The Department of Justice Fraud Division released the Evaluation of Corporate Compliance Programs in the middle of February without any announcement or fanfare. Is it a checklist? It looks like a checklist, but the DOJ says it’s not a checklist or formula. Some of the information in the Evaluation you’ve heard before, but the “checklist” expands on it. If it’s not a checklist, what does it all mean? How can it help you? Eric examines each of the Sample Topics and Questions that the DOJ puts forth in this new guidance.
In this first of what has turned into a three-part series, Eric discusses in depth five of the Sample Topics and Questions covered in the Evaluation. In this edition, Eric talks about:
- Remedying Misconduct
- Involvement of Senior and Middle Management in the Program
- Compliance Autonomy and Resources
- Policies and Procedures
- Risk Assessment
This week, in part two of this special edition, Eric delves into:
- Training and Communication
- Confidential Reporting and Investigations
In part three, Eric will cover:
- Incentives and Disciplinary Measures
- Continuous Improvement, Periodic Testing and Review
- Third Party Management
- Mergers and Acquisitions
If you have a question you want answered on the podcast be sure to reach out below.
Welcome to Compliance Beat, the podcast for compliance and ethics professionals. We provide practical insights and answer your questions about compliance and ethics. Together, we'll stay up to date on current trends so that your program stays effective. Brought to you by Moorhead Compliance Consulting. Here's your host, Eric Moorhead.
Hello and welcome to the second part of what's now going to be a three-part special edition of Compliance Beat podcast. We're talking about the checklist that's not a checklist that came from our friends at the fraud division within the division of the Department of Justice. The document known as the Evaluation of Corporate Compliance Programs came out just under a month ago.
And we are walking through the different parts of the guidance that was provided within that document. If you haven't already, please listen to part one, where we talk about the first five sections. Also before we go too far, I've been remiss in the past in not saying this on the podcast, but if you haven't already, please, please go to compliancebeat.com or iTunes or wherever you happen to pick us up and subscribe.
We really appreciate it. It means a lot to us and it also helps us move the podcast forward. And secondly, if you have time, please visit us at moreheadconsulting.com where we have resources related both to this issue and many others for you to take a look at, and we recently redesigned our website as well.
So last week, we talked about the introduction and some of the background regarding this new document. And then also walked through the first five sections. Section six of the document talks about training and communication. Training and communication obviously is something that's very familiar to everyone who's been building a program based on the guidelines standard for an effective program.
Training and communications are part and parcel of any effective program. I believe in at least a couple of editions of Compliance Beat we've talked about training and communication. And also talked about the fact that oftentimes there's a lot of focus up front on formal training. Not as much typically if you look at the entire spectrum of organizations out there.
Fewer organizations spend as much time on communications as they do on formal training. What's interesting is, right out of the box, the first portion of this section talks about training being risk-based. The guidance talks about tailored solutions. It talks about what kind of analysis the company has undertaken to determine who should be trained and what they should be trained on.
So, this is really important for organizations that in the past have had all-hands training, perhaps on what's oftentimes called code of conduct training, on an annual basis that's rolled out to everybody regardless of their role, regardless of where they are located in the world and what particular risks they face.
So this really is talking, not necessarily about training and, although it's not mentioned in here, what you're talking about here is having a training curriculum that is a risk-based curriculum. You're talking about having a training plan. You're talking about having a multitude perhaps, depending on your risks, of different subjects that are being rolled out to different training groups and different employees based on where they're located in the world, what their job function is and what particular risk they might face based on those criteria and others.
Any good plan for training or communications these days is going to be risk-based, as any part of a compliance program is going to be risk-based. The second topic under training and communication talks about the form, content and effectiveness of any training that is then undertaken by the organization.
So, this is looking at whether the training is reaching its intended audience. So that's going to be language, but that's also going to be how do you train. If it's online training, is it interactive training? Is it training that engages the employee or the person that's being trained?
Is it designed at a level of understanding that's appropriate for the audience? So that's more than just native language, that's complexity. And then the second piece of this puzzle, which is interesting, is how do you gauge the effectiveness of your training? How are you measuring whether the message has been received and the message is leading to differences in conduct?
We've talked about this before in the past. I think a couple of things that spring to mind here is: do you go back and survey or test the employees that have received, or sample the employees that received, that training at a time different from when they actually received the training?
Doesn't do much good to rely on the quizzes that happen five minutes after they've heard the information. You would expect that most employees that do pay attention are going to be able to answer those questions effectively in the immediate aftermath of hearing the answers. So really all those pretests and post-tests that happen along with online training or other training do is measure whether they are actually paying attention at that point, not necessarily retention.
So what many organizations do and what you can do is do a quick assessment of retention at a different time. Maybe three months, six months, nine months down the road to test to see whether they have retained the information and knowledge you suspect.
The other big thing and important thing that we all must do in all effective programs is audit: have the behaviors that are discussed in the training, the things that you ask them to do or not to do, stopped happening or are they happening? So you have to take a sample and audit it and see if, for example, the training that you're auditing has to do with anti-corruption and you have an entertainment registry system, has there been an uptick in the number of people that are putting things into the gift system?
Are the entries that are put into the gift system more robust? Is there more information and more data being provided than prior to the training? Do you see some noticeable objective differences since the training happened based on the criteria of the training?
So you need to be able to show that. That's how you know whether the training is effective. You find out if they retain that information in their head and you find out if the actual conduct that you're asking them not to do, or asking them to do, has happened in the wake of that training.
The next one is particularly interesting to me and near and dear to my heart because it's an issue that I talk to organizations a lot about. It's characterized as communications about misconduct, but what it really is about is organizational justice, and communicating to the employee base about the actions that have been taken when there has been an issue, when there has been a violation of policy or code and there's been misconduct.
How does the organization react? And even more importantly in some circumstances, how does the organization communicate that to the employee base, to the stakeholders? This is really important because there's a tension out there and has been for a long time between HR and Legal and compliance in many organizations about revealing information around misconduct and the results of investigations and incidents.
There is a natural tendency in many cases to keep those things as confidential as possible. This is sometimes coming from outside counsel who are advising their clients based on a fear of litigation around employment issues, but I think that you need to really push back as much as you possibly can and demand answers from the Law Department, either internally or externally, about why you can't share certain information about the results of an investigation, how the company handles misconduct.
Because in a vacuum people will determine what happened in their minds, and typically it's not going to be a positive outcome in their minds. So if you have taken action, if there has been a result that's a result that shows the company takes things seriously, that, for instance, it punishes the top performer equally with the low performer when misconduct occurs, you want to trumpet that, you want that to be a headline, you want that to be out there so that people have confidence in the system and confidence that the organization takes these things seriously.
And if you won’t believe me, somebody who's looked into organizations over the last several years, believe our friends at the fraud section that they're going to look into that. That if there's a problem, they're gonna look into how you communicate around the results of these investigations and misconduct findings.
The last section under training and communication is what's titled availability of guidance. And it asks two salient questions. First, it asks what resources are available to provide employees guidance around policies? So it's not talking about, are the policies available, but what guidance is available. Now remember this is housed under a training and communications heading.
So I think what they're talking about is what kind of informal communication and training is out there to help employees understand the policies, the code, what they're supposed to do, what they're not supposed to do, when they're supposed to report. So this is talking about communication, broadly speaking, or training around the policies themselves, not just that the policies exist and that they're available, which is important, but how are those policies explained?
How frequently do you go out there and talk about, again, going back to the anti-corruption example, how you use the gift registry system? How's that explained? How's that explained in common sense language to the average employee or the employees that, after you've done your risk-based profile, have determined need to receive that message?
So this is not suggesting that the policies need to be available, which is important, but that there needs to be communication around it. Second question is how has the company assessed or looked into whether employees know when to seek advice and whether they're willing to do so. So this goes to the heart of the most complex and difficult issue around reporting, which is retaliation or fear of retaliation.
We talked about this before and I encourage you, if you haven't, to go back and listen to our podcast on this. So, this is delving into whether the company has looked into these issues about how freely people feel about coming forward and raising questions and reporting concerns and seeking advice.
Do they know about the resources? Are they comfortable coming forward? So that's a culture survey. That's going out and talking to people. That's doing focus groups. That's doing some research into people's perceptions about coming forward, about the resources available to do that and about how comfortable they are doing that.
So those are really salient, important things. Now it's interesting, those are the topics that are under training and communication, not whether you're regularly training, not whether you're hitting certain topics, but whether you're measuring. Look at the focus here on measurement and on data. This is very different, I think, than what we have done traditionally with training where we put a lot of effort into creating training based on some presumptions.
We push it out there. We insist that people do it or sit through it. But we don't really measure. So if you take one thing away from this section, that's measurement. How are you measuring? How do you do it? It's important.
Section 7 is titled Confidential Reporting and Investigation.
There are three salient questions here about your reporting system. And I say system because we're not just talking about a hotline here, and I'll explain what I mean here in a second. So the first question is “How does the company collect and analyze information from its reporting mechanisms?”
So how are you gathering information? Do you have a hotline system? Do you have an incident reporting system? What are the data feeds into that? So that's not just people who happen to call on the hotline. But how also are you using systems? If there's information that's being collected by HR or up through the management chain, how is that information collected, analyzed?
And, the second question is, once you've got that information, how do you assess the seriousness of the allegations? Do you have a system? Do you have a ranking system? How do you handle different types of allegations? Who handles different types of allegations? We all know that a lot of the information that typically comes through a hotline or a reporting system is, broadly speaking, HR related.
So how does HR handle those particular reports? Do you aggregate and look at the data around HR reports that maybe you as a compliance officer don't typically handle, but do you look at trends? How does HR report back to compliance or, more broadly speaking, to the governing authority of the organization around what they look at?
So have a handle on the different feeds of data and information on reporting and asking questions that come up through the different channels. How do you collect it? How do you analyze it? And how do you rank it, how do you determine seriousness? The last question is, does the compliance function have full access to the information?
And this relates directly back to the first two questions. So if you have sort of different routes that different reports take, if HR is responsible for collecting a lot of information, what do they share? Are there things that they're not sharing around not only just trends, but what types and the volume of certain reports coming from various parts of the organization are.
So is compliance, particularly the compliance operation of the organization, getting all the data it needs? So this is really data driven just like the prior section. The second topic heading is focusing on investigations and sort of your investigation protocol. It's asking whether the investigations are properly scoped and staffed by appropriate qualified personnel, and are they independent, objective, appropriately conducted and documented.
So this is looking at your investigation process, so how consistent is it? How independent is the investigation process? What triggers an investigation? Who conducts an investigation? How is that determined? Are they independent? Do they have the ability to have objective conclusions and who do they report to? And how is that filtered and not filtered?
So, really go through your investigation protocol and process very carefully and make sure that you can justify that it is independent, objective, that there is a process that's appropriate and professional. They're using the term qualified personnel. Do the people who are conducting the investigations have any training at all in investigations?
What's their experience level? It's important to be able to document that and justify the process you have in place. And then, lastly, under confidential reporting and investigations they have a bullet on response. What have you done? What have you done to determine why the misconduct occurred? Are there controls perhaps you could put in place?
Is there an issue with policy or procedure where there's a gap? Is there an issue with monitoring? Did you not find out about this issue until well after you would've hoped that you would've? So on the front end, are controls in place, and on the back end, is monitoring effective to catch these particular issues? And interestingly, they also ask a slew of questions here about how high up do the investigator findings go?
What is the accountability among supervisory managers and senior executives? There's a real focus here, in this last part of part seven, on the involvement of senior management. And what they knew, what they didn't know. I don't think, necessarily, you wanna look at this only narrowly as to the particular issue of misconduct, but were these managers involved in the lack of controls or lack of process that led to the issue, if that was the case, and the monitoring on the back end.
So not only look at the systems, not only look at the process up front and the monitoring in the back, but how management contributed to either the success or failure of those issues. So I had intended for this originally to only be a two-parter, but I've gotten the better of myself just talking about two parts of the 11 sections this week.
But I think it's worth spending a little bit of time. And I think we probably actually maybe come back and examine some of this in more detail later. So join us again next week for the third and final part. I promise, I promise I'll get through it. The checklist is on the checklist.
Thanks for listening to Compliance Beat. Check out our website, compliancebeat.com. This podcast is brought to you by More Head Compliance Consulting. Be sure to check us out at moreheadconsulting.com.