In our last posting, we outlined the key changes from the DOJ’s Revised Guidance of Evaluation of Corporate Compliance Programs, June 2020. We now step back and take a look at it from a practical standpoint. What do these changes, and the Guidance overall, mean to ethics and compliance programs? One thing is for certain – the DOJ has placed the use of technology and access to data at the center of their evaluation criteria.
The revised guidance specifically calls out “Data Resources and Access” as a key factor in determining whether or not the corporation’s compliance program is adequately resourced and empowered to function effectively.
Data Resources and Access – Do compliance and control personnel have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls, and transactions? Do any impediments exist that limit access to relevant sources of data and, if so, what is the company doing to address the impediments?
As the DOJ’s expectations increase in this constantly changing environment, the days of disconnected solutions and manual processes are over. Relying on email, spreadsheets, Word documents, and PowerPoint presentations will not deliver a program that stands up to the expectations of the DOJ or other key stakeholders. It also won’t allow your program to deliver connected processes, integrated data and effective use of limited resources. With today’s challenged budgets, the need to leverage technology and data is more important than ever to improve productivity and maximize resources, while reducing risk and minimizing non-compliance.
To meet these heightened expectations in a constantly changing environment, you must leverage technology and data in ways that support and empower effective processes and productive teams. What does this look like in practice?
- Structure. You must be able to show that your program is well designed, applied earnestly and in good faith, adequately resourced and empowered to function effectively, and works in practice. The foundation of a well-designed and effective program is a consistent program structure. Whether based on the US Sentencing Guidelines, ISO 37001, or the Defense Industry Initiative, all well-designed programs have common elements that tie the program together. The right technology can help structure, map and track changes associated with each element of your program.
- Risk Assessment. The DOJ has also substantially raised the bar for risk assessments. The Guidance emphasizes the need for ongoing compliance risk assessments in conjunction with continuous access to operational data and information across functions. The DOJ further linked those assessments to reviews and updates of policies, procedures, and controls. In order to deliver a simple and effective risk assessment process, automated systems can be used to gather the data in a consistent, quantifiable manner, cross-reference it with operational data and supplement it with qualitative data from surveys and other sources. Based on this information, risks can be identified and prioritized on an ongoing basis. Action plans can then be created to mitigate those risks and to continuously improve the program. Taken together, the data can provide a 360˚ view of the “full spectrum” of risks facing the company. With configurable dashboards and reports, metrics and key performance indicators can be delivered in real time to better understand trends and the evolution of the program.
- Consistent Implementation and Application. Automated solutions tied to your underlying program structure and risks deliver multiple benefits to a compliance program, including greater consistency in program implementation, more structured data, and the elimination of tedious manual tasks. They also allow you to analyze the data to identify trends and to ensure the program is being applied consistently. Where it is not, audits and assessments can be conducted to determine the issues, which can then be acted upon proactively, applying the lessons learned and continuously improving the program. Effective systems also provide an audit trail to demonstrate the actions taken to evolve the program.
- Data Use and Access. As noted above, the DOJ emphasizes the increasingly important role data plays in the effective management of compliance programs. They proactively call out the need for access to relevant sources of operational data and information. This allows for timely and effective monitoring and testing of the effectiveness of an organization’s policies, procedures and controls.
Simply put, data and technology empower you and your program. To be effective, however, your data needs to be accurate and consistent. Data that is appropriately mapped and integrated provides better visibility into your company’s risks and the actions you are taking to address them. As you build out your solutions, you should work to continuously improve the data you are collecting. You can also upgrade or replace your underlying systems, allowing you to evolve and continuously improve your program with an eye toward the metrics and key performance indicators you are working to achieve.
- Tracking Improvement. A consistent theme throughout the guidance is the need to evolve and continuously improve your compliance program. As outlined above, the right data and technology can provide the ability to track and demonstrate how your program has evolved and matured over time. Effective solutions can deliver more consistent and structured data, increase visibility into program implementation and application, and produce a clear audit trail through which to track improvement. Without it, significant resources are wasted and insights are lost, increasing risk and liability for the company and those responsible for ensuring compliance.
Technology and data empower a compliance program to deliver greater efficiency and insights, allowing leaders to better use their limited resources to reduce risk and issues of non-compliance.
As you consider technology and data to support your program under the new normal, ask the following questions:
- Can you get it up and running quickly to start delivering value immediately?
- Is your solution an “empty box” or does it contain best practice forms and processes?
- Can you consistently identify, prioritize and act on the risks that can impact your business?
- Is your system flexible enough to manage complex workflows and processes?
- Can you integrate and analyze data from multiple sources?
- Can it track and monitor the structure, evolution and performance of your program?
- Can your technology scale and be easily configured to meet your needs?