Compliance beyond the corporate perimeter: Department of Justice guidance on evaluating compliance program effectiveness emphasises third-party due diligence
Is your corporate compliance program up to scratch? That question will be top of mind for global organisations as they analyse recent guidance from the U.S. Department of Justice (DOJ) on evaluating the effectiveness of compliance programs. The detailed guidance explains the features of robust compliance programs, highlighting factors from the importance of Board-level engagement to third-party due diligence.
A strong compliance program is good for business. It demonstrates ethical operations and helps manage financial, strategic, operational and reputational risk. One of the most tangible benefits, however, is the role compliance plays in meeting regulatory obligations.
This DOJ guidance is designed for prosecutors investigating cases brought under legislation such as the Foreign Corrupt Practices Act (FCPA). Under the related Corporate Enforcement Policy, companies demonstrating an effective program at the time of the infringement, or one that has been established since, may be offered leniency in the form of reduced fines or lower monitoring requirements.
The cross-border reach of the FCPA and the growing trend of collaboration between international enforcement agencies mean that businesses worldwide need to know what “effective” looks like, both to prioritise a culture of ethical operations and to minimise penalties for misconduct.
“Fundamental questions” to evaluate compliance program effectiveness
The DOJ guidance focuses on what it terms “three fundamental questions” that indicate a compliance program is functioning as a strong ongoing control over the risk of corporate corruption:
1. Is the corporation’s compliance program well-designed?
The program must accurately reflect the risks associated with the business. Policies and procedures must be comprehensive and consistently applied. Employees should receive training that uses relevant examples and should have access to a confidential system for reporting abuses. Misconduct reports must be investigated by a competent, well-resourced team. Crucially, the guidance states that “a well-designed program should apply risk-based due diligence to its third-party relationships…and comprehensive due diligence of any acquisition targets.”
2. Is the program being applied earnestly and in good faith?
Commitment to compliance must start with the Board, supported by senior and middle management. Appropriate resources and well-qualified personnel should be devoted to managing compliance and they should have the authority to act with autonomy. Incentives and deterrents should be in place to encourage compliance and ethical behaviour.
3. Does the program work?
The guidance recognises that the existence of misconduct does not mean that a program was ineffective. Investigators will explore how the misconduct was detected, what root-cause analysis has taken place and what remedial action has been carried out. Evidence of audit, testing, investigations and accountability is taken into account.
Third-party risk management
The DOJ guidance is very clear that an effective compliance program extends beyond the corporate perimeter.
Global businesses do not operate in a vacuum, but in an ecosystem of thousands of interconnected customers, partners and suppliers across multiple geographies. Each has the potential to introduce risk to an organisation, and the company has explicit responsibility to identify, monitor and control that risk. Third-party risk management is a challenging aspect of anti-corruption compliance because it involves entities beyond the organisation’s direct control.
The FCPA blog notes that “Almost one in two enforcement actions concluded since the OECD Anti-Bribery Convention came into force in 1999 was the result of bribery through sales agents, intermediaries, distributors or brokers.”
The DOJ guidance emphasises that the organisation must understand the qualifications and associations of third-party suppliers and agents, particularly as these relate to foreign officials. There must be a clear business rationale for engaging with the third party and robust visibility of relationships and associations.
A variety of tools can be used to achieve this, ranging from subjective methods, such as supplier questionnaires and interviews, to objective ones, such as using independent intelligence platforms to access global data about the organisation and screening prospective partners against watchlists and politically exposed persons (PEPs) lists. A strong compliance team needs to employ both internal and external sources to verify third-party claims and uncover any links or weaknesses that could pose a risk.
It is also important to recognise that third-party risk is constantly evolving. Compliance teams must establish a system of continuous monitoring that raises red flags as new risks are identified.
With complex supply chains and partner numbers in the thousands, this is a significant piece of work, and organisations need to be efficient in allocating resources to the task. By taking advantage of automated risk monitoring where possible, the burden on compliance teams can be reduced and time freed for higher-value activities.
Setting the compliance bar high
The DOJ guidance provides excellent clarification on what is expected of today’s global corporations, leaving little doubt that compliance must be a watchword that starts with the Board and extends out through the partner and supply chain ecosystem. Implementing an effective corporate compliance program that covers third-party risk is a challenging undertaking, but with appropriate resources and tools, organisations can reap commercial benefits while reducing regulatory exposure.