Decades to Build, Seconds to Destroy: Proactive Compliance to Avoid Enforcement Action

How Proactive Compliance Reduces the Risk of Governmental Enforcement Actions

It can take decades to build a business, but only seconds to destroy its reputation.

When tasked with avoiding a government enforcement action, many organizations start with the question, “How much is this going to cost me?”

To be sure, creating a demonstrably effective compliance program is no small order, and maintaining that program can be even trickier. However, there’s an even more important piece of information to consider:

If you think compliance is expensive, try non-compliance. – Former US Deputy Attorney General, Paul McNulty

The costs go beyond dollars and cents, too. When the Department of Justice (DOJ) raids an organization’s office, the fear it instills in employees is immeasurable. There are also reputation-based costs to consider — once confidence in a brand and what it stands for is eroded, it’s incredibly hard to fix that image, especially in today’s hyper-connected society. This mistrust infiltrates the organization, customers’ perceptions, and can even erode stock values.

On November 29, 2017, the Department of Justice released its new Corporate Enforcement Policy for prosecutions of corporate cases under the Foreign Corrupt Practices Act (FCPA). This policy is an extension of the 2016 FCPA Pilot Program, providing companies with incentives to self-report, cooperate, and remediate. The new policy has gone further than the pilot program by granting “a presumption that the [qualifying] company will receive a declination absent aggravating circumstances …”

That’s why taking a proactive approach to government actions is absolutely vital. Even if the government moves toward an enforcement action on your organization, having a comprehensive and effective compliance program in place can mean the difference between a staggering fine and a declination.

In recent years, in line with the updated policy, we’ve noticed that more U.S. companies are receiving non-prosecution or deferred prosecution agreements, all because they could show that they have effective programs and have undertaken other concrete actions.

In fact, governments around the world are increasingly looking for alternatives to settling regulatory cases. When determining their course of action, they’ll look at the company’s ethics and compliance program as a means of judging whether a company will be subject to more serious and costly sanctions… and they want to see something that does more than just “check the box”.

What leads to a government enforcement action?

One common trait companies that have experienced enforcement actions seem to share might be surprising to some: There is a workforce that is afraid to speak up. Employees are hesitant to report misconduct, they don’t have faith and confidence in their senior leadership, and this fear permeates throughout the entire organization.

This is one of the reasons hotline metrics aren’t particularly helpful when trying to assess a compliance program, and why third party metrics are critical. The DOJ wants to see objectivity, and here are some of the key metrics they assesS include anti-corruption controls, plus the corporate ethics and compliance program, which includes a focus on:

  • High Level Commitment: Are the company’s senior-level officials dedicated to maintaining an effective compliance program, and what actions have they taken to instill that commitment into the company culture?
  • Policies and Procedures: Are they understandable, and are employees reading them? Regarding the code of conduct, was it written by a law firm for lawyers, and is it applicable to the workforce? Your code of conduct is the “window to the soul” of your company — don’t neglect it.
  • Periodic Risk-Based Review
  • Proper Oversight and Independence: Is the Chief Compliance Officer independent, do they report directly to the Board, and do they have access to the Board and CEO?
  • Training and Guidance: Is there a mix of live and online training that cascades down the organization, including real-world examples that employees can learn from
  • Internal Reporting and Investigations: Companies must have an investigations policy and written process in place.
  • Enforcement and Discipline: Are these factors consistent across the organization, or is preferential treatment doled out?
  • Third-Party Relationships: This is one of the biggest, and toughest, areas of compliance. To what extent are suppliers, vendors, joint venture partners, and others being vetted?
  • Mergers and Acquisitions: Oftentimes, there’s poor integration of companies after a M&A event, so there must be a plan for culture integration.
  • Monitoring and Testing: Investigators also want to see the company’s own monitoring and testing of compliance within the organization.

If it sounds like a lot to consider, that’s because creating and maintaining the type of compliance program that will keep the government from knocking at your door isn’t easy (especially if your tools aren’t integrated, or you’re stuck using Excel to manage everything). Taking a proactive approach makes this task immeasurably easier and more efficient.

Taking a proactive approach to government actions

When the Department of Justice’s Corporate Enforcement arm scrutinizes an organization, they’re looking for demonstrably effective compliance programs. Many organizations have the elements of an ethics and compliance program, like a code of conduct and policies and procedures documentation, but regulators are asking questions that go well beyond paperwork.

This is why organizations absolutely must get their programs in working order before the government ever comes knocking at their doorstep.

The Department of Justice Corporate Enforcement Policy states:

  • If a company voluntarily discloses wrongdoing, the DOJ will not require appointment of a monitor if the company has implemented an effective compliance program.
  • There will be an evaluation to determine whether there is an appropriate compliance program, and the hallmarks of an effective compliance and ethics program include:
    • Fostering a culture of compliance,
    • Dedicating sufficient resources to compliance activities, and;
    • Ensuring that experienced compliance personnel have appropriate access to management and to the board.

What is an effective ethics and compliance program?

Effective is the key phrase that regulators investigate, but do you know what that truly means? Even if you’ve read the official enforcement policy, it’s not always clear what everything looks like in practice.

When asked how they know if their compliance programs are effective, many companies will say something like, “Hotline calls are down, so we know it’s working.”

But let’s take a closer look at that assertion: Are calls down because there are fewer incidents to report, or because employees are afraid to report wrongdoings? Are calls down because the hotline interface is difficult to use? Or, perhaps employees think that reporting an incident won’t lead to any solutions.

So, how do you prove that a compliance program is effective? The right tools and technology simplify the process, and some companies even engage Independent Monitors (this is particularly common amongst companies who have settled a deferred prosecution agreement (DPA) or have negotiated a resolution through a Civil Settlement or Administrative Agreement with a Government Agency), but proactive, voluntary monitoring is also an option.

Engaging an Independent Monitor to demonstrate proactive compliance

When an Independent Monitor (like Affiliated Monitors) assess an organization’s compliance efforts, these are the tools they might use:

Employee focus groups and interviews

These employee-led interviews illuminate things the company may not know about, such as culture, training, reporting, trust, and credibility. Individual interviews show what types of processes are being used and whether compliance efforts are truly independent.

Ethics surveys

These surveys represent another method of measuring culture and awareness. There’s a massive emphasis on corporate culture, employee concerns over retaliation, comfort level in raising concerns, and other related topics.

Fraud risk assessment

This type of assessment helps management identify and understand weaknesses in the business, with the goal of developing an action plan to reduce those risks and prevent fraud.

Incident response

Here, the goal is to determine if there is consistency and fairness in disciplinary actions. In some instances, top performers or those with connections to management are protected from disciplinary action, and the DOJ won’t look kindly upon that type of environment.

Using Independent Monitoring to develop best practices

These are just four of the tools that can be used, though many others exist. At its core, the goal of Independent Monitoring is to develop an organizational program that adheres to best practices for a company of your size, industry, and location.

If you think your company might benefit from this type of proactive compliance planning, we recommend getting in touch with Affiliated Monitors to learn more.

Using cloud technology for benchmarking, issue tracking, and improving efficiency

Convercent’s Cloud solutions represent one of the most powerful tools available to help you fight the good fight, and our powerful suite of software supports companies in their ethics and compliance efforts. These solutions can help align compliance and ethics programs with corporate culture, all while reducing the likelihood of ever being involved with governmental agencies.

For example, Convercent Insights pull data internally and externally to help you understand what’s going on within the organization, making it much easier to maintain a proactive compliance program. The hotline and case management system features streamline the process of identifying misconduct and trends, and you can even outsource your whistleblower hotline if needed.

Corporate culture and the risk of misconduct

As ethics and compliance professionals, our goal isn’t just to understand individual behavior. We must also ask why good people are making bad decisions.

Is the culture conducive to allowing this behavior to occur?

The most commonly known way to analyze this is with the Fraud Triangle, which offers a framework we can use to identify high risk populations that are more likely to engage in misconduct:

  • Pressure: This includes both internal pressure within the organization, and external pressures regarding factors like emotions, personal finances, and much more.
  • Opportunity: Are there opportunities for people to act unethically? These could be loopholes in process and controls, little oversight, and similar issues.
  • Rationalization of Behavior: Do employees have a means of justifying their behavior? Employees who feel they’re undervalued, aren’t paid enough, won’t be noticed, and a myriad other sentiments are more likely to make bad decisions.

The Fraud Triangle is useful, but I think we need to add another section to make it a “Misconduct Square”: Additional external pressures due to the company culture. Assessing this involves asking questions like, “Is the culture conducive to allowing this behavior to occur?” and, “Do employees think we value ethics within the company?”

Analyzing data about your compliance program

And, like so much else within compliance, you need data to answer these questions and make an action plan. With an integrated tool that puts all of your data under one roof, pulling this data is an efficient process, so you can spend more time coming up with a game plan.

Learn more about the Convercent Ethics Cloud Platform here, and don’t hesitate to reach out to us with any questions. We’re more than happy to help you understand all of the options available so that you can make the best decision for your organization.

To learn more about avoiding government enforcement actions through proactive compliance, you can also listen to this insightful webinar. In the webinar, Convercent’s Autumn Sanelli (Global Director Solution Consultant) and Eric Feldman, Senior Vice President and Managing Director at Affiliated Monitors, provide a deeper look into the topic.