senior management and business operating units:
> We will review the qualifications and expertise of key compliance personnel and other gatekeeper roles. We want to know if compliance officers have adequate access to and engagement with the business, management, and the board of directors. We seek to understand whether and how a company has taken steps to ensure that compliance has adequate stature within the company and is promoted as a resource.
Several points to consider here. First is that reporting relationships matter, especially the relationship the compliance officer has with the board. A steady stream of compliance professionals complain to me that companies low-ball the title and authority of compliance roles, where job postings include claptrap like “you may have the opportunity to brief the board.” That seems like a surefire way to irritate the Justice Department, based on Polite’s words above.
Second, however, is that even when the compliance officer does have ready access to the board, that doesn’t necessarily mean the board has enough time and mental focus for you. Many companies still assign oversight of compliance to the audit committee, and those folks are overwhelmed at the best of times. How productive is it, really, to have 15 minutes of face-time with the audit committee after that group just spent three hours poring over financial reports?
So I do have corporate governance concerns: not enough boards are establishing risk or compliance committees of some kind to give compliance issues their proper consideration. That’s not news, nor is it a problem that compliance officers can solve easily; but it is a point worth remembering.
How Programs Work in Practice
Polite’s third point was about how the compliance program works on a day-to-day level, and it mostly builds upon his first point about program design. Namely, if your program is designed well, you should be getting needed compliance activities done in a prompt manner.
> We look at whether the company is continuously testing the effectiveness of its compliance program, and improving and updating the program to ensure that it is sustainable and adapting to changing risks. We want to know that a company can identify compliance gaps or violations of policy or law. Equally importantly, we want to see how the company addresses the root causes of these gaps or violations and finds ways to improve its controls and prevent recurrence of issues.
Note that line about continuous testing of program effectiveness. It’s yet another reminder of why a risk-based approach to compliance is so important: you want to test your most important controls, policies, and procedures most often, and lesser risks less often.
Polite also talked several times about the importance of being able to identify violations of law and to report those violations when they happen. That’s not anything new either — but again, consider what it means. To identify violations of law, compliance functions need strong internal reporting programs, testing, and audits. To find the root causes of those violations, you need strong forensic or audit capabilities. (Another area where close collaboration with internal audit can be hugely helpful.)
And a Word on Corporate Culture
Polite also talked about the importance of corporate culture, and what the Justice Department wants to see for evidence of an ethical corporate culture — “examples of compliance success stories,” he called it.
> We want to see examples of compliance success stories: the discipline of poor behavior, the rewarding of positive behavior, the transactions that were rejected due to compliance risk, positive trends in whistleblower reporting, and the partnerships that have developed between compliance officers and the business.
Those are all good examples of an ethical culture. My question: how many compliance departments are documenting such examples? How often are you alerted to transactions rejected because of compliance risk, or rewards employees receive for ethical behavior?
If a truly ethical business has embedded ethical behavior across all operating units, then in many instances immediate supervisors would make those ethical decisions as a matter of course. Maybe they will neglect to document those decisions and inform the compliance team, unless you specifically ask them.
I also wonder exactly what Polite means by “positive trends” in whistleblower reporting. Research shows that higher levels of internal reporting correlate with better business outcomes — so does he mean that a rising number of reports is a positive trend? We also have some tricky data analytics to do here, such as correlating a spike in internal reports about some issue with new training courses on that issue, and so forth.
One final point: Polite mentioned the need to measure and test corporate culture “at all levels of seniority and throughout its operations — and how it uses the data from that testing to embed and continuously improve its ethical culture.”
We could write a whole book on how to audit corporate culture, which in my opinion is more about auditing those things that tell you something about corporate culture, such as entertainment spending, or payment of invoices before receiving a purchase order, or even employee turnover. Regardless, the Justice Department wants to see evidence. You’ll need to think of what evidence you could gather and present.