Chief compliance officers have a lot of issues to balance on their plate. Experienced CCOs know that it is not possible to complete every objective, balance every changing risk, and continuously improve their respective compliance programs on a real-time basis.
If you review the Department of Justice’s Evaluation of Corporate Compliance Programs, there is more than a mouthful of requirements designed to ensure that CCOs monitor the performance of their programs and the effective operation of each element, while simultaneously testing and auditing the compliance program to ensure that it is nimble and capable of adjusting to new circumstances or performance weaknesses.
We have numerous examples of how rapidly the risk environment for companies can change and of the need for CCOs to respond. When COVID-19 hit, companies faced enormous operational challenges, ranging from business disruption to workplace safety, and eventually had to add remote working risks into the mix. Or consider Russia’s invasion of Ukraine and the immediate aftermath of reputational, operational and sanctions compliance risks. Given these external events, CCOs have struggled to maintain stability in the face of these challenges while addressing their own internal challenge of maintaining an effective compliance program.
The Justice Department and various regulatory agencies continue to emphasize the importance of continuous improvement, testing and review as part of robust assessment procedures in an effective compliance program. The Treasury Department’s Office of Foreign Assets Control has specifically stated that a sanctions compliance program should include “a comprehensive, independent, and objective testing or audit function” so that a company can determine “how their program [is] performing and should be updated, enhanced, or recalibrated to account for a changing risk assessment or sanctions environment.” The Department of Health and Human Services Office of Inspector General has made similar statements underscoring the need to conduct compliance audits and testing.
An important part of every compliance program looks beyond the design and operation of the program to the important question of whether the program itself is working. In this respect, DOJ and regulatory agencies have noted that CCOs should be striving to develop “continuous” monitoring systems and avoid “snapshots” in time. In order to execute such monitoring, compliance has to maintain broad access to operational data across all key functions in a company. This data has to be used to regularly update risk assessments, compliance policies and procedures, and financial controls.
In this framework, DOJ expects companies to maintain compliance programs that constantly evolve. By definition, an effective program will uncover compliance program weaknesses or even deficiencies that require swift responses to mitigate and restore the program to effectiveness.
A good way to summarize DOJ expectations is to focus on the key elements of a “proactive” compliance program in contrast to a “reactive” compliance program. A “proactive” program focuses on six consistent principles:
- Detection and prevention of misconduct;
- Collection and monitoring of real-time compliance and financial data;
- Identification of risk factors;
- Monitoring incidents, reporting, transactions and control compliance;
- Interventions; and
- Remediation and prevention.
These principles, if implemented, stand in stark contrast to reactive compliance priorities, which boil down to: (1) responding to potential misconduct; (2) investigating misconduct; (3) conducting audits that focus on conduct that occurred years in the past; and (4) performing post-event assessments and remediation. While these are all laudable goals, the primary objective of a proactive compliance program is to prevent misconduct before it occurs or is completed.