No area has become more challenging in compliance than continuous improvement. The 2012 FCPA Guidance specified that “a good compliance program should constantly evolve. A company’s business changes over time, as do the environments in which it operates, the nature of its customers, the laws that govern its actions, and the standards of its industry. In addition, compliance programs that do not just exist on paper but are followed in practice will inevitably uncover compliance weaknesses and require enhancements. Consequently, DoJ and SEC evaluate whether companies regularly review and improve their compliance programs and not allow them to become stale.”
This was supplemented in the Evaluation of Corporate Compliance Programs with the following area of inquiry under Prong 9 Evolving Updates – How often has the company updated its risk assessments and reviewed its compliance policies, procedures, and practices? What steps has the company taken to determine whether policies/procedures/practices make sense for particular business segments/subsidiaries?
Continuous improvement requires that you not only audit but also monitor whether employees are staying with the compliance program. In addition to the language set out in the 2012 FCPA Guidance and Evaluation, two of the seven compliance elements in the U.S. Sentencing Guidelines call for companies to monitor, audit, and respond quickly to allegations of misconduct. These three activities are key components enforcement officials look for when determining whether companies maintain adequate oversight of their compliance programs.
One tool that is extremely useful in the continuous improvement cycle is ongoing monitoring. Monitoring is a commitment to reviewing and detecting compliance variances in real time and then reacting quickly to remediate them. A primary goal of monitoring is to identify and address gaps in your program on a regular and consistent basis across a wide spectrum of data and information. It differs from auditing, which is a very deep dive with a much narrower focus.
Your compliance program should use ongoing monitoring to both evaluate and improve your regime going forward. Finally, do not forget the mantra of document, document, document.