The Evaluation of Corporate Compliance Programs was revised, making it important for your company to evaluate its DOJ corporate compliance program. The revisions aim to make sure that your company’s compliance program is well designed, is being followed and implemented earnestly, and is working in practice.
The revisions also review several areas of a well-designed program that relate to company policies, risk assessment, third-party management, and many more. This article explains how you can evaluate the DOJ corporate compliance program.
With the updated version of the Evaluation of Corporate Compliance Programs, you need to prove the effectiveness and value of the risk assessment process. The DOJ needs more clarity on how your compliance program has changed, and there should be proof that the program is indeed risk-based.
Further, the DOJ corporate payment compliance program wants more information on the process used to do the risk assessment. Your company also needs to provide evidence that it is allocating enough resources to the right risks and not just to low-risk areas.
Additionally, your company needs to demonstrate its efforts to align the outcome of the risk assessment with its procedures, policies, and controls. It also needs to take measures to track and monitor these risks to make sure that they are properly mitigated.
Policies and procedures
Any well-designed corporate compliance program involves policies and procedures that give both content and effect to ethical standards. The program should also address and reduce the risks your company identifies as part of the risk assessment process.
The updated guidance also requires your company to provide policies that incorporate the company’s culture and are risk-based. Your company also needs to take steps to improve awareness of the policies and make sure they are accessible.
It also encourages your company to give the right risk-based training to the people responsible for the policies and procedures. This is because these people play a crucial role in detecting and deterring compliance failures affecting your company.
Training and communications
Prosecutors tend to assess the steps taken by your company to make sure that policies and procedures are incorporated into the company. This also includes regular training and certification of all officers, directors, relevant staff, and where necessary, business partners and agents.
Therefore, the updated guidance requires your company to show that it has made efforts to communicate the features of the compliance program to its stakeholders through targeted, risk-based training and awareness efforts. This training needs to consider the roles and responsibilities of those attending.
There should therefore be relevant content that reflects previous events, case studies that show lessons learned, and results of the root cause analysis.
This can be a discussion of disciplinary actions your company took and remedial efforts for verified cases of misconduct and fraud. The DOJ requires your company to test your employees’ understanding of the content and assess the effectiveness of the training program.
It also looks for training delivered in various ways, using techniques that allow employees to ask important questions and interact with the trainers.
Your company needs to implement a reliable and efficient system in which employees can confidentially or anonymously report allegations of a potential breach of the company’s policies, code of conduct, or actual or suspected misconduct. Prosecutors are also encouraged to check the process that is utilized to investigate these complaints.
No doubt, this guidance raises expectations for testing employees’ awareness and tracking the results of these processes. Additionally, you need to assess the results of investigations to discover patterns or trends of misconduct and incorporate the results of that assessment into the relevant parts of the compliance program.
Here is the deal: if your employees are not happy with the reporting system, then it’s useless. You have to make sure that your employees are happy to do their part. Regular tracking of every allegation, from sorting to the issuance of the final report and action on the complaint, provides evidence of either the effectiveness or the ineffectiveness of your program.
Third-party risk management
A good compliance program needs to use risk-based due diligence for third-party relationships. Therefore, prosecutors must assess the extent to which your company understands the associations and qualifications of third-party partners, such as agents, distributors, and consultants.
These third parties are used by some companies to hide misconduct, such as concealing the payment of bribes to certain foreign employees in international business transactions.
Hence, the guidance requires your company to give more details about this process, because most compliance failures involve third parties. It means your company must track substantiated cases of misconduct and find out whether third parties were involved in the issue.
Also, your company needs to be prepared to explain the business rationale for deciding to use third parties. It should also provide these third parties with incentives and training to encourage ethical and compliant behavior.
In other words, third parties need to become a part of your company’s ongoing risk management process. So there should be efforts to regularly review third-party transactions for inappropriate or unusual activity. The third-party risk management process must happen throughout the entire relationship and not only during the onboarding process.
Mergers and acquisitions
An effective compliance program needs to include due diligence for any acquisition targets. It means there should be pre-acquisition due diligence and an orderly and timely integration of the acquired company into the existing compliance program process.
After all, due diligence is important because it allows your company to assess the value of the target more accurately and to negotiate for the costs of misconduct or corruption to be borne by the potential target.
Incomplete or flawed pre-acquisition or post-acquisition due diligence can allow misconduct to continue at the potential target company. This can harm your business’s reputation and profitability, and it also exposes you to criminal and civil liability.
So your company needs to show that your merger and acquisition due diligence process was effective.