- What efforts has the company made to implement and monitor policies and procedures that reflect and address the range of risks it faces, including changes to the legal and regulatory landscape?
- Has the company taken reasonable steps to ensure its compliance and ethics program is followed, including monitoring and auditing to detect criminal behavior? Has the organization’s program effectiveness been evaluated periodically?
- How does the company engage in the permanent control of its third parties?
These are the questions that prosecutors are responsible for asking when assessing how comprehensive, responsive and effective a compliance program is during a Foreign Corrupt Practices Act (“FCPA”) investigation. The FCPA is not the only cross-border anti-bribery law that emphasizes the importance of oversight. The UK Bribery Act also identifies compliance oversight as one of its six principles and recommends that organizations monitor to prevent corruption, but what exactly is compliance monitoring and where does it fit into compliance programs?
What is compliance monitoring in general? Why is this needed?
Due to the FCPA’s clear stance on the need for effective and comprehensive ethics and compliance programs, many international companies have already designed and implemented their programs. They have allocated significant resources to identify their needs and create tailor-made programs that work honestly and effectively in practice. As a result of these efforts, the FCPA also expects an appropriately designed compliance program to mitigate and control risks and respond quickly to prevent misconduct and non-compliance before those risks turn into harmful situations for a company. But how can businesses tell if their compliance programs are working effectively? How can they detect weak points that require improved control mechanisms? How can they ensure that their employees fully understand and correctly apply company policies and procedures? This is exactly what compliance monitoring is designed for.
Compliance monitoring is the most essential mechanism of compliance programs as it allows companies to recognize whether their compliance program has been implemented in practice and whether it is feasible, responsive and tailored to the characteristics of the business.
Compliance monitoring, as the most effective tool in compliance programs, concisely means “monitoring” the operations and activities of the company, both in light of local and binding cross-border regulations and local and global corporate policies, procedures and ethics. A compliance monitor should initially monitor whether a company’s activities comply with local and cross-border laws, regulations and practices, and if necessary, should seek cross-border legal support to ensure regulatory compliance. However, a single regulatory compliance check will not be enough, as companies typically operate in a dynamic business environment. Business activities and services can change quickly; for example, companies may engage in mergers and acquisitions, enter into new business with public entities and / or cooperate with new private business partners. For this reason, the effectiveness of risk assessment and monitoring should be reviewed periodically to ensure that compliance programs remain relevant in the face of changing business conditions.
Corporate policies and procedures, especially in multinational companies, may be more stringent than applicable laws or may require higher standards. Therefore, it is first essential to understand a company’s internal policies, principles and standards and to monitor its operations against these standards in order to detect any unexplained deviations and unapproved concessions. The consistency of policies and principles with the factual situation and characteristics of a company must also be monitored. The controller should consider that a company’s policies, procedures and standards may not be adaptable or responsive depending on its size, operations, location, jurisdiction, etc. During an audit or investigation, both the audited firm and the authorities primarily check whether the company’s own policies and procedures have been ignored or non-compliance has been authorized. If such shortcomings were detected at this stage, a defense that “company procedures have been abolished and do not apply to company operations” would not be accepted. Therefore, in light of the “do what you write” principle, compliance monitors must act proactively if they realize the need for a company to change its policies and procedures. Sometimes these changes may not be accepted globally and may force subsidiaries to apply different practices locally. In such situations, to prevent self-directed practice, certain sui generis actions and decisions may be taken by management to ensure compliance with local standards and not to allow out-of-specification activities. This is a point that differentiates monitoring compliance from an audit; compliance monitors are put in place to detect both the non-compliance and its root cause. They don’t monitor to punish a business, but rather to take the right steps to ensure compliance before an audit.
Understanding the relevant industry is also crucial for monitoring compliance. Compliance oversight requires oversight of operations and decisions with a general business mindset, business logic, industry specific needs, relevant compliance software, and operational rules. Indeed, certain non-conforming practices can be hidden behind completely legal activities; however, when monitoring with a broader perspective and a business mindset, such activities may be found to be unreasonable for a business or industry. Therefore, we strongly recommend that compliance professionals unfamiliar with an industry receive the assistance of an industry experienced monitor. In almost every industry there are gray areas and unregulated activities that require further monitoring to prevent non-compliant practices that can be easily hidden.
Monitoring results provide a roadmap
“Prosecutors should also verify whether a company has taken ‘reasonable steps’ to ‘ensure that the organization’s compliance and ethics program is followed, including monitoring and auditing to detect criminal behavior’ and ‘periodically assess the effectiveness of the organization’s program’.”
The DoJ’s compliance program assessment refers to the above provision to emphasize the purpose and importance of compliance monitoring.
Business leaders can demonstrate their determination in implementing a compliance program by: (i) carrying out ongoing compliance monitoring; (ii) allocating sufficient budget, staff and resources; (iii) empowering the monitoring function by taking the monitoring results seriously; and (iv) setting the tone and taking immediate action to address the monitoring results. Employees should be educated and encouraged to support compliance controllers in order to achieve accurate and transparent results. Compliance monitoring is not an audit, so monitoring results that demonstrate poor compliance can be addressed with a remediation program. A worst-case scenario, which could have more serious consequences, would be inaccurate control results concealing a fault which is then revealed during an audit or investigation.
The “continuous” nature of monitoring is critical. It must be considered that the “non-conforming” characteristics of certain practices result from their recurring nature, and they can therefore only be revealed through regular and permanent control.
Compliance monitoring is the central tool of all ethics and compliance programs, enhancing their effectiveness and practicality. Companies can only ensure compliance with national and / or international regulations (both for on-site and internal operations) with an effective compliance monitoring process. Well-designed compliance oversight should be tailored to reflect a company’s characteristics, size, country of operation and the unique dynamics of its industry. Compliance monitoring should be carried out on an ongoing basis and its consistency and effectiveness should be assessed periodically. It should be noted that enforcement authorities will not only consider whether there is a compliance program; they will focus on its implementation, its enterprise-wide application, senior management’s support and oversight in creating a culture of compliance within the company, and the appropriate allocation of resources and budget.