Protecting value with your compliance and response program

Businesses with an eye on compliance know that the Department of Justice’s (DOJ) Criminal Division has recently released an update to the Evaluation of Corporate Compliance Program (2023 Guidance). Although this update is meant to assist prosecutors in evaluating and determining the adequacy and effectiveness of a corporation’s compliance program, the 2023 Guidance should be considered by in-house counsel, corporate compliance leaders and auditors as they administer and oversee their own programs, including their response to allegations of noncompliance, both in design and practice. For instance, recent regulation regarding clawback of management compensation due to noncompliance has been top of mind for executives and attorneys alike.

The importance of a robust compliance program cannot be emphasized enough in today’s complex regulatory and legal environment. The financial impact of settlements, fines and penalties for compliance violations are continually on the rise—and often on the front page of the news. All things considered, your company’s reputation, as well as current and future profitability, will be better protected when you have integrated compliance and investigations teams.

The case for integrated compliance and investigations teams

A sophisticated compliance program recognizes that (1) proactive compliance and (2) any resulting investigations into alleged noncompliance can each influence, complement and strengthen the other.

1. A strong and effective compliance program lays the foundation for a healthy and ethical business operation. However, even the most robust ethics and compliance programs cannot eliminate all fraud and corruption risk. As such, while the occurrence and magnitude of misconduct can be minimized, it cannot be fully eliminated. When allegations of misconduct and noncompliance occur, companies can quickly determine the who, what, when, where, how and potentially why through deploying leading practices in conducting investigations.
2. After misconduct or noncompliance is alleged or identified, well-executed investigations should be conducted that include root cause analyses to provide valuable feedback on required internal control and compliance program remediation, further enhancing the effectiveness of the corporate compliance program. The integrated cycle of identify—investigate—report—remediate across the compliance and investigations functions demonstrates the organization’s earnestness regarding its obligations toward compliance and legal issues.

What should companies focus on?

Compliance programs are not one-size-fits-all. Your organization should tailor your program to fit your needs and circumstances. However, based on recent cases resolved under the DOJ guidance, your company should consider how well your programs are designed to address four key elements critical to compliance programs. Addressing these issues will increase the chances of a more positive outcome when faced with compliance issues:

1. Risk mitigation: Compliance frameworks are designed to identify and mitigate risks so corporations can adhere to relevant laws and regulations. Understanding the existing legal and regulatory landscape (both domestically and globally) facing your organization, coupled with a focus on communication and engagement, as well as conducting periodic risk assessments shaped by the evolving environment in which you operate, will increase your organization’s preparedness and reduce harm.
2. Know and use your data: Understanding the information and data available to you, including where it resides and its limitations, is imperative to both assess compliance and respond to allegations of misconduct or noncompliance. In more mature compliance programs, the same data and technology utilized by management to make strategic decisions can be leveraged to identify key issues with compliance. Regulators have now come to expect continuous monitoring of key risk areas to mitigate the severity of compliance issues and limit their frequency.
3. Investigation management drives reputation management: The rigor with which a business investigates misconduct allegations can demonstrate a company’s commitment to ethical conduct. Organizations that do not disclose all facts may lose credibility with regulators, enforcement agencies and their employees. By enhancing employee awareness of confidential reporting hotlines and other resources, including whistleblower protection rights, reputational harm can be mitigated by all employees within the organization.
4. Consequence management: Finally, the objectives of any compliance and investigation effort should include limiting financial and reputational impact on the business. If a violation occurred, swift and meaningful action, based on the severity of the conduct and the pervasiveness of the issue, illustrates the thoughtful and strategic manner in which your organization has created an environment of compliance in spirit and practice.

Help to integrate

There are a variety of ways your organization can look to mature your compliance and investigations efforts with the help of external experience and insight.

Compliance program review and continuous improvement

An effective compliance program should evolve and adapt to the changes in the business, industry and any other relevant external circumstances. To that end, companies may periodically engage with external advisors to independently review and update their existing compliance program. Experience from outside your organization brings lessons learned from competitors, other industries and geographies to leverage against the specific compliance needs at issue, limiting risks of noncompliance with new industry standards, regulations and laws.

Third-party risk management (TPRM) and international compliance

Third-party resellers, vendors, suppliers, agents and contractors play vital roles in organizations in the global business environment. However, the use of third parties and their relationships introduces certain risks. In some cases, external entities can affect your company’s compliance status and its brand reputation. Risk mitigation begins with establishing and monitoring a TPRM program led by trained compliance advisors to ensure effective due diligence, mitigating potential risks associated with higher-risk external parties.

For companies operating globally, navigating the complexity of international regulations and laws of foreign countries could be challenging. External advisors with a global network can help your company comply with diverse regulatory requirements and form law-abiding strategies abroad.

Investigation support

Without timely and thorough investigations of allegations of noncompliance, the effectiveness of a compliance program can be significantly diminished. Your organization should maintain relationships with experienced law and investigative firms to provide appropriate global subject matter experience when required. Your organization may lack well-established procedures, personnel or resources; the necessary tools and technology to conduct a thorough investigation; or sometimes, the stakes may simply be too high to go at it alone.

Post-investigation analysis and remediation recommendation

As part of the conclusion of any investigation, a thorough root cause analysis of noncompliance incidents is essential to address the underlying financial or operational issues. Internal controls and process management advisors have deep insights into the types of noncompliance activities and control failures in specialized industries. Advisors can perform the appropriate analyses, determine remediation efforts, assess the adequacy of your data and technology, and develop a prioritized, actionable work plan to remediate control deficiencies.

The risks, the expectations and the stakes for compliance and response have never been higher.  When you establish a team of integrated compliance and investigative professionals that deploy the right technology and outside resources when needed, you are positioned for future success reputationally and financially.