Companies are constantly evolving their business profiles, geographic footprints, channels to market, and clients served, and compliance programs must adapt as well.
As a result of these organizational and business changes in fast-paced companies, many practitioners are hard-pressed to periodically monitor and test the effectiveness of their anti-corruption compliance programs. The U.S. Department of Justice (DOJ) recently restructured its 2017 guidance document on Evaluation of Corporate Compliance Programs to emphasize the importance of monitoring to determine whether compliance programs “work in practice.”
According to the 2019 Compliance Guidance, the DOJ will consider whether a company has taken “reasonable steps” to “ensure that the organization’s compliance and ethics program is followed, including monitoring and auditing to detect criminal conduct,” and to “evaluate periodically the effectiveness of the organization’s” program. To evaluate effectiveness, the 2019 Compliance Guidance asks two new questions: 1) What testing of controls, collection and analysis of compliance data, and interviews of employees and third parties does the company undertake?; and 2) How are the results reported and action items tracked?
There is little practical guidance on the steps that practitioners can take to monitor their compliance programs and test whether they are effective. In this article, we will describe the steps companies should undertake to design and operationalize anti-corruption compliance monitoring systems. We will begin by outlining an approach for the design of a compliance monitoring system (the why, who, what, how, and when), followed by practical recommendations on how to build and operationalize an effective system. While there are proactive ways to monitor compliance-sensitive areas—such as review and pre-approval of expenditures and payments—this article focuses on retrospective monitoring aimed at detecting compliance violations and identifying trends, outliers, and red flags.
Designing an anti-corruption compliance monitoring system
1. Why monitor? Companies should first determine their overall strategies and goals for monitoring. Some companies may place an emphasis on data analytics, including evaluating trends and outliers, over more granular testing of compliance-sensitive transactions. The monitoring system should also be tailored to the company’s objectives for its compliance program. For example, a company may prioritize the monitoring of its third-party relationships over monitoring of business courtesies, particularly if the company goes to market primarily using channel partners and agents. There are different philosophies of what it means to have a “best in class” compliance program, and the answer will vary from company to company and industry to industry:
- A program that aims at preventing all violations (programs that are heavy on automated controls that prevent employees from exploiting loopholes). Typically, such programs are adopted by companies in highly regulated industries that are subject to rules and regulations that can change frequently and would have a potentially existential impact on the company’s operations.
- A program that is layered, rigid, and well-documented (programs that prioritize defensibility of the company’s compliance program against external investigations or actions). Such programs are often adopted by large companies with decentralized operations that are subject to laws and regulations that carry high penalties.
- A program that aims at detecting all violations (programs that put more emphasis on third-line detection of potential violations, sometimes through sophisticated data analytics). These programs are often implemented by companies that are centralized, are subject to regulations with high potential impact, and where the business moves quickly and often requires flexibility.
- A program that is culturally embedded in the company (employees know what the rules are, and the company has communicated its expectations). This type of program tends to be adopted by decentralized companies that are subject to lower-impact regulations.
- A program that is designed to respond quickly to daily challenges (programs that prioritize flexibility of the business). These programs can be adopted by centralized companies that are subject to lower-impact regulations.
For the purposes of this article, we will define an effective compliance program as one that fits the needs—both business and cultural—of the company it serves and is embedded in the company’s sustainability strategy. Therefore, the examples we give for the types of data to monitor will be based on whether the compliance program identifies the appropriate risks, identifies too many risks, applies its controls too broadly, or does not apply them broadly enough. In other words, the key inquiry is whether the compliance program is “right-sized” given the profile of the company at a certain point in time.
2. Who should monitor? Organizationally, companies should determine the level at which monitoring should occur (e.g., by country, region, or business line) and the cadence at which it should occur (e.g., monthly or quarterly); prioritize the countries, regions, legal or financial reporting entities, and/or business lines that should be monitored; and determine who should receive monitoring reports and who will be responsible for analysis and follow-up.
3. What and how to monitor. The next step is to determine the areas to monitor based on the enterprise risk areas. What are the areas that would be most vulnerable to circumvention or that pose the greatest risks to the company? Within those areas, companies should determine what the appropriate baseline metrics should be. In other words, what is the basis for comparison? How are anomalies identified? Baseline metrics may include projected, estimated, or planned spend, against which deviations can be measured. This will differ from company to company, but some suggestions include:
- Compliance-sensitive payments: Compliance-sensitive payments refer to Accounts Payable (A/P) transactions that create an opportunity for potentially improper payments. Such transactions may include payments made to government entities or payments to commercial organizations that present a corruption risk. Changes or trends in compliance-sensitive payments, when compared against other risk indices, may signal increased risk in certain areas. For example, an increase in payments approved after the fact in a certain location may indicate that the local team needs additional compliance training. This type of data may also be valuable (and even surprising) to the business and serve to augment the role of compliance as a trusted business advisor. To monitor, companies could identify and designate high-risk accounts within their financial or accounting systems in a way that allows companies to generate reports on a periodic basis. These reports could be compared against the projected budgets and trends over time for the same designated high-risk accounts.
- Other compliance-sensitive spend: Compliance-sensitive spend refers to non-A/P company spend in areas such as gifts, entertainment, or travel involving government officials or commercial clients. This type of spend is incurred as part of companies’ travel and expense process and is typically reimbursed or incurred on corporate credit cards. Compliance-sensitive spend should be monitored for upticks and changes over time. For example, increased compliance-sensitive spend in certain locations or offices ahead of major deals or bids may indicate inappropriate use of perks used to influence decisions by government officials or by key commercial clients and warrant further investigation. To monitor, companies could earmark compliance-sensitive spend in their financial systems following the pre-approval or approval processes in a way that allows companies to generate reports on a periodic basis.
- High-risk third parties: Third parties are involved in over 80 percent of all Foreign Corrupt Practices Act enforcement actions and present a heightened corruption risk for multinational companies with high volumes of third parties. Evaluating spend on high-risk third parties (e.g., those that are likely to interact with government officials or certain commercial clients) by geography or business line can help identify a lack of discipline in engaging unnecessary third parties, third parties that are unqualified, and third parties that are not performing services to the level necessary or are compensated in a manner that is not commensurate with the standard compensation in the respective region or industry. This type of data is often valuable in identifying areas where spend could be reduced. To monitor high-risk third parties, companies can look to the number of high-risk third parties engaged, the number and location of high-risk third parties involved in investigations or audits, and actual spend compared against the projected budgets for high-risk third parties.
- New market entry: Expansion into new territories or channels to market can create risks through new regulatory touchpoints, operational restrictions, and new partnerships. Inexperience in new markets could make companies vulnerable to inappropriate requests by local government officials or local commercial partners. Companies can use pre-entry projected timelines for key milestones and projected budgets as a baseline for comparing areas where companies’ expectations of entering a market are inconsistent with the reality of entering the market. Delays in achieving milestones or lower-than-expected financial performance can put pressure on the business to take shortcuts or create workarounds to ameliorate the gaps. Monitoring delays in processes, such as obtaining permits, licenses, or registrations, unexpected issues with commercial or government partnerships or ventures, or lower-than-expected financial performance can help identify potential pressure points that may warrant further examination.
- Investigations: Trends in investigations offer key insights into how companies’ policies are communicated and understood and into the effectiveness of the investigations function itself. For example, increased investigations could indicate a need for enhanced policies or additional or more targeted training, tone at the top issues, or challenges related to disciplinary sanctions imposed for substantiated violations. A decrease in investigations hotline reports may indicate fear of retaliation, issues with identifying potential violations, or a lack of trust that investigations will be handled fairly. Companies can monitor the sources of allegations, number of allegations by country, business line, and region, types of allegations, average time before allegations were identified, number of substantiated versus unsubstantiated allegations, and disciplinary actions imposed as a result of substantiated allegations.
- Training: Data related to companies’ training programs can offer insights into the effectiveness of companies’ communications around policies. Training data can also offer insight into whether management is appropriately communicating or demonstrating its commitment to compliance. Comparing training data against investigations data can offer insight into whether there is a need for more effective or targeted training in specific geographies or on specific topics. Companies can monitor the frequency of the trainings, subject matter and format of training sessions, average time to completion, and the effectiveness of quizzes across various training sessions.
Building and operationalizing the framework
The anti-corruption compliance monitoring system will likely undergo several iterations before reaching maturity. The first step for companies to consider is what data is currently available in their various data systems as well as prospective data that will become available with new systems. An important piece of this process, and one that typically poses the greatest challenge for companies, is determining the sufficiency, completeness, and reliability of the data that exists. Where does the data reside? Are there gaps in the same data between different systems? If there are multiple ERP or legacy systems, do they each capture the same information in different ways? Is some information captured by one system that is not recorded in others? Can the data be aggregated in a uniform way? Companies should also consider whether there are any interim stop-gaps that could capture data that is not captured by any existing systems.
Once companies understand where the data resides and have implemented ways to flag or otherwise earmark the relevant data sets, they can begin to organize the data into components that better allow compliance to analyze and evaluate trends and outliers. As companies improve and refine the ways they capture and present data, compliance monitoring systems will undergo various stages of maturity. Described below are general characteristics of the different levels of maturity and evolution of compliance monitoring systems based on how data is captured, organized, and presented. Testing of compliance-sensitive transactions, along with related remediation measures, is performed as part of each of the three stages on the compliance monitoring maturity spectrum.
- Stage 1: Compliance-relevant data is extracted from various systems, such as companies’ ERP systems, procurement systems, Excel logs (e.g., logs inventorying permits, licenses, or relevant regulations), training systems, and investigations systems, into standard Excel templates for review and analysis by the Compliance team.
  - Each data set is presented individually, and basic charts are created for each component of the compliance monitoring system.
- Stage 2: Excel templates are refined into reports and visual dashboards that feed directly from underlying systems data.
  - Because companies have determined what is “normal” based on analysis of previous data over time, these reports and dashboards automatically highlight outliers, significant variation in expenses, or spikes across different geographic regions and business lines.
  - Standardized reports and data visualization dashboards make it easier for compliance to review and identify trends, but each data set is still presented individually.
- Stage 3: Data is consolidated from various system sources via automatic and timely data feeds into a centralized data warehouse.
  - Dashboards built in data visualization tools highlight trends, anomalies, and red flags across the different data sources.
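As an added illustration (not code from the article or its authors) of the baseline comparisons described under “What and how to monitor” and of the automatic outlier highlighting described for the dashboard stage, the following Python script runs three of the article’s checks over a constructed set of A/P payments to designated high-risk accounts: actual spend versus projected budget, spikes relative to each account’s own monthly history, and the share of payments approved only after the fact per region. The account names, regions, amounts, budgets, history, and thresholds are all hypothetical.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample (hypothetical, not from the article): this period's A/P payments to
# designated high-risk accounts, the projected budget, and six prior monthly totals.
PAYMENTS = [  # (region, account, amount_usd, approved_after_the_fact)
    ("EMEA", "customs_broker_fees", 4000.0, False), ("EMEA", "customs_broker_fees", 4500.0, False),
    ("LATAM", "customs_broker_fees", 9000.0, True), ("LATAM", "customs_broker_fees", 8500.0, True),
    ("LATAM", "permit_fees", 1500.0, False),
    ("APAC", "permit_fees", 2200.0, True), ("APAC", "permit_fees", 1900.0, False),
]
BUDGET = {("EMEA", "customs_broker_fees"): 9000.0, ("LATAM", "customs_broker_fees"): 10000.0,
          ("LATAM", "permit_fees"): 1500.0, ("APAC", "permit_fees"): 4000.0}
HISTORY = {("EMEA", "customs_broker_fees"): [8800, 9100, 8700, 9300, 8900, 9000],
           ("LATAM", "customs_broker_fees"): [9500, 10200, 9800, 10100, 9900, 10000],
           ("LATAM", "permit_fees"): [1400, 1500, 1600, 1500, 1450, 1550],
           ("APAC", "permit_fees"): [3900, 4100, 4000, 3800, 4200, 4000]}

def actual_spend(payments):
    """Sum this period's payments per (region, account)."""
    totals = defaultdict(float)
    for region, account, amount, _ in payments:
        totals[(region, account)] += amount
    return dict(totals)

def spend_flags(actual, budget, history, threshold=0.25, z=2.0):
    """Flag pairs off budget by more than `threshold` or more than `z` std devs above history."""
    flags = {}
    for key, planned in budget.items():
        spent = actual.get(key, 0.0)
        budget_pct = (spent - planned) / planned          # deviation from projected budget
        mu, sigma = mean(history[key]), pstdev(history[key])
        z_score = (spent - mu) / sigma if sigma else 0.0  # spike relative to own history
        if abs(budget_pct) > threshold or z_score > z:
            flags[key] = {"budget_pct": round(budget_pct, 3), "z": round(z_score, 2)}
    return flags

def after_the_fact_rate(payments, threshold=0.5):
    """Regions where more than `threshold` of payments were approved only after the fact."""
    counts, late = defaultdict(int), defaultdict(int)
    for region, _, _, post_hoc in payments:
        counts[region] += 1
        late[region] += int(post_hoc)
    return {r: late[r] / n for r, n in counts.items() if late[r] / n > threshold}

def monitoring_report(payments=PAYMENTS, budget=BUDGET, history=HISTORY):
    """Red flags a periodic compliance monitoring report would surface."""
    actual = actual_spend(payments)
    return {"spend": spend_flags(actual, budget, history),
            "after_the_fact": after_the_fact_rate(payments)}
```

On the constructed data, only the LATAM customs broker account is flagged (75 percent over budget and far above its history), and LATAM is the only region where most payments were approved after the fact; the thresholds would in practice be set from each company’s own prior data.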
There is no best-in-class standard for compliance monitoring systems. What works for one company may not necessarily work for another. Rather than striving for the most technologically advanced, data analytics-driven approach, practitioners should aim to design and operationalize compliance monitoring systems that accurately and consistently identify the types of risks specific to their companies and mitigate these risks.
Vera Powell is Senior Counsel, Global Compliance for Uber, and Alice Hsieh is a Senior Associate at the law firm Miller & Chevalier Chartered.