The Justice Department's new guidance about how it will evaluate corporate compliance programs takes the form of questions its prosecutors would typically ask about a corporate compliance program during an investigation.
These questions are a welcome addition to the resources compliance officers can use when building programs themselves. The questions are specific and detailed, and span the issues chief compliance officers need to tackle.
One issue, however, stands above the rest: Policies and Procedures. Covered in Section 4 of the guidance, the topic into two sub-sections: one about the design and accessibility of the company's policies. Another about how the policies are integrated into the company’s daily operations.
The Justice Department is clearly sending compliance officers a message with this section -- not so much what prosecutors want compliance programs to do, but rather the behaviors prosecutors want to see. Let’s take a look.
First, think about how your policies are created (Section 4a). The guidance asks several questions about how policies are created, and specifically whether people in the operating units were consulted prior to drafting a new policy.
It asks about whether policies and procedures actually work to discourage the misconduct in question, and whether gatekeepers (for example, the supervisors who review and approve payments) have received clear guidance on how to put policies into practice.
These questions aren’t trying to determine whether an organization has a policy regarding a specific behavior, e.g. prohibiting bribes to foreign government officials. They are instead trying to determine whether the company has geared its operations to discourage improper payments to foreign government officials.
The distinction is important. If the compliance program drafts a policy that essentially says, “This type of conduct is now forbidden as directed by law” -- that’s nothing more than compliance bolted on to the end of your business processes. It’s a checkpoint at the end of the road employees travel to close a piece of business.
And checkpoints at the end of a journey often become something to be evaded, ignored, tolerated or overruled, when they appear. That’s not how effective compliance officers want their programs to be seen.
An effective policy doesn't just forbid misconduct; it guides employees to good conduct. That means it must reflect and acknowledge the company’s natural business processes, insert controls only where appropriate, and give employees the tools they need to comply.
In short, an effective compliance policy matches regulatory requirements to the work flow of the “activity owner” (read: human being) and embeds the desired goal throughout the whole process.
Second, think about how employees are empowered to carry out transactions (Section 4b). This part of the guidance asks questions about policy management and probes at details like: How was the misconduct in question funded? Did employees in a position to approve payments know how to identify questionable payments? How were policies rolled out, so employees would know what’s expected of them?
These questions seek to determine how a company “operationalizes” its policies and procedures: how the company embeds the goals of its policies into the sequence of steps necessary to do some task within the business.
The guidance focuses on improper payments, but the principles in the guidance hold just as true for any compliance goal. By unraveling a process into its component steps, these questions are trying to determine whether the company understood where its risks were -- and then, how the policies and procedures try to intercede and mitigate those risks.
The ability to show a logical sequence is what regulators want to see. The questions in the new guidance are intended to help the Justice Department assess that logical sequence.
* * *
Implicit throughout the new guidance is this question: Why were certain processes developed and used?
A well-constructed policy and procedures framework can go a long way towards illustrating the logic behind a compliance program. In a perfect world, the policies and procedures themselves would be strong enough to prevent transgressions in the first place. Here in the real world, they can at least demonstrate that misconduct was due to a truly rogue employee, rather than careless business processes.
Randy Stephens, pictured above, is a Vice President with NAVEX Global’s Advisory Services team. A lawyer and compliance specialist, Randy has worked in roles with legal and compliance responsibility for over 30 years, including operations in Mexico, China and Canada.