Regulators’ anti-corruption initiatives appear to be focusing attention on the effectiveness of companies’ compliance programs and controls. Remediation that includes implementation of effective controls may not only limit corruption risk but, for companies facing a potential investigation, they can also increase the likelihood that regulators may decline to pursue enforcement actions.
The U.S. Department of Justice recently announced a one-year pilot program to fulfill three objectives:[1]
- provide information to the public about how declinations, criminal charges and other resolutions are reached,
- encourage companies to voluntarily self-disclose violations and identify the individual corporate executives who engaged in wrongdoing, and
- provide practical, written guidance for companies when they suspect and uncover Foreign Corrupt Practices Act (FCPA) misconduct about how to receive credit for cooperating and correcting flaws in their controls and compliance programs.
The potential monetary savings from the pilot program are significant: Companies that cooperate and fix their compliance issues may receive a reduction in fines applicable under U.S. Sentencing Guidelines by up to 50 percent and avoid the additional scrutiny – and associated financial costs – that come with a government-appointed monitor.[2] In addition, where those same conditions are met, the Fraud Section’s FCPA Unit will consider a declination of prosecution.[3]
Each case may be different, rendering a road map to remediation unrealistic. But there are steps that companies may consider to deter both noncompliance risk in connection with the FCPA and other regulations and, if faced with an investigation, to improve the likelihood of obtaining a declination, a reduction in fines and an independent compliance monitor, including addressing:
- the tone of the team
- controls, monitoring and innovation for evolution
- risk assessments and compliance program evaluations
Tone of the Team
Compliance programs should be enforced throughout an organization, not just from the top but from middle management, too. It is important that employees live by the tenets of the program daily, and disciplinary measures should be applied consistently and regardless of level.
Training and communication initiatives are important to ensure that programs are effective, and participation occurs across business units, while also improving buy-in of the program. Annual compliance certifications and hotline reporting provide data to monitor the effectiveness of the program and a mechanism to collect information about risks and potential violations. Electronic training reminders can improve participation rates, and automated central training repositories can facilitate responses to regulators’ and auditors’ requests. Compliance newsletters allow the organization to proactively market compliance initiatives through case studies and examples of compliant and noncompliant behavior.
Companies may also consider separating the roles of general counsel and chief compliance officer, and enabling a direct reporting line and regular reports from the compliance department to the board of directors outside of the presence of other executives.
Controls, Monitoring and Innovating
Establishing anti-corruption controls and monitoring are important to prevent and detect noncompliant behavior. Automated controls and monitoring tools often improve a company’s ability to identify potential issues and outlier patterns that may indicate risk. Manual controls are needed when automation may be too expensive or difficult to implement within the organization’s current environment. Rather than a “check the box” approach, implemented controls should be relevant and tailored to an organization’s business. There are three types of key controls and examples of enhancement:
- preventative controls within accounting systems for procurement processes, requiring compliance with policies and increasing deterrence of potentially improper behavior and payments
- detective controls – featuring custom, interactive dashboards and monitoring – to help the internal audit and compliance departments monitor for outliers and patterns in high-risk processes and regions
- reactive controls, addressing automated holds on pending payments and product shipments that can reduce the impact of wrongdoing, and notification to the compliance department for timely reviews and internal investigations
Integrating controls into operating processes and systems may ease the user experience, improve efficiency and sustainability, and make data readily available for compliance program testing and investigations. Manual controls could be overly burdensome and costly to operate over a long period. Such controls may not produce sustained change, may limit a company’s ability to address the nature of identified risks, and may make investigations more costly if data is not readily accessible. Importantly, a company should analyze the return on investment of enhanced controls through automation. Though it may require a greater initial investment, the advantages of integrated system controls often serve as a deterrent to potential misconduct or facilitate a more effective compliance program in the event a company faces an enforcement action.
Program Evaluations
The litmus test for a compliance program is the quality of responsive and necessary internal reviews, and the resulting operational planning and remediation. Accordingly, companies should seek to ensure that their programs can address emerging risks.[4]
One way they may do so is by revising compliance programs to reflect changes in a company’s business, customers and operating environment.
As part of reviewing their compliance program, companies may use annual and on-demand risk assessments to uncover gaps within systems and process controls that could fail to deter improper behavior by employees or third parties. Notably, risk assessments should focus on current investigations, reports of allegations made by whistleblowers, and reports of remedial actions and resolutions. This allows for an efficient and effective approach for a compliance program tailored to the company’s highest and most visible risks.
An effective compliance program is the first step in preventing a potential violation related to the FCPA or other anti-corruption or anti-money-laundering regulations. There is much that companies can do – chief among them are enhancing controls and firming up compliance programs to prevent future violations and having a more defensible position, based on regulatory guidance, should regulators come calling. The DOJ’s pilot program provides insight into the agency’s expectations and the value of self-disclosure. The benefits are clear – as much as a 50 percent reduction in fines and an opportunity to receive a declination of prosecution and imposition of a monitor. The program’s benefits seem to be such that companies may not wish to wait until an often lengthy investigation has occurred to develop, refine and fully implement their compliance programs.
Published August 25, 2016.