The FCPA Guidance specifies that “a good compliance program should constantly evolve. A company’s business changes over time, as do the environments in which it operates, the nature of its customers, the laws that govern its actions, and the standards of its industry.”
Therefore compliance programmes that do not just exist on paper, but are followed in practice, will inevitably uncover compliance weaknesses and require enhancements. Consequently, DOJ and SEC evaluate whether companies regularly review and improve their compliance programmes and not allow them to become stale.
The three components of an effective compliance programme
Continuous improvement requires you not only audit but also monitor whether employees are staying with the compliance programme. In addition to the language set out in the FCPA Guidance, two of the seven compliance elements in the US Sentencing Guidelines call for companies to monitor, audit, and respond quickly to allegations of misconduct. These three components are what enforcement officials look for when determining whether companies maintain adequate oversight of their compliance programmes.
Monitoring vs auditing
One activity that is extremely useful in the continuous improvement cycle, yet is often misused or misunderstood, is ongoing monitoring. This can come from the confusion about the differences between monitoring and auditing.
Monitoring is a commitment to reviewing and detecting compliance variances in real time and then reacting quickly to remediate them. A primary goal of monitoring is to identify and address gaps in your programme on a regular and consistent basis across a wide spectrum of data and information.
Auditing is a more limited review that targets a specific business component, region, or market sector during a particular timeframe in order to uncover and/or evaluate certain risks, particularly as seen in financial records. However, you should not assume that because your company conducts audits that it is effectively monitoring. A robust programme should include separate functions for auditing and monitoring. Although unique in protocol, the two functions are related and can operate in tandem. Monitoring activities can sometimes lead to audits. For instance, if you notice a trend of suspicious payments in recent monitoring reports from Indonesia, it may be time to conduct an audit of those operations to further investigate the issue.
Your company should establish a regular monitoring system to spot issues and address them. Effective monitoring means applying a consistent set of protocols, checks, and controls tailored to your company’s risks to detect and remediate compliance problems on an ongoing basis. Many compliance practitioners understand you should be checking in routinely with local Finance departments in your foreign offices to ask if they have noticed recent accounting irregularities. Regional directors should be required to keep tabs on potential improper activity in the countries in which they manage. These ongoing efforts demonstrate that your company is serious about compliance.
An ongoing monitoring approach
Ongoing monitoring is not limited to the financial component of compliance. The Red Flag Group have developed an ongoing monitoring approach for the human part of the compliance equation. This is through a cost-effective approach to email review through email sweeps. The concept is straightforward; at regular intervals you can sweep through your company email database for identified key words that can be flagged for further investigation, if required. The beauty of this approach is that does not require an extensive eDiscovery software tool or license purchase. It can be accomplished generally in two days or less. Also it is not limited to anti-corruption compliance but any of the risk factors identified for your company – and you are only paying for the services when you need them and as they are delivered.
The objective of this approach is to ‘find the smoke’ which may be the evidence of a compliance breakdown (and related fire) by sweeping through emails to uncover those that may contain real issues. From this starting point, you can assess and prioritise, by checking and verifying that there are issues worth investigating. From here you can identify the issues you want to investigate first. Further, and if warranted, you can invoke your investigation protocol, with all the requisite protections and securities.
Finally, as the regulators continue to evolve in their understandings and appreciation of a best practice compliance programme, you will evolve your compliance programme to a new level of detection that could allow you to have more robust prevention. When your compliance programme has a strong prevention arm it can be an effective way to stave off issues from Foreign Corrupt Practices Act (FCPA) violations.
How to show continuous improvement
Continuous improvement through continuous monitoring will help keep your compliance programme abreast of any changes in your business model’s compliance risks and allow growth based upon new and updated best practices specified by regulators. A compliance programme is a continuously evolving organism, just as your company is continually improving its business processes. The FCPA Guidance makes clear the “DOJ and SEC will give meaningful credit to thoughtful efforts to create a sustainable compliance programme if a problem is later discovered. Similarly, undertaking proactive evaluations before a problem strikes can lower the applicable penalty range under the U.S. Sentencing Guidelines. Although the nature and the frequency of proactive evaluations may vary depending on the size and complexity of an organisation, the idea behind such efforts is the same: continuous improvement and sustainability.”