Rich Kando and Sean Dowd are Managing Directors, and Robert Coffey is Director at AlixPartners. This post is based on their AlixPartners memorandum.
I. Introduction
Business leaders of companies operating outside of the financial services industry (“corporates”) are more frequently asking their legal and/or compliance departments a variation of the following question: “Is our company’s compliance program good enough?” This is a simple question with a complicated answer, and there is no one-size-fits-all approach. However, there are certain attributes, based on previous Department of Justice (“DOJ”) resolutions and our historical compliance experience, that are necessary for a compliance program to be “good enough.” “Good enough” sets a floor that corporates will want to meet or exceed as their compliance programs mature.
This question is discussed more often because of (1) the September 2022 release of additional guidance from the DOJ regarding corporate criminal enforcement policies and (2) recent actions by the DOJ against corporates. We evaluate these two items, as well as how to enhance a corporate’s compliance program to be “good enough,” leveraging the framework outlined in a June 2020 DOJ publication regarding the evaluation of corporate compliance programs (the “DOJ Compliance Guidance”).
II. Context for the question posed by senior leaders
In September 2022, Deputy Attorney General Lisa Monaco spoke about, among other things, weakness in the compliance culture and companies with historical criminal enforcement actions. The DOJ also released a memorandum with the subject line of “Further Revisions to Corporate Criminal Enforcement Policies Following Discussions with Corporate Crime Advisory Group” (the “Monaco Memo”). Certain items covered in the Monaco Memo may be beyond the current control of a company and its compliance department, but other aspects, in combination with the DOJ Compliance Guidance issued in June 2020, provide a roadmap for a corporate compliance program to reach “good enough” status. For example, the Monaco Memo provides additional detail on how the DOJ will evaluate a company’s history of misconduct, and that history cannot be managed by the corporate compliance department currently in place.
There is also evidence available in past criminal enforcement actions regarding what the DOJ views as important. The table below outlines four recent criminal enforcement actions against corporates:
Company | Summary of Action | Corporate Compliance Issues |
Lafarge SA, a French cement company. Paid $778,000,000. October 2022 resolution | Paid millions of dollars to the Islamic State and the Nusra Front to allow the company’s business operation in northern Syria to continue operating during the country’s civil war | Lafarge SA’s senior executives participated in and concealed payments to terrorist organizations, demonstrating a failure of its corporate culture and “tone at the top”; Lafarge lacked a robust anti-corruption compliance program, including an adequate anti-corruption policy and employee training; Lafarge failed to monitor business communications on non-firm devices and communications platforms which employees used to discuss and execute the scheme; and lack of M&A due diligence by Holcim during its merger with Lafarge failed to uncover the illicit payments. |
Stericycle Inc., an international waste management network. Paid $84,000,000. April 2022 resolution | Resolved parallel investigations by authorities in the U.S. and Brazil in the bribery of foreign officials in Brazil, Mexico, and Argentina | Stericycle engaged in extensive remedial measures, including commencing remedial measures based on internal investigations of the misconduct prior to the commencement of the Government’s investigation, strengthening its compliance organization by hiring additional compliance personnel, including an experienced new Chief Ethics and Compliance Officer who reports directly to Stericycle’s Chief Executive Officer and Chair of the Audit Committee of the Board of Directors, updating its code of conduct, policies, procedures and internal controls, enhancing its internal reporting, investigations and risk assessment processes, and overhauling its compliance training and communications. |
SAP SE, a global software company. Paid $8,000,000. April 2021 resolution | Fined for thousands of illegal exports of its software products to Iran | SAP implemented significant changes to its export compliance and sanctions program, including (1) implementing GeoIP blocking, (2) deactivating thousands of individual users of SAP cloud-based services based in Iran, (3) transitioning to automated sanctioned party screening of its Cloud customers, (4) auditing and suspending SAP partners that sold to Iran-affiliated customers, and (5) conducting more robust due diligence at the acquisition stage by requiring new acquisitions to adopt GeoIP blocking and requiring involvement of the Export Control Team before acquisition. |
G4S Secure Solutions NV, a security firm. Paid $15,000,000. October 2021 resolution | Fined for role in a conspiracy to rig bids for defense-related security services. | G4S failed to oversee the competitive bidding process for military contracts. G4S compliance failures included a lack of monitoring and lack of a comprehensive antitrust compliance policy and regular antitrust training for employees. Due to the undetected employee misconduct, employees were able to conspire with competitors and submit artificial, non-competitive bids to allocate customers, rig bids, and fix prices for certain contracts. |
All four actions reference enhancements necessary for policies and/or procedures. Three actions reference enhancements for training, two cases reference poor pre-acquisition due diligence, and one matter references a failure of corporate culture.
III. Enhancing a compliance program to be “good enough”
Before answering what is “good enough”, we will discuss the difference between being “good enough” and being “great” at compliance. The appendix below details the attributes of a “Good” and “Great” compliance program. In our experience, the difference between “good enough” and “great” is expensive and turns primarily on two measurable items: (1) the depth and/or frequency of compliance processes and (2) the risk management culture of the company. Both items can be developed (and evaluated) using gradual scales and can be updated to meet the changing needs of a corporate. “Good enough” as a goal may be better than “great” for many corporates because a goal of achieving a “great” program can stifle realistic progress due to the pursuit of perfection. Said another way, perfection should not be the enemy of the good (enough).
One may point to the development of complex technology and deployment of digitalization initiatives as the hallmark of a successful program. However, this approach shows a misunderstanding of the key components that need to be in place before the benefits of machine learning, predictive analytics, and increased digitalization can be realized for a “great” compliance program. Secondly, an appropriate risk-management culture can provide a safety net for a corporate that may have an evolving compliance program. Creating an effective risk management culture, where employees are held to clear behavioral expectations and are encouraged to raise issues and concerns within the course of their work, can help bring to light compliance failures or misconduct before they balloon into larger issues. If issues are identified which require disclosure to the DOJ, it positions the company to potentially benefit as the Monaco Memo specifically states that, “absent the presence of aggravating factors, the Department will not seek a guilty plea where a corporation has voluntarily self-disclosed, fully cooperated, and timely and appropriately remediated the criminal conduct.”
We outline below examples of what could make a compliance program “good enough” using the DOJ Compliance Guidance from June 2020 as our framework.
A. Design of the Compliance Program
The first question posed by the DOJ Compliance Guidance is, “[i]s the corporation’s compliance program well designed?” Leaders must first focus on establishing basic key program components, and this requires an understanding of the risks posed to the corporate and associated with its employees, stakeholders, and activities. For a compliance program to be “good enough”, it must be risk-based; a risk assessment allows a corporate to provide evidence to support its risk-based decision-making.
Corporates must also have documented policies and procedures. For corporates with less mature compliance programs that have not experienced a specific compliance-related event, we recommend those policies and procedures be documented at a high level (including those relating to third-party risk management and pre- and post-acquisition due diligence). Of course, there should be statements about what is required of employees and stakeholders (and potentially what will not be tolerated), but the operational processes may evolve over time and documentation should allow for that flexibility until processes become more mature.
Corporates of any significant size with “good enough” compliance programs have mechanisms in place to allow for employees to report concerns confidentially and/or anonymously. Corporates with evolving compliance programs also usually execute annual compliance training for all employees to establish a compliance baseline. Many corporates use the annual training to promote the ability of employees to use a confidential reporting mechanism to report concerns. As compliance programs mature, additional role-based training may be necessary (e.g., training for the sales force operating in countries of higher corruption risk).
B. Compliance Resourcing and Culture
The second question posed by the DOJ Compliance Guidance is, “[i]s the program being applied earnestly and in good faith? In other words, is the program adequately resourced and empowered to function effectively?” To address this question, leaders must focus on demonstrating a commitment to a culture of compliance, including aligning employee incentives, such as compensation, bonuses, and other non-financial incentives (e.g., office space, parking spots, lunch with the CEO), with good behavior. Additionally, this is specifically referenced in the Monaco Memo where it states, “Corporations can help to deter criminal activity if they reward compliant behavior and penalize individuals who engage in misconduct. Compensation systems that clearly and effectively impose financial penalties for misconduct can incentivize compliant conduct, deter risky behavior, and instill a corporate culture in which employees follow the law and avoid legal “gray areas.””
Corporates with a “good enough” culture of compliance develop evidence of that culture and how it is promoted (sometimes referred to as tone at the top). This includes not only disseminating messaging about the importance of compliance, but also demonstrating the appropriate behaviors expected of all employees. An example of this is ensuring leaders and middle managers complete their compliance training and remind employees to do the same.
Corporates with evolving compliance programs should continue to evaluate the budgetary needs of the compliance function and consider if their compliance program has the adequate stature and authority within the organization to act as needed. To evidence the stature of the compliance program, some companies choose to establish a direct reporting line for the leader of the compliance program to the CEO or Chief Legal Officer. Stature could also be evidenced by compliance holding regular standing meetings with senior leaders to ensure compliance risks are known and considered when key business decisions are made.
C. Execution of Mandate
The third and final question posed by the DOJ Compliance Guidance is, “[d]oes the Corporation’s compliance program work in practice?” To address this question, companies with a “good enough” compliance program know that the program will have to continue to evolve with the business and mature over time. This generally occurs through continued risk analysis, testing of relevant controls, and investigating and responding to investigative matters.
An annual risk assessment is a key attribute of a strong compliance program. It serves as a reminder for the compliance and business teams to “take stock” of any changes in business operations and conduct risk-based testing of controls to understand whether important controls are working effectively. Corporates should continue to evaluate and evolve their compliance programs as they learn from past events, enter new markets, or expand their employee footprint.
Leaders should also focus on the timely and thorough investigation of any allegations or suspicions of misconduct by the company or its employees. The company should conduct a root cause analysis of the incident and appropriately remediate the issues identified in a timely manner when an investigation confirms misconduct occurred.
IV. Conclusion
The DOJ Compliance Guidance from June 2020 provides some flexibility for the enhancement of a compliance risk management program, but there are certain foundational elements that are required for a program to be “good enough”, including a risk assessment, documented policies and procedures, and a focus on continuous improvement. Only after ensuring the foundational elements are in place should a company begin thinking about developing a “great” compliance program, which will require longer-term sustained effort and significant resourcing.
Appendix: Attributes of a “Good” and “Great” Compliance Program
The table below outlines attributes of a “good” and “great” risk management and compliance program leveraging the DOJ Compliance Guidance as the framework for evaluation. Practically, a strong risk management and compliance program may include attributes from both the “good” and “great” columns as the program will need to be tailored to the corporate and the risk it faces. The table is based on the collective experience of our consultants who have worked on teams that assisted companies with the enhancement of compliance programs and served in compliance and in-house risk management roles. The appendix also assumes that any legal requirements regarding the setup of the compliance program for a particular corporate, such as establishing and maintaining a hotline pursuant to the 2003 Sarbanes-Oxley Act, have been met.
Evaluation of Corporate Compliance Programs (Department of Justice, June 2020)
Component Area | Component | DOJ Expectation | Good | Great |
Compliance Program Design | Risk Assessment | · How the company has identified, assessed, and defined its risk profile, and the degree to which the program devotes appropriate scrutiny and resources to the spectrum of risks | · Understanding of the laws, rules, and regulations the firm and employees must adhere to · Annual risk assessment process to evaluate the risks facing the firm and the effectiveness of controls to offset those risks · Issues identified via the risk assessment process are tracked, remediated, and used for business planning activities | · Documented inventory of the laws, rules, and regulations the company and employees must adhere to. Proactively identify upcoming rule changes and relevant enforcement actions to understand how they impact the company’s risk profile · More often than annual/trigger-based risk assessment process to evaluate the risks facing the organization in a dynamic, ongoing way. Issues identified are tracked and remediated in a timely manner. Risk assessment results are utilized for resource planning (ex. hiring, IT spend) · Application of a “lessons learned” process that reviews internal and external events to identify remediation activities |
Compliance Program Design | Policies and Procedures | · Policies and procedures that give both content and effect to ethical norms and that address and aim to reduce risks identified by the company as part of its risk assessment process | · Policies and procedures are documented at a high level (including those relating to third-party risk management and pre- and post-acquisition due diligence), are accessible by all employees, and periodically reviewed for changes (at least annually) · Violations of policies and procedures are addressed when they occur | · Policies and procedures are clearly written and document the spectrum of risks the organization faces, including guidance regarding applicable laws, rules, and regulations the firm and employees must adhere to. Policies and procedures are readily available and accessible by all employees in a centralized, searchable repository · Centralized policy and procedures design process · Violation disciplinary process is documented and consistently applied. Violations and disciplinary actions are documented in a centralized repository for analysis |
Compliance Program Design | Training and Communications | · Steps taken by the company to ensure that policies and procedures have been integrated into the organization, including through periodic training and certification | · Training curriculum developed to communicate the Firm’s policies and procedures and employee expectations · Reference in training regarding how to raise ethical concerns · Attendance/completion of training is tracked · Avenue exists for employees to ask questions and raise concerns about training content and ethical considerations · Annual communication from senior leadership regarding the importance of risk management, compliance, and training | · In addition to clearly communicating the Firm’s policies and procedures, training and communication activities are risk based, informed by the Risk Assessment and Lessons Learned programs, and include case studies and real-life examples of policy violations. Training includes consequences for misconduct · Training courses are documented and tracked to 100% completion in a centralized learning management system · Courses are a mix of in-person and computer-based training modules · Training courses include an employee assessment to ensure content is understood · Role-based training is available for riskier areas of the business |
Compliance Program Design | Confidential Reporting Structure and Investigation Process | · The existence of an efficient and trusted mechanism by which employees can anonymously or confidentially report allegations of a breach of the company’s code of conduct, company policies, or suspected or actual misconduct | · Formal ethics program and process for employees to report potential violations of laws, regulation, internal policies and procedures or general misconduct issues · Reports are tracked, investigated, and responded to in a timely manner by appropriate and independent resources (ex. HR, Legal, Risk, Compliance) · Clearly defined anti-retaliation policy | · Reporting platform is available to employees and other outside stakeholders (ex. vendors, clients, etc.) and reports can be submitted anonymously, if so desired. Platform includes a telephonic and a web-based reporting option. Company utilizes a third-party provider to ensure confidentiality of reports · Investigations are tracked, independently investigated by qualified personnel, and responded to in a timely manner. Investigation outcomes are analyzed for thematic trends and reported to senior leaders or committee for awareness |
Compliance Program Design | Third Party Management | · Apply risk-based due diligence to its third-party relationships… assess the extent to which the company understands the qualifications and associations of third-party partners | · Vendor management and procurement processes that assess the business rationale for use of a third party · Periodic reviews of third-party relationships to ensure misconduct is not occurring and any reputational due diligence issues are identified and mitigated · Anti-bribery and anti-corruption expectations are documented in policies and procedures | · Third-Party Risk Management program established to evaluate new third-party relationships and monitor existing relationships (including whether the third party is being appropriately compensated for the work performed) · Third-Party specific training, policies, and procedures for relationship managers with an emphasis on internal anti-bribery and anti-corruption policies · Evaluate ongoing performance of third parties, including monitoring for red flags and, if identified, take appropriate actions, up to and including termination of the relationship |
Compliance Program Design | Mergers and Acquisitions (M&A) | · Comprehensive due diligence of any acquisition targets, as well as a process for timely and orderly integration of the acquired entity into existing compliance program structures and internal controls | · Establish a pre-M&A due diligence process to understand the risks associated with an acquisition target · Post-acquisition, ensure the timely integration of the entity into the existing risk management structure (including training) and evaluate and monitor new business risks that may arise due to the acquisition · Conduct remediation for newly identified issues as necessary | · Post-merger integration plan includes specific steps for risk and compliance functions · Post-acquisition audit and testing to evaluate and remediate any control environment deficiencies that may exist |
Resourcing and Empowerment | Commitment by Senior and Middle Management | · The effectiveness of a compliance program requires a high-level commitment by company leadership to implement a culture of compliance from the middle and the top | · Senior leaders and managers create an effective “Tone at the Top” by demonstrating the appropriate behaviors expected of all employees · Senior leaders and managers, through their actions and words, encourage compliance and discourage misconduct, and communicate the importance of adhering to policies and procedures · Senior leaders and managers consider compliance risks when formulating business strategy | · Senior leaders and managers do not tolerate unmanageable compliance risks in the pursuit of new business or increased revenue and are rewarded for their commitment to risk and compliance initiatives in the face of competing interests and business objectives · Senior leaders and managers identify “culture carriers” at all levels to hold up as examples of good behavior to be modeled · Senior leaders and Boards of Directors receive relevant management information to evaluate the risk posture of the Company and examine instances of misconduct |
Resourcing and Empowerment | Autonomy and Resources | · Effective implementation also requires those charged with a compliance program’s day-to-day oversight to act with adequate authority and stature | · Compliance function is established within the organization and personnel have appropriate experience and qualifications to fulfill their responsibilities · Sufficient staffing and funding available and commensurate to the risk profile of the company · Data access and IT resources are available to fulfill compliance’s oversight and challenge mandate · Company actively manages and oversees any outsourced compliance functions | · Compliance function is established, including appointment of a Chief Compliance Officer, who is included in key business strategy discussions and helps guide Firm strategy (reporting line to CEO/Chief Risk Officer/Chief Legal Officer) · Risk and compliance resource needs are considered before embarking on new business initiatives or business strategy shifts |
Resourcing and Empowerment | Incentives and Discipline | · Establishment of incentives for compliance and disincentives for non-compliance | · Defined disciplinary process with participation from appropriate stakeholders/business areas · Compensation and incentives, both financial and non-financial, align with good behavior | · Discipline is consistently applied across the company and recidivism is considered when determining disciplinary consequences · Root cause of misconduct is analyzed, and themes identified are reported to senior leaders and managers for remediation · Company considers an employee’s behavior before awarding incentives and utilizes cancellation and clawback contract provisions to recoup incentives/compensation if they are earned due to misconduct · Company considers non-financial risks when making changes to the Corporate’s incentive and compensation structure |
Execution of Mandate | Continuous Improvement, Periodic Testing and Review | · Effective compliance programs have the capacity to improve and evolve… A company’s business changes over time, as do the environments in which it operates, the nature of its customers, the laws that govern its actions, and the applicable industry standards | · Established cadence for conducting risk assessment activities and updates to policies and procedures · Control testing performed periodically to ensure the control framework is performing effectively, and if not, remediation plans are developed · Audit function performs audits on non-financial risk management program and processes · Basic dashboard tracking key risk and performance indicators and trends | · Culture of compliance is measured and evaluated on an ongoing basis; employees of all levels are engaged to determine their perception of senior leaders’ and managers’ adherence to compliance best practices · Risk-based control testing is performed on a periodic basis to evaluate the effectiveness of controls; control testers have access to all necessary employees and data sources · Control testing results are tracked in a central repository, findings are analyzed to identify thematic issues and guide remediation actions, and program findings are reported to an established risk and compliance oversight committee and senior leaders and managers · Program progress and findings are reported to a senior oversight committee (e.g., Board Audit Committee) · Advanced dashboards tracking key risk and performance indicators and trends in close to real time and leveraging machine learning/predictive analytics |
Execution of Mandate | Investigation of Misconduct | · The existence of a well-functioning and appropriately funded mechanism for the timely and thorough investigations of any allegations or suspicions of misconduct by the company, its employees, or age | · Investigators are appropriately qualified and independent to conduct the review · Defined scope of investigation is appropriate for the incident and the investigation is properly documented · Findings of investigations are reported and actioned as appropriate | · See below |
Execution of Mandate | Analysis and Remediation of Misconduct | · Extent to which a company is able to conduct a thoughtful root cause analysis of misconduct and timely and appropriately remediate to address the root causes | · Root cause analysis performed to determine if systemic issues exist; weak or failing controls are identified and remediated | · Analysis of misconduct information is performed to identify thematic issues and potential pockets of misconduct · Analysis of misconduct incidents is performed to identify recidivist employees, underperforming supervisors/managers, and underperforming business areas for review |