Welcome to a special five-part podcast series, entitled Corporate Case Management in the Era of the DoJ’s Monaco Memo, sponsored by i-Sight Software Solutions (i-Sight). Over this series, Jakub Ficner, Director of Partnership Development, and I consider how the Monaco Doctrine and Monaco Memo have impacted compliance in several key areas. We not only detail the changes wrought by the Monaco Memo but how compliance professionals can respond to these new challenges. In our concluding Part 5, we consider how data and data analytics are even more critical after the Monaco Memo and how using data can drive prevention.
The Department of Justice (DOJ) has now said they are going to evaluate a company’s overall culture of compliance if they find themselves in an investigation. But prior to this announcement by Deputy Attorney General Monaco, back in June 2022, the DOJ said, in the 2020 Update to the Evaluation of Corporate Compliance Programs, that your compliance program should assess your risks and reassess them when they change. From there, create your risk management strategy and then monitor those risks and then use that information to improve your program.
Properly used, your investigation protocol is another form of monitoring. It is monitoring when something has potentially gone wrong, but it gives you the opportunity to get a significant amount of information through the investigation process and then through a root cause analysis you will have additional data. Ficner said that by having a system in place that enables an organization to structure their investigative process, an organization can provide data to back up the claims. “Through the data that is collected throughout the initiation, the assessment, the investigation, and the outcome at each level, you get a new layer of data. Ultimately the data that comes from this investigative process is where organizations find the most value of having a case management reporting system.”
We then turned to red flags. Here it may be helpful to use other terms such as outliers or anomalies to define red flags. When you view red flags in such terms you begin to see how data generated from the investigative process can be used. Such an approach allows you to see red flags “through multiple different lenses.” For a Chief Compliance Officer (CCO) you can look for different outliers and use your reports to clearly identify potential risk areas. This can allow “real time analysis to be able to drill anywhere or drill into the outlier to be able to see what the under underlying issue is and potentially be able to action it from there.”
Once again, by using such an approach, you demonstrate your overall culture of compliance if the DOJ or another regulator comes knocking. Ficner phrased it as, “We are stating we have a process in place, we prove we have that process in place and we followed it efficiently at each step” A CCO then gets useful information from a holistic basis. The DOJ also references root cause as a Hallmark of an effective compliance program, the data generated in your investigation allows you to follow that stricture as well. A robust investigative case management software system allows an organization to be able to articulate your process and be able to more importantly prove that you followed that process. Ficner stated that it allows an organization to say, “We did our root cause analysis. Here are the cases, here’s the information, and it is auditable and defensible.”
Such a process also allows an organization to move from continuous monitoring to continuous improvement, as laid out in the 2020 Update to the Evaluation of Corporate Compliance Programs, as ultimately, “it comes down to the data being able to prove where you should be focusing your time, what processes need to be improved.” For instance, such an approach allows an organization to associate “at the outcoming phase, the specific policies and procedures, organizational policies and procedures that were violated, that provides data over which ones are working, which ones are not working.” You can then take the appropriate remediation or corrective actions to be able to continuously improve the culture and ethics of your organization ultimately using data.
Ficner noted, “We have a lot of risks. We have a lot of initiation initiatives, I should say. And something that we hear organizations tell us time and time again is that for me to action an actual policy change, I need to be able to articulate to my leadership why we should action or change this. And data is ultimately the best way. As we said, data is neutral. It’s a fact. This is what we did. This is the outcome, this is the risk to the organization, this is what we’re doing to remediate it, and this is why we should do it. And you supplement each one of those with data throughout your investigative process. It’s more likely that your policy or procedural change will be implemented.”
Ficner concluded that the overall compliance landscape is shifting. It is moving away from a siloed approach. By incorporating your overall internal investigative function into a centralized process, it not only is more efficient, but it is also auditable and defensible. You can now get data from multiple departments and functions to “demonstrate yes we are taking this seriously, we are taking proactive measures, and here is the data to back that up.” At the end of the day, this may be the most key benefit.