Some Polite Words on Testing
Gather round, corporate compliance professionals. We have another speech from a high-ranking Justice Department official about how compliance programs should work, and as usual these days, the speech is full of clues that are well worth your time and attention.
The speech came from Kenneth Polite, assistant attorney general for the Criminal Division, who spoke in Washington last week at a conference of compliance professionals. A former chief compliance officer himself, Polite’s wide-ranging speech touched on everything from specific recent FCPA settlements you should study, to what an empowered compliance function really looks like, to the “compliance success stories” his division wants to hear should you ever be in front of prosecutors looking for a favorable settlement.
What struck me most, however, was the emphasis Polite placed on one of the more mundane elements of corporate compliance programs: testing.
Polite mentioned testing eight times in his remarks. He talked about how the Justice Department considers the testing of your compliance program when deciding whether to impose a compliance monitor; about the need for continuous testing even after a matter is resolved with the Justice Department; and about how a company should use testing results to guide program improvements.
Clearly testing is an issue the Justice Department considers quite a bit.
Polite gave the example of companies Balfour Beatty and NatWest, which both settled FCPA cases in December and both agreed to independent compliance monitors for three years. Why?
“Look at the plea documents. The Criminal Division determined that three-year monitorships were warranted in both cases because the companies had failed to fully implement and test their compliance programs by the time of the resolution,” Polite said.
That passage alone demonstrates why Polite’s speech from last week is so useful to compliance officers. He names specific companies and gives specific reasons why they received the punishments they did. He is literally telling us what to do — “look at the case documents” — to gain a better understanding of how compliance programs should work.
What Testing Requires
Let’s remember why testing of compliance programs is so important: because testing tells you whether your policies, procedures, and other controls are designed correctly.
For testing to work, compliance officers (and the programs you run) need several things.
First, you need testing procedures — meaning, somebody has to go forth and test the controls you have in place. That can be your team, the internal audit department, or perhaps some external group hired to do the testing; but somebody somewhere in your enterprise must do the work. Moreover, this group needs to know what they’re doing: how to select a sample of transactions and, say, search for sufficient supporting documentation that the transaction wasn’t a bribe.
Second, you need good data analytics, so you collate all your testing data and analyze it in useful ways. In fact, let’s look at what the Justice Department itself says about testing, straight from its guidance on effective compliance programs:
Do compliance and control personnel have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls, and transactions? … More generally, what testing of controls, collection and analysis of compliance data, and interviews of employees and third parties does the company undertake? How are the results reported and action items tracked?
The third part of all this is what comes after all that testing and data analytics. You need to revisit the design of your controls and strengthen the weaknesses that testing brings to light.
That’s an easy idea to grasp in the abstract, but also consider how it happens in practice. A company can’t get thoughtful design of controls unless the compliance function works closely with other parts of the enterprise. You’ll typically need help from internal audit teams, who are versed in control design. You’ll absolutely need consultation with First and Second line teams who, as we constantly say in Best Practices Land, “own the risk.”
Without that cooperation and advice, compliance teams are just designing controls for the sake of looking busy. Meanwhile, the rest of the enterprise ignores you and looks for ways to evade all those controls you keep introducing, obstacles to them doing their “real” jobs.
And that cooperation from the rest of the enterprise doesn’t happen unless the compliance team has strong support from senior management. As always, a successful compliance program keeps circling back to this fundamental point.
Now let’s circle back to Polite’s points.
Testing, Progress, Monitors, Success
Polite said the Justice Department wants to evaluate the state of your compliance program at two points in time: when the misconduct occurred, and when the resolution is at hand. Moreover, Justice Department officials will use the same criteria both times. Meaning, the goal is to see how your company’s compliance program effectiveness has evolved over time.
You, the compliance officer, will need to demonstrate that evolution. Hence testing and redesign of weak controls is so important: it’s the evidence you can provide to show that, yes, your company has studied the errors of its ways and is trying to improve.
There’s also an urgency here, that your company must make those improvements in a timely manner — not at reckless, breakneck speed; but promptly. The more quickly you can implement, test, and document the strength of your compliance program, the more likely you are to achieve a favorable resolution.
Polite gave the recent example of Stericycle, which in April settled FCPA charges with $84 million in penalties, a three-year deferred-prosecution agreement, and a compliance monitor for two years.
Stericycle’s offenses in the 2000s and early 2010s were egregious. By the late 2010s, however, new management arrived and embarked on an overhaul of the compliance program. “But because the controls were so new and because they had not been fully implemented or tested by the time of the resolution,” Polite said, “it was our assessment — and the company agreed to this — to impose a monitor for a shorter period of time, only two years.”
Now, if Stericycle had been even more ambitious with its compliance overhaul, and tested everything more quickly, would it have avoided a monitor entirely? We’ll never know — but the opposite statement is clearly true.
That is, if senior management isn’t serious about reforming compliance, and you’re dithering with inadequate budgets and operating units that ignore your pleas for help, then unfavorable outcomes such as monitors and penalties and DPAs become much more likely.
Polite’s speech connects all those dots. It lets compliance professionals see how strong executive support for ethics and compliance should lead to more resources and collaboration for practical steps such as testing and control redesign; which should lead to more favorable resolutions when you’re across the table from the FCPA Unit.
That’s a picture worth painting to the board next time you’re meeting with them.