The Department of Justice’s “Evaluation of Corporate Compliance Programs” underscores the risks and rewards of comprehensive remediation and enhanced compliance programs in the wake of serious corporate misconduct. Prosecutors and regulators across the globe deliver the same message: Companies that demonstrate comprehensive efforts to remediate misconduct earn substantially reduced penalties and stand a good chance of avoiding criminal charges and a government-imposed monitor. Conversely, companies that cannot prove an effective remediation approach face indictment, higher fines, collateral penalties (e.g., suspension, debarment), and a monitor.
About Jonny Frank
Jonny Frank is a partner based in the New York office of global advisory firm StoneTurn, where he focuses on remediation and compliance monitoring.
He serves as the DOJ-appointed Independent Compliance and Business Ethics Monitor to Deutsche Bank, the SEC-approved ethics and compliance adviser to the independent consultant of a Big Four auditing firm, the DOJ-appointed independent auditor to a top 5 automotive manufacturer, the remediation consultant to a Northern European Bank, the SEC-approved independent consultant to a Big Three credit rating agency, and forensic adviser to the independent compliance monitor of one of the world’s largest institutional alternative asset managers. He formerly served as an Executive Assistant United States Attorney.
While expectations are high, prosecutors and regulators provide little detail on the criteria for effective remedial efforts. Here are 10 proven tips based on the successful efforts of organizations in industries ranging from financial services to healthcare to oil and gas to public accounting.
1. Start immediately. Speed is critical. Remediation of serious misconduct takes months, if not years, particularly when it requires changes in corporate culture. It is one thing to demonstrate completed remediation; it is quite another if the company can assert only that it plans to take, or has just taken, corrective actions.
Delayed remediation suffers from investigation and fee fatigue. Internal investigations are emotionally taxing and expensive. Companies that wait are often too emotionally and financially spent to devote proper attention and resources to remediation.
2. Organize separate work streams. Separate factfinding and remediation workstreams enable compliance practitioners to avoid the distraction of the investigation. Separate workstreams also help counsel protect privileged communications. A separate remediation workstream, particularly if styled as a “remediation consultant” or “self-imposed monitor,” affords the company an independent third-party opinion, which can be invaluable evidence in a regulatory inquiry.
3. Dig deep and wide. Root cause analysis underpins remediation efforts. For serious or pervasive misconduct, root cause analysis must dig deeper and wider than the specific misconduct. Cressey’s Fraud Triangle and the COSO Integrated Controls Framework offer a head start. For example: What incentives and pressures motivated the misconduct? How did the perpetrators—typically people of integrity—rationalize their behavior? What control weaknesses did they exploit? Did the company’s risk assessment process identify the risk? If not, why not? If so, what preventive and detective measures did the company take? What did prior internal audits show? What red flags did the company fail to spot?
4. Audit across businesses and geographies. Wrongdoers typically engage in a range of unethical behavior. Comprehensive root cause analysis enables companies to determine “Who and what else?” Effective remediation considers the potential for other misconduct by the same perpetrator(s) and similar misconduct by others in the organization.
Extended inquiries take the form of a forensic audit, not forensic investigation. Investigators work to prove or disprove suspected misconduct. Forensic auditors, conversely, apply audit procedures (e.g., process walkthroughs, transaction testing) to search for red flags, which, depending on type and number, can give rise to investigation.
5. Enhance control activities. Root cause analysis informs necessary improvements in “control activities,” that is, the policies, processes, and controls companies rely on to mitigate risk. Risk and controls experts differentiate between design effectiveness and operating effectiveness deficiencies. Design effectiveness refers to whether the control activities, if they operate as prescribed by competent persons possessing necessary authority, can effectively prevent or timely detect misconduct. Operating effectiveness refers to whether the control activities operate as designed and the adequacy, competency, and authority of the persons performing the control activity.
Keep in mind that, as the DOJ acknowledges: “No compliance program can ever prevent all criminal activity.” If prevention is not practical, the company must implement detective control activities. The root cause analysis should identify the red flags the company failed to spot. These red flags form the basis for key risk indicators to provide an early signal of increasing risk exposure.
6. Discipline secondary wrongdoers. Meeting government expectations for disciplining perpetrators is relatively straightforward if the company can document it applied the process fairly and consistently. But what about secondary wrongdoers? Will the company also be able to demonstrate appropriate disciplinary measures were taken against supervisors for negligent certification or bystanders for failing to report the wrongdoing?
7. Audit the effectiveness of the remediation and compliance program. Periodic testing to assess remediation effectiveness is a fundamental government expectation. To be credible, the audit must come from an independent source. Counsel lacks independence because lawyers serve as the company’s advocate. Internal audit can provide independent assurance provided it is not reviewing its own work and is knowledgeable, skilled, and experienced in auditing remediation and compliance programs.
8. Obtain a third-party opinion. A growing trend is for the government or company to engage an independent third party to issue an opinion, much as an independent auditor does in a Sarbanes-Oxley audit of management’s assessment of the effectiveness of internal control over financial reporting. Rolls-Royce and Airbus, for example, which avoided U.K. and U.S. government-imposed monitors, voluntarily retained independent third parties to review and speak to the effectiveness of remediation. After all, it is not enough to assert. Only an objective third party can provide independent evidence to “prove” the effectiveness of remediation efforts and/or compliance program improvements.
9. Ask senior management to certify. Senior management are accustomed to issuing certifications (e.g., the Sarbanes-Oxley assertion on the effectiveness of internal control over financial reporting). These certifications require a framework and evidence to support the certification and typically involve a waterfall of sub-certifications. Management certification of the effectiveness of the compliance program controls, particularly when voluntary, speaks loudly to the organization’s commitment to a culture of integrity and compliance.
10. Go public. Organizations are increasingly transparent about efforts to remediate misconduct. Airbus, for example, posted a detailed summary and chronology of its remediation efforts on its website.
Regulatory enforcement agencies reward comprehensive remedial efforts with leniency. Therefore, companies must incorporate, and top management must support and enforce, a comprehensive and ongoing remediation process, one woven into the fabric of the organization to prevent further misconduct. Following these 10 tips may not only earn remediation credit but, more important, restore reputation and avert larger problems down the line.