Businesses with an eye on compliance know that the Department of Justice’s (DOJ) Criminal Division has recently released an update to the Evaluation of Corporate Compliance Program (2023 Guidance). Although this update is meant to assist prosecutors in evaluating and determining the adequacy and effectiveness of a corporation’s compliance program, the 2023 Guidance should be considered by in-house counsel, corporate compliance leaders and auditors as they administer and oversee their own programs, including their response to allegations of noncompliance, both in design and practice. For instance, recent regulation regarding clawback of management compensation due to noncompliance has been top of mind for executives and attorneys alike.
The importance of a robust compliance program cannot be emphasized enough in today’s complex regulatory and legal environment. The financial impact of settlements, fines and penalties for compliance violations are continually on the rise—and often on the front page of the news. All things considered, your company’s reputation, as well as current and future profitability, will be better protected when you have integrated compliance and investigations teams.
The case for integrated compliance and investigations teams
A sophisticated compliance program recognizes that (1) proactive compliance and (2) any resulting investigations into alleged noncompliance can each influence, complement and strengthen the other.
- A strong and effective compliance program lays the foundation for a healthy and ethical business operation. However, even the most robust ethics and compliance programs cannot eliminate all fraud and corruption risk. As such, while the occurrence and magnitude of misconduct can be minimized, it cannot be fully eliminated. When allegations of misconduct and noncompliance occur, companies can quickly determine the who, what, when, where, how and potentially why through deploying leading practices in conducting investigations.
- After misconduct or noncompliance is alleged or identified, well-executed investigations should be conducted that include root cause analyses to provide valuable feedback on required internal control and compliance program remediation, further enhancing the effectiveness of the corporate compliance program. The integrated cycle of identify—investigate—report—remediate across the compliance and investigations functions demonstrates the organization’s earnestness regarding its obligations toward compliance and legal issues.
What should companies focus on?
Compliance programs are not one-size-fits-all. Your organization should tailor your program to fit your needs and circumstances. However, based on recent cases resolved under the DOJ guidance, your company should consider how well your programs are designed to address four key elements critical to compliance programs. Addressing these issues will increase the chances of a more positive outcome when faced with compliance issues:
- Risk mitigation: Compliance frameworks are designed to identify and mitigate risks so corporations can adhere to relevant laws and regulations. Understanding the existing legal and regulatory landscape (both domestically and globally) facing your organization, coupled with a focus on communication and engagement, as well as conducting periodic risk assessments shaped by the evolving environment in which you operate, will increase your organization’s preparedness and reduce harm.
- Know and use your data: Understanding the information and data available to you, including where it resides and its limitations, is imperative to both assess compliance and respond to allegations of misconduct or noncompliance. In more mature compliance programs, the same data and technology utilized by management to make strategic decisions can be leveraged to identify key issues with compliance. Regulators have now come to expect continuous monitoring of key risk areas to mitigate the severity of compliance issues and limit their frequency.
- Investigation management drives reputation management: The rigor with which a business investigates misconduct allegations can demonstrate a company’s commitment to ethical conduct. Organizations that do not disclose all facts may lose credibility with regulators, enforcement agencies and their employees. By enhancing employee awareness of confidential reporting hotlines and other resources, including whistleblower protection rights, reputational harm can be mitigated by all employees within the organization.
- Consequence management: Finally, the objectives of any compliance and investigation effort should include limiting financial and reputational impact on the business. If a violation occurred, swift and meaningful action, based on the severity of the conduct and the pervasiveness of the issue, illustrates the thoughtful and strategic manner in which your organization has created an environment of compliance in spirit and practice.
Help to integrate
There are a variety of ways your organization can look to mature your compliance and investigations efforts with the help of external experience and insight.
Compliance program review and continuous improvement
An effective compliance program should evolve and adapt to the changes in the business, industry and any other relevant external circumstances. To that end, companies may periodically engage with external advisors to independently review and update their existing compliance program. Experience from outside your organization brings lessons learned from competitors, other industries and geographies to leverage against the specific compliance needs at issue, limiting risks of noncompliance with new industry standards, regulations and laws.