On April 30, 2019, the Department of Justice (DOJ) Criminal Division published an updated Evaluation of Corporate Compliance Programs Guidance Document (the guidance) for prosecutors to use in evaluating corporate compliance programs. The guidance, which provides a window into the DOJ’s evolving enforcement expectations, lays out three principal areas prosecutors should explore when faced with evaluating a corporate compliance program in the context of a criminal investigation.
- Is the corporation’s compliance program well-designed?
- Is the program being applied earnestly and in good faith?
- Does the corporation’s compliance program work in practice?
While the application of data analytics and periodic monitoring can provide valuable insights into a range of issues raised by the first two questions, this article will focus on how those charged with implementing and testing compliance programs can incorporate data analytics, and monitoring protocols to evaluate the efficacy of their program.
Does your organization’s compliance program work in practice?
The guidance points to several factors that companies should focus on in order to assess whether a compliance program works in practice, including:
- Continuous improvement, periodic testing and review
- Investigation of suspected misconduct
- Gap analysis and remediation of underlying misconduct
To address each of these factors, organizations can incorporate analytics and periodic monitoring into their suite of forensic protocols. Organizations generate and maintain tremendous amounts of data. The power to harness this data and apply analytical tools and procedures to identify problematic trends, uncover high-risk relationships and detect noneconomic transactions can facilitate the early identification of fraud schemes that require investigation, and assist in the process of remediation—two of the stated goals contained in the guidance.
Below we have outlined a suggested protocol for applying data analytics and periodic monitoring to assist boards, general counsel, compliance professionals and external counsel in mitigating risk, reducing exposure and testing the efficacy of an organization’s compliance programs.
We will explore the concept of monitoring, the use of monitoring as a risk mitigation solution, and discuss program implementation procedures and common hurdles.
What is periodic monitoring?
As depicted in Figure 1 below, a monitoring program integrates data analytics with sound forensic practices to detect the following in a timely fashion: high-risk transactions, undisclosed conflicts of interest, internal control and compliance failures, and potential collusive behaviors.