In part two of this series, we discussed the step-by-step process of how to properly assess COIs and identify risks based on a scale of severity and how that COI may or may not impact the business. In this post, we will discuss how to take the findings of your assessment to make adjustments and improve controls in your compliance program and become more predictive in your approach.
It’s every compliance officer’s dream to be proactive in writing policies or conducting training to prevent non-compliant behavior; however, effective monitoring requires ongoing, near-real-time analysis of traditional (i.e. hotline) and non-traditional (i.e. HR data overlay) data sources as they relate to business activities and controls, which can be an entire job in itself. To be responsive to potential red flags and to become more predictive in your approach, a compliance program must have investigations, policy adaptation and enhanced training in place, as monitoring is a direct result of these activities. And with increasing regulatory pressure, it’s more and more important to find the time to look at your compliance program in a different way.
Regulators are focusing on monitoring
Regulators are taking a closer look at these activities within your program. With stronger expectations coming from regulators across sectors, from the Office of the Inspector General (OIG) to the Department of Justice (DOJ), your program must have effective means of monitoring compliance in high-risk areas. Not only are regulators homing in on this, but the penalties can also be hefty, to say the least.
“For example, if an employee offers a $1 million bribe to get a $20 million contract with a 50 percent margin, the government might demand the company disgorge the $10 million profit on the contract and pay up to three times that amount in fines. This has resulted in excess of a billion dollars in significant matters,” according to Deloitte.
When managing COI in your organization, consider the following, as outlined by the non-profit think tank OCEG.
RUN PROACTIVE CONTROLS
- Policies and training – Use these data points as a guide, not as an end-all. You shouldn’t rely on typical internal processes/controls and training, as the data may be ineffective in detecting or predicting misconduct. Take, for example, an employee who is paying bribes – that’s not something they’re going to come forward and tell the truth about. They could falsify statements or documents, pay off external “witnesses” to tell a different story or try to downplay the impact. While internal training (on anti-corruption, say) is useful for communicating internal protocol and its consequences, training and controls alone do not prevent illegal activity, according to Deloitte.
- Disclosures and declarations
- Decision-making rules and guidance
- Enhanced controls
- Disclosure declinations – Keep track of when employees tell you they don’t have conflicts to disclose. That way, you can easily distinguish between employees without conflicts and those who have yet to make their disclosures, and protect your organization if something goes wrong with easily accessible, auditable records of disclosure and declination history.
ACTIVATE RESPONSIVE CONTROLS – Can you see trends in the structured data? Can you dig to the next layer using unstructured data?
- Incident reports
- Expense reports
- Employee surveys and feedback
MAINTAIN DETECTIVE CONTROL MONITORING
- Investigations and responses
- Source of information that disclosed the COI
Data focus: best practices
- Collect both unstructured (free-form) and structured (picklist) data. Unstructured data will give you a detailed understanding of specific issues or disclosures while structured data allows you to conduct trend analysis and benchmarking.
- Get real-time results. Don’t rely on ad hoc, flat file exports.
- Integrate data systems wherever possible to avoid manual data reconciliation.
- Get alerts when there are threats, anomalies or breaches.
To learn more about COI management, attend the upcoming webinar on Thursday, April 28th hosted by OCEG with speakers from Convercent.