- By Sundar Narayanan
Corporate compliance has been evolving as regulations, enforcement actions, and the expectations of regulators progress. Regulators raise their expectations by setting requirements and standards based on lessons from enforcement. The recent publication of the Department of Justice (DOJ) guidelines for the evaluation of corporate compliance programs is one such effort. The guidelines make clear that the department does not believe in a ‘one size fits all’ approach and only puts across relevant aspects to consider in the respective areas. The guidelines focus not only on the anti-corruption landscape but also on the evaluation of the compliance program at a general level.
The relevant aspects to consider are put across as questions, which a compliance or ethics officer shall consider and evaluate. These questions are mostly open-ended, aiming at deeper introspection from the responder. For instance, a question on risk assessment asks, “Whether the company spends disproportionate time on policing, prioritizing low-risk areas instead of high-risk areas?” Such a question requires layers of responses that address the core issues it raises.
In this post, we consider five areas from the DOJ guidance for a more in-depth analysis, namely: risk management and resource allocation, the role and guidance of gatekeepers, risk-based training, the disciplinary process and consistency therein, and the monitoring mechanism around the investigation process.
Risk management and resource allocation
Risk assessments are aimed at identifying risks and rating them with reference to the level of risk, the impact of the risk, and the probability of occurrence. Organizations perform risk assessments through multiple approaches, including detailed process studies and self-assessment processes. E&C (ethics and compliance) risks in a process are part of the overall identified risk, and a period of compliance monitoring can help in assessing the change in the level of risk, along with the effectiveness of any mitigation.
- Risks can be addressed by accepting, avoiding, transferring, or mitigating them. In theory, a risk that is accepted will have a lower probability but a higher impact. In practice, however, the risks that are transferred and mitigated take up most of the compliance and control monitoring effort, as there is a definitive way in which such risks are addressed.
- Within a given risk, a certain portion may be transferred, a certain portion mitigated, and a certain portion accepted. E.g., the risk of bribery by a third party is the portion accepted, due diligence on the third party is mitigation, and a contractual compliance obligation is a mode of risk transfer. While due diligence and contractual compliance obligations are validated through reviews, the accepted risk may not be tested at all times, due to its inherent limitations.
- Given the resources available to compliance teams, assessing or validating compliance for accepted risks is most often a challenging proposition.
Key pitfalls to avoid:
- Compliance reviews that consider and measure only the effectiveness of mitigated risks while ignoring the other risks, i.e., accepted, avoided, and transferred risks.
- The compliance team treating risks with a low possibility of occurrence as risks with “no” possibility of occurrence.
Role and guidance of gatekeepers
Gatekeepers are personnel within the organization who have a role or responsibility to ensure compliance with a policy or procedure. Gatekeepers may include staff in the compliance, accounting and finance, or HR teams. The guidance seeks to understand whether the gatekeepers are trained and guided about the control activity they have to perform. It also extends to understanding whether they are aware of what to look for (as a red flag) in this process.
- The control expectations are driven by the policy, the procedure, and the SOD (segregation of duties). These control expectations may not necessarily translate into red flags that need to be looked at in detail. For instance, finance personnel may not necessarily enquire why an invoice is raised by a tax-haven entity for a service rendered in India.
- The personnel performing this control activity may not necessarily recognize the implications of not validating certain aspects. In most cases, this is also because of the TAT (turnaround time) under which they work. E.g., a payments team member may not necessarily look for an unusual frequency of reimbursements for one of the sales employees in a government business segment, which would be a focus area for anti-corruption. He/she would look to complete the transactions within the given TAT.
Key pitfalls to avoid:
- Compliance assuming that the compliance requirement is the gatekeeper’s priority.
- Not having risk-driven segregation of transaction processing (for accounting)
Risk-based training
Training is one of the critical activities taken up by compliance teams in driving a program. It includes training at the time of induction, e-learning modules, and other in-person compliance training conducted across the organization. The guidelines attempt to put a perspective on risk-based training and seek clarity on how the decision to undertake a particular mode of training is arrived at.
- An e-learning model is considered a way to extend training while also tracking compliance. Such a model is part of mandated training in many organizations. In most cases, the decision in favour of e-learning is based on reach, ease of access, the ability to track, and the cost associated with it. While many organizations attempt to customize training for different geographies and functions, these efforts are aimed at reach and are not necessarily classified based on the risks involved.
- Organizations also conduct senior management training and awareness communications. Such training is scheduled at regional or functional levels. As in the previous case, risk-classifying the content and the mode of training is a steep task.
Key pitfalls to avoid:
- A one-size-fits-all approach to training across geographies and functions.
- Lack of clearly documented approach/strategy notes that explain the basis for selecting a mode for training.
Disciplinary process and the consistency therein
The disciplinary process includes reviewing the actions recommended out of an investigation and concluding on them. Organizations have either a disciplinary committee or a management representative to anchor this process. A disciplinary committee consists of representatives from multiple functions. The guidelines explore the way the disciplinary process and its decisions work.
- Consistency in decision-making is associated with the nature of the decision or action proposed and also with the timing of such an action. Consistency across geographies on such factors may be challenging for decentralized, geo-specific investigation functions.
- Case management tools may have flags for tracking or analyzing the type of cases and the decisions arrived at. However, even for cases that have been “substantiated” or “partially substantiated,” a variety of factors could determine the resulting action (termination, warning letter, cancelling an increment or progression, counseling, etc.).
- Further, in several organizations, there may not be a structured culpability matrix to guide decision-making associated with the disciplinary process. A culpability matrix helps identify the type of action that is most appropriate for the type of outcomes of an investigation.
Key pitfalls to avoid:
- Lack of tangible evidence of misconduct by senior people becomes a bottleneck in taking action against them. While deciding on disciplinary action, companies should consider examining the role of such senior management personnel and their awareness of the issue in question, or even the possibility of such awareness.
- Lack of a centralized approach for proposing disciplinary action (regional actions/approaches).
- Inadequate analysis of case trends and the relevant evidence to gain perspective on precedents.
Monitoring mechanism around the investigation process
Companies do have a threshold for the lead time of an investigation and a reporting mechanism around that threshold. Many companies consider a threshold of 45 days on average a reasonable time frame for closing investigations. This is followed by the tracking of actions, including the disciplinary and process recommendations coming out of the investigations.
- Disciplinary actions are tracked to a large extent by companies and are also part of the reporting requirement to the board. However, process recommendations and recommendations to the function, meant to prevent or detect future occurrences, may not necessarily feature in trackers or management reports.
Key pitfalls to avoid:
- Lack of documented process recommendations shared with functions/business, based on the investigations that were concluded.
- Lack of quarterly feedback sessions with functional/business heads to share how trends in ethics and compliance violations evolve in their function, and to expect them to put in place measures to address or prevent them.
In summary, some of the expectations laid out in the guidelines are in the right direction and require more focused efforts by an organization to enhance its compliance quotient. However, each of these efforts would have to wade through a stream of challenges. An attempt to avoid these critical pitfalls, as an organization proceeds towards raising the effectiveness of its compliance program, can be a good start.
The author is Director-Forensics at SKP Business Consulting LLP. Views expressed are the author’s personal.