Just what is a “compliance-first” company?
How does a company describe and demonstrate its commitment to compliance? And how does it prove to regulators and law enforcement it cultivates, monitors, and encourages a proactive, compliance-first company culture? If, heaven forbid, the Department of Justice (DOJ) came calling with questions about a particular legal issue, how would the company describe its efforts to comply with the relevant law or regulation?
Mia Reini, senior manager, corporate compliance and enterprise risk management at The Home Depot, wanted to be proactive. The Home Depot, headquartered in Atlanta, is the world’s largest home improvement retailer. With approximately 500,000 employees in more than 2,300 stores across North America, the company is supported by a robust compliance program.
But how could the company prove its compliance bona fides to a regulator, should one ever come knocking on its door? Reini said The Home Depot decided to create a document that would answer questions the DOJ or another agency might someday have about the company’s compliance program. After reading the DOJ’s “Evaluation of Corporate Compliance Programs,” last updated in June 2020, she said she thought, “We should really write out our answers to these questions.”
The resulting document, “The Home Depot Compliance Program Overview,” pegged answers to the questions posed by the DOJ guidance. Point by point, the 30-page internal report laid out how The Home Depot had baked compliance into its daily activities.
The Home Depot agreed to share its report with Compliance Week but is not distributing it publicly.
Although this did not figure into The Home Depot’s decision-making, there is another reason firms might consider formally mapping out their compliance program. The DOJ has indicated it will consider the strength of a company’s compliance program, and the support it receives from the top, in determining potential enforcement actions like fines, mitigation measures, and whether to assign a monitorship.
“Companies that make a serious investment in improving their compliance programs and internal controls will be viewed in a better light by the Department of Justice and by my Criminal Division,” said Assistant Attorney General Kenneth Polite Jr. at Compliance Week’s National Conference in May. The risk of prosecution will be significantly greater for organizations that do not invest in compliance, Polite said.
The Home Depot describes its compliance program
Using The Home Depot’s annual environmental, social, and governance (ESG) report as a guide, Reini said she asked a technical writer and graphic designer to help develop a compliance program overview report that described the design of the company’s compliance program and the resources invested in it. The report would explain how the programs engage and empower associates in ongoing compliance and how they work in practice.
“We mapped our report to the DOJ compliance guidance,” Reini said. Headers in the report related directly to sections of the DOJ guidance, like “Risk Assessment,” “Policies and Procedures,” and “Training and Communications.”
The report is peppered with “spotlight” stories on how The Home Depot’s Foreign Corrupt Practices Act compliance program incorporates elements of the DOJ guidance, “because we know that the FCPA compliance area is important to the DOJ,” Reini said.
Spotlight examples included targeted FCPA risk assessments within the report’s risk assessment section, the whistleblower hotline test call program in the confidential reporting structure section, the company’s FCPA training program in the training and communication section, and the FCPA third-party monitoring program in the third-party management section.
“The report also features stand-alone Q&As straight from the DOJ compliance guidance, ‘did you know’ compliance fast facts, ‘compliance in action’ business examples, and ‘compliance programs in practice’ brief case summaries,” Reini said. “We also included pictures of representative compliance materials throughout.”
The report opened by describing the importance of compliance to The Home Depot.
“The foundation of corporate responsibility is compliance with laws and regulations that govern business activities. For The Home Depot, that compliance goes beyond simply following the rules. It aligns with our core values and is integrated into how we operate at every level,” the report said.
The report described in detail how the compliance function works at The Home Depot, like its support from the top, governance, resources allocated, training, policies and procedures, and more. Here are some takeaways for compliance professionals:
The company embeds compliance associates in the business. The associates, called compliance leads, are embedded across the business to “provide guidance for the front lines and monitor compliance-related risks” and “engage directly with front-line associates,” the report said. The leads specialize in 19 distinct areas of compliance at The Home Depot and are empowered to monitor compliance-related data collected by the business units to which they are assigned.
The company oversees two compliance hotlines, with an internal monitor for action. In addition to reporting issues to a manager or human resources partner, front-line associates can utilize the company’s whistleblower hotline and website, AwareLine.
A second hotline and website, the Supplier AlertLine, “enables suppliers, vendors, service providers, and their employees to report any situation that appears to compromise our Home Depot values or compliance with the law,” the report said.
Both hotlines are run by a third-party vendor, but the company’s compliance team members “have full access to all AwareLine and AlertLine reports and are automatically alerted to serious, high-risk cases,” the report said. “Compliance team members advise on escalations and monitor the progress of investigations.”
On the Supplier AlertLine, Reini said, “We feel it is very important to have a separate, dedicated, 24/7/365 hotline for the employees of our vendors, suppliers, and service providers to tell us if they are ever asked or directed to do anything that violates law or The Home Depot’s compliance standards or ethical expectations. We believe having our Supplier AlertLine helps us better meet the DOJ compliance guidance on ‘Confidential Reporting Structure and Investigation Process.’”
Hotline cases are generally opened and under review in a matter of days and monitored for timely resolution. Associates, past associates, or suppliers who submit reports receive tracking information and passwords to follow up on their submissions.
The Home Depot has an investigations council, described in the report as “a cross-functional working group that serves as a leadership-level forum” that ensures engagement and awareness of compliance investigations at the highest levels of the company. Membership on the council includes The Home Depot’s general counsel and executives leading corporate compliance and internal audit teams. The council meets quarterly “to share updates, resources, benchmarking data, and best practices for compliance investigations.”
Commitment to third-party compliance programs. The Home Depot conducts on-site audits of factories in countries around the world that supply private brand and direct import products to the company. These facilities must maintain and provide access to on-site documentation about compliance and allow full access to production facilities and worker and production records.
If a compliance issue is identified, the supplier is expected to remedy the situation and present a corrective action/preventative action plan to The Home Depot. The company performed more than 1,400 on-site factory audits and more than 1,500 follow-up visits in 2020, the report said.
The Home Depot launches uniform review processes and risk-based due diligence on compliance-sensitive service providers (CSSPs), which are “agents or third-party service providers who perform services in areas such as finance and global sourcing that are likely to involve interaction with foreign government officials on the company’s behalf,” the report said. CSSPs must be recertified each year and are subject to reviews by The Home Depot’s internal audit team.
Use of data analytics and artificial intelligence (AI) to monitor compliance risks. According to the report, The Home Depot uses data analytics tools to conduct annual compliance audits in areas like FCPA compliance, nonmerchandise vendor fraud, and fraud monitoring in gift cards and markdowns.
The company also uses AI tools in its third-party management platform, which allows it to track compliance risks in real time with its CSSPs.
“We got to know much more about our compliance areas through working on this project,” Reini said.