In June 2020, the US Department of Justice (DOJ) Criminal Division updated its guidance on the factors that prosecutors should consider when conducting an investigation of a corporation. Stuart Meher, Principal Consultant at LEO GRC, talks us through a summary of the changes and what it means for GRC training programs.
What Does the Guidance Focus On?
Primarily, the updated guidance focuses on three key areas:
- The effectiveness and adequacy of an organization’s compliance program at a time that guidelines, regulations, or laws were breached
- If/how this has changed in the time between the breach and the formal charge
- Any ongoing/outstanding efforts from the organization to change or improve its current program
The guidance itself assists prosecutors in determining the appropriate form of resolution or prosecution, monetary penalty (if applicable), and any resulting compliance obligations.
Although this guidance has not been tailored specifically for the financial services industry, we feel that a lot of this could be applicable and relevant to compliance programs adopted by banks, brokerage firms, and other similar institutions.
So, what does this mean for your current compliance program(s)?
Three Fundamental Questions to Ask
The DOJ’s guidance recommends that you ask three questions when evaluating your compliance program:
- Is it well designed?
- Is the program adequately resourced and empowered to function effectively?
- Does the compliance program work in practice?
Let’s take some time to explore each of these questions individually.
1) Is Your Compliance Program Well Designed?
When evaluating your compliance program, it’s important to start with understanding the effectiveness of its design. This evaluation can cover a range of areas, but the guidelines recommend focusing on five in particular:
- Risk assessment - this should account for factors such as industry sector, market competition, business partners, and charitable or political contributions.
- Policies and procedures - essential elements of these should include processes for updating documents as needed, processes and methodologies for review/approval by senior management, and methods for communicating any changes to employees and other stakeholders.
- Training and communications - this includes understanding how well policies and procedures are covered in training, which assessments are used, how tailored your training is to your target audience, and ways to measure its effectiveness.
- Confidential reporting structure and investigation process - this area focuses on whistleblowing processes and procedures, including how well communicated they are to employees, what protections are in place for the whistleblower, and proper documentation of these procedures.
- Third-party management - it’s important to consider whether there’s a clear business rationale for using third parties, your ability to monitor their performance, and how you manage compliance with third-party relationship managers.
2) Is Your Compliance Program Adequately Resourced and Empowered to Function Effectively?
When it comes to resourcing, effective function, and engagement with your compliance training program, the DOJ guidance focuses particularly on three key areas: management buy-in, autonomy and resourcing, and incentives and disciplinary measures.
- Commitment from senior and middle management - this commitment should include clear communication of your code of conduct and ethics, developing and implementing policies and procedures, and a clear demonstration of leadership and oversight of employees.
- Autonomy and resources - you should ensure that the compliance function within your organization has sufficient seniority, resources (especially staff) to undertake audits, documentation, and analysis, and autonomy from management.
- Incentives and disciplinary measures - the process of establishing these measures should include publicizing disciplinary measures where appropriate, identifying who’s involved in the discipline, and whether disciplinary actions or incentives have been fairly applied.
You may also be interested in: ‘The Impact of COVID-19 on GRC Best Practices for Financial Services’
3) Does Your Compliance Program Work in Practice?
The final question to address ultimately looks at how well your compliance program functions within your organization. As the main function of the DOJ’s guidance is to assist prosecutors in determining the appropriate response to breaches of laws, guidelines, and regulations, this section looks mostly at misconduct and how it’s handled.
When answering this question, we must focus on three key things:
- Continuous improvement, testing, and review - it’s important to periodically review the effectiveness of your program, including analysis of compliance data and understanding how frequently and effectively the program is currently audited.
- Investigation of misconduct - investigations of alleged misconduct need to be timely and thorough. The DOJ recommends these investigations are properly scoped, independent, objective, appropriately conducted, and vitally, properly documented.
- Analysis and remediation of misconduct - when conducting this analysis, you should consider if any systemic issues were identified, which controls failed, if any policies and procedures could have prevented the misconduct, and if it involved any third parties.
When testing, reviewing, and analyzing your program, it’s also important to consider what changes were made after any alleged misconduct to prevent it from happening again and the type of disciplinary action taken internally in response to the issue.
More from the blog: ‘Measuring Compliance: A Behavior-Change Focused Approach’
Why Is This Important for GRC Training?
While maintaining an effective compliance program doesn’t guarantee that misconduct will be prevented, the inability to monitor compliance with policies, procedures, laws, and regulations could expose your firm to regulatory sanctions, fines, penalties, reputational risk, and loss of customer trust.
If you would like a closer look at the US Department of Justice’s guidance discussed in this article, you can read it here.