The Justice Department and the SEC are tired of investigating companies with “paper” compliance programs. It is easy to spot a “paper” compliance program – as the saying goes, you can smell it a mile away.
The key feature distinguishing an effective compliance program from a “paper” program can be distilled down to one question: is the program “operational”?
Hui Chen, the new DOJ Compliance Counsel, listed this as one of four key inquiries in assessing a company’s compliance program.
A compliance program is operational when its policies, procedures and internal controls are actually implemented, not merely written down. In the anti-corruption compliance arena, the inquiry focuses on important controls relating to:
- Senior leadership support and communications;
- Periodic risk assessments;
- Foreign government interactions;
- Third-party risk management (e.g. agents, distributors, vendors, and suppliers);
- Gifts, meals, entertainment and travel;
- Charitable contributions;
- Training and certifications;
- Audits and monitoring programs; and
- Continuous improvement of the compliance program.
Each of the above-listed categories includes a number of related functions and activities. Even so, many companies do not even operationalize basic functions such as prospective review and approval of expenditures for gifts, meals, entertainment and travel. An effective GMET (gifts, meals, entertainment and travel) program requires some level of review outside of the business unit, and approval of any expenditure above a set threshold.
Another common example of a paper versus operational program is whether a company has a robust due diligence system for screening, monitoring and auditing third-party intermediaries, as well as vendors and suppliers. A recent NAVEX Global Survey on Third-Party Risk Management revealed that only 41 percent of the respondents conducted open source intelligence screening of their third parties as a preliminary step in the due diligence process. That is shocking.
Most companies have secured licenses for access to a screening database, usually for a flat monthly fee or minimal per-search costs. It is hard to understand how a company with such a license would not screen every third party against sanctions lists, PEP lists, watch lists, anti-corruption allegations and media reports. The non-compliant companies usually have not devoted adequate resources to support the due diligence function.
Another telltale sign of a “paper” compliance program is a check-the-box mentality toward CEO and senior management support of the anti-corruption compliance program. A CEO is critical to a compliance program, and CEO statements and conduct are important avenues for communicating the company’s commitment to an ethical culture.
A CEO video about the importance of ethics and compliance, along with a signed letter at the front of the company’s code of conduct, is only a basic preliminary step. A real commitment to ethics and compliance requires consistent and innovative communications techniques. The compliance message cannot be delivered by a form letter, nor by the same message repeated over and over.
When conducting a risk assessment, a question on CEO and senior executive internal communications on ethics and compliance will quickly reveal whether the company’s compliance program is operational. I do not mean to suggest this is the only reliable measure, but for each category listed above, once you scratch the surface of the company’s efforts, it is easy to conclude that the program is not operational.