THE NEW DOJ GUIDANCE EXPLAINED - Red Flag Group
Transcript of THE NEW DOJ GUIDANCE EXPLAINED - Red Flag Group
THE NEW DOJ GUIDANCE EXPLAINED
Webinar
April 5 2017
www.redflaggroup.com
Presenters
About The Red Flag Group
The Red Flag Group is a global professional services firm specializing in integrity and compliance risk. We have completed over 500,000 due diligence reports for thousands of companies in the past 10 years and work with many Fortune 500 companies.
Christopher Sindik, Director of Marketing, The Red Flag Group
Paul Johnson, Product Director, The Red Flag Group
Agenda
What are the guidelines?
What changes and stays the same?
Where are the rest of the guidelines?
Why did the DOJ release these?
Examination of questions and related best practices
Questions?
What are these guidelines?
“Evaluation of Corporate Compliance Programs” –What the DOJ asks companies when they become aware of misconduct
Released on February 8, 2017
8 pages containing 119 questions
Focus on bribery and corruption via references
Not so much guidelines as questions
“Sample questions that the Fraud Section has frequently found relevant in evaluating a corporate compliance program”
What changes and what stays the same?
There aren’t any major new guidelines in this document, but it fills in finer details behind the broad strokes and gives insight into what the DOJ considers “effective”
Not much has actually changed, but this is more detailed guidance on the areas of focus
What you might hear from the DOJ
Many references to other materials by DOJ and others
Where are the rest of the guidelines?
The 8 pages they released are it but there are other documents referenced
Plenty of other information in:
The FCPA Guide (pages 57-66)
US Attorneys’ Manual 9-28.800 Comment
US Sentencing Guidelines § 8B2.1
OECD Handbook
All have varying degrees of robustness and practical guidance
Why did the DOJ release these guidelines?
Did not give an exact reason
Wanted to provide specific questions to think about and real examples of where they have looked
Increased enforcement action on the horizon?
In response to compliance failures, the DOJ is able to say “did you read the guidelines?”
Compliance is part art and part science
No one size fits all programme
Contents of the guidelines
119 questions
asked when the DOJ learns of misconduct
Contents of the guidelines
Processes
Look at what should be in place at corporate compliance programmes:
Systems, authority, resources
Contents of the guidelines
Lessons learned from past failures
Major themes
Ownership and who is involved
Resources and how it is done
Concrete examples
What are the 119 questions?
What does this mean?
Looking at what you are doing and how it is done. Existence and effectiveness.
Concrete examples
Types of questions
34% of questions are “What…?”
36% of questions are “How…?”
16% of questions are “Have or has…?”
7% of questions are “Who…?”
7% of questions are other types
Why questions with no answers?
No “one-size-fits-all” compliance programme
Much depends on the industry, size and risk profile of the company
Much harder to provide the answers
They want companies to examine this on their own
Even if they could provide an answer “you should do x to evaluate third parties” it would not be the correct answer for every company
The exercise of answering the questions can expose compliance weaknesses
11 Sections of the guidelines
Analysis and remediation of underlying conduct
Senior and middle management
Autonomy and resources
Policies and procedures
Risk assessment
Training and communications
Confidential reporting and investigation
Incentives and disciplinary measures
Continuous improvement, periodic testing and review
Third party management
Mergers and acquisitions
One very special section
All of the sections are referenced to the USSG, FCPA Guide, OECD Handbook, USAM except one…
Analysis and remediation of underlying conduct
Why is this the only one? Why is it so special?
Specifically focuses on what the company has done to improve their program in the face of adversity:
What specific changes has the company made to reduce the risk that the same or similar issues will not occur in the future?
Were there prior opportunities to detect the misconduct in question, such as audit reports identifying relevant control failures or allegations, complaints, or investigations involving similar issues?
What is the company’s analysis of why such opportunities were missed?
Senior and middle management
Leading by example and buy-in
Senior and middle management
Regular communications at all levels of the company
Endorsements, signatures of policies and code
Budget and headcount for compliance
What concrete actions have they taken to demonstrate leadership in the company’s compliance and remediation efforts?
Discipline at high levels (compliance over profits)
Time with compliance
Growth of compliance in the company over time
Consistency and not just symbolic gestures
Senior and middle management
Information can’t be kept in a silo
Use of big data, analytics, AI in the compliance function
Cross departmental meetings and involvement of compliance at the middle manager and executive level
How is information shared among different components of the company?
Frequency (real time, weekly)
Quality of data that is shared (both supportive and problematic)
Avoidance of a paper programme
Autonomy and Resources
Qualified, capable and funded
Autonomy and resources
It is a huge question
What role has compliance played in the company’s strategic and operational decisions?
Compliance needs to be ingrained into operations
Not just a roadblock to doing risky business
Seat at the decision making table
• M&A, third parties, new markets, investigations, audits, hiring, firing, gifts, travel and entertainment (GTE), conflicts of interest (COI), training, policies, sustainability, etc.
• All need to have some oversight by compliance
Autonomy and resources
Have there been times when requests for resources by the compliance and relevant control functions have been denied?
• Great to see this on the list as a compliance professional
• Not just people but also tools and other resources.
• There are times that it is reasonable to deny compliance’s request for resources but they are looking to see that the company didn’t starve compliance.
Policies and procedures
Practical and understandable
Policies and procedures
What has been the company’s process for designing and implementing new policies and procedures?
Every company needs to make a policy on how to make a policy
Benchmark it against others in the industry
Example: GTE amount less than $150
Easily understood by the target audience
Comprehensive
Include learning aids
Have some style to make it more memorable and approachable
Policies and procedures
How have they been rolled out (e.g., do compliance personnel assess whether employees understand the policies)?
The best written policies do nothing if they aren’t read, remembered or understood
Need a bit of fanfare for new or updated policies
Policies regarding social media, human rights, political dealings, sanctions
Replace the old policies in all locations
Verify new policies are being followed
Certifications and training to go along with key topics
Risk assessment
Methodology and follow up
Risk assessment
Inside and outside effort for objectivity and benchmarking
Rank risks in terms of likelihood and severity
What methodology has the company used to identify, analyze, and address the particular risks it faced?
Need to look at all 3 elements: Identify, analyse and address
Methods can include
Culture and knowledge surveys
Interviews, onsite audits, document review
Process review and workflow
Follow-up plan, heat maps
ID risks, rate them, establish controls
OECD compliance handbook (pages 10-14)
Training and communications
Curriculum and disclosures
Training and communications
What analysis has the company undertaken to determine who should be trained and on what subjects?
Not done by job title necessarily
Look at actions
Locations of high risk
(see Risk Assessment process)
Where have failures been or reports been made?
Companies need to show that they gave the right people the right training
• How much is enough? Depends on the risk of that employee
• Resourcing constraints
Training and communications
What communications have there been generally when an employee is terminated for failure to comply with the company’s policies, procedures, and controls (e.g., anonymized descriptions of the type of misconduct that leads to discipline)?
Public name and shame
Could be used as case study training
Compliance newsletter or space in other company comms.
Learning from your lessons
People know that policies are being enforced
• Constant theme with these guidelines
Don’t give a how-to on breaking the rules
Confidential reporting and investigation
Analysis and investigations
Reporting and Investigations
How has the company collected, analyzed, and used information from its reporting mechanisms?
Standard methods: phone, email, website, postal, fax
Newer channels: text, social media, apps, automated systems, AI
Escalation process in place to audit committee and board if needed
Metrics to examine trends:
• What percent are substantiated
• What are the outcomes of the reports? (discredited, disciplinary action, etc.)
• Type of misconduct
• Location and functions involved
Root cause analysis
Reporting and Investigations
How has the company ensured that the investigations have been properly scoped, and were independent, objective, appropriately conducted, and properly documented?
Objectivity – Using outside help, language capabilities, avoiding COI
Look at an investigations team with cross function capabilities
Forensic accounting, fraud examiners
Issues must be addressed
Incentives and disciplinary measures
Accountability and setting examples
Incentives and disciplinary measures
Have there been specific examples of actions taken (e.g., promotions or awards denied) as a result of compliance and ethics considerations?
POSSIBLE PUNISHMENTS FOR: not completing training, missing certifications, poor supervision of others, lack of guidance
POSSIBLE REWARDS FOR: setting example, training others, compliance champion or duties, certifications or training
Shows that the company is looking at compliance and has some concrete benefits/discipline associated with it
Incentives and disciplinary measures
Were managers held accountable for misconduct that occurred under their supervision?
Appropriate in some cases but not mandatory
Yes – pressure for profits, encouraged, concealed or turned a blind eye
No – procedures followed, training given, voluntary disclosure, cooperation, “bad apple”
Examine communications, training and available tools
Setting the tone from the middle and top
Turning a blind eye to misconduct
Institutional misconduct
Continuous improvement, periodic testing and review
Good is never good enough
Improvements, testing and review
What types of audits would have identified issues relevant to the misconduct?
Financial audits, on-site, interviews, GTE, COI, real time transactional monitoring, third party audit, predictive analytics
Compliance audit
New business units, subsidiaries, decentralized BUs
Getting out of silos (ABAC, COI) and looking at other functions (HR, Procurement, IT, etc.)
On-the-ground
Third party assessments – due diligence
Improvements, testing and review
How often has the company updated its risk assessments and reviewed its compliance policies, procedures, and practices?
Depends on the state of the programme in many cases
If a programme is deficient, as soon as possible
If a programme is in relatively good shape:
Risk assessment: at least every 2 years
Policies: each year
Procedures: each year
Practices and activities: real time
Third party management
Their risks are your risks
Third party management
How has the company’s third-party management process corresponded to the nature and level of the enterprise risk identified by the company?
Asking whether the remediation process matched the risk presented
Any combination of:
Questionnaire, approvals, documentation, certification
On-site audits, interviews, training and added processes
Risk score all third parties
Look at not only country and industry but spend, work being done, volume, etc.
Can’t rely on the reputation of a company or on “clean” countries (e.g. South Korea)
Third party management
Were red flags identified from the due diligence of the third parties involved in the misconduct and how were they resolved?
Look beyond just ABAC and consider a wide variety of risk areas
Not just red flags but looking deeper into yellow flags
Know what types of risk to research for each third party
Reputational, media, legal and watch list screening
Mergers and acquisitions (M&A)
Acquiring a company and all its baggage
Mergers and acquisitions
Looking at risks in supply chain
What has been the M&A due diligence process generally?
Running thousands of parties through a DD process
• Segment
• Risk rank
• Address yellow and red flags
• Review serious issues
• Set up remediation tactics
• Monitor, measure, manage
Some do both pre- and post-acquisition DD
• There is a window for post DD
Mergers and acquisitions
What has been the company’s process for implementing compliance policies and procedures at new entities?
Understand the culture of the new company
Centralized versus decentralized process
• Trust but verify
Look for the best of both programmes (policies, procedures, processes)
Larger programmes typically are more robust than smaller companies
New certification, training, visits, audits
Conclusions
The evaluation guidelines provide very clear insight into what questions will be asked if the DOJ comes around
Are you prepared?
Good exercise to see if you know the answers to these questions
Reinforces focus that regulators have
Major themes
• Lessons learned from past failures
• Ownership and who is involved
• Resources and how it is done
• Concrete examples
UPCOMING WEBINAR
Finding the unexpected: How to effectively build and manage your Gifts, Travel and Entertainment policy
Thursday, April 20th
9 am PDT, Noon EST
Managing your Gifts, Travel and Entertainment (GTE) is no easy task. It is one of the most common ways for compliance failures to occur, particularly in the areas of bribery and corruption. However, providing reasonable GTE to customers, vendors and suppliers is a part of any business. The government expects clear controls to be in place to prevent irresponsible, unreasonable and lavish GTE from companies to government officials or even other businesses.
QUESTIONS?
Integrity due diligence reports
Compliance screening
Investigations
Proactive monitoring
Professional services
Compliance technology solutions
Supply-chain risk management
Compliance training
Compliance outsourcing
Connect
Website: www.redflaggroup.com
Email: [email protected]
Webinar schedule and recordings www.redflaggroup.com/webinars
Follow us Twitter: @redflaggroup LinkedIn: The Red Flag Group
Email your feedback and comments to [email protected]