DOJ’s Compliance Program Evaluation: Risk Assessment, Policies and Procedures and Third-Party Risk Management (Part III of IV)
To design and implement an effective ethics and compliance program, companies have to conduct a risk assessment and tailor their policies and programs to their risk profile. DOJ’s Compliance Evaluation reinforces this framework for a compliance program.
At the outset, a company has to adopt a specific methodology for its risk assessment, the types of information it will collect and analyze, and the metrics it will use to inform its compliance program.
No longer can a company avoid this requirement by claiming that such an analysis is “obvious” or that it is already part of the internal audit function, since an internal audit risk profile serves a different objective.
A company should commit to a fulsome risk assessment, preferably every three years, with annual check-ups or analyses to address potential changes in its risk profile.
Design of Policies and Procedures
With this foundation in mind, the DOJ Compliance Evaluation asks how a company designs and implements its compliance policies and procedures, who has been consulted in the process, and what role, if any, business units play in the design of such policies and procedures.
DOJ’s Compliance Evaluation continues to inquire how the company assesses whether its procedures have been effectively implemented, and whether the function with ownership of the policies and procedures has been held accountable for supervisory oversight.
Once again, DOJ has emphasized the importance of “operationalizing” a compliance program. A company can craft policies and procedures, and can announce and adopt them, but companies must also ensure that the policies and procedures are implemented and that they are being adequately supervised. In this regard, DOJ underscored the importance of communicating company policies and procedures “to employees and third parties.”
This typically requires that important gatekeepers and policy owners collaborate and communicate with each other to implement policies and procedures and to identify potential red flags as they arise.
DOJ’s Compliance Evaluation looks to the issue of “operational Integration” for compliance programs and raises several important issues.
As an initial matter, companies have to identify the individual(s) responsible for integrating policies and procedures into the overall business operation. This requires the creation and oversight of compliance controls.
In focusing on important functions in this area, DOJ points to the role of: (1) payment systems; (2) the approval/certification process; and (3) vendor management. DOJ is highlighting the bread-and-butter issues of compliance implementation.
In the anti-corruption context, DOJ asks the critical question: how was the misconduct or bribery funded? In other words, follow the money – was it false purchase orders? Petty cash? Employee reimbursements? Discounts? These are very typical sources of funds for illegal bribery, and DOJ wants companies to create robust controls around these specific areas.
Similarly, DOJ wants companies to examine who approved a particular expenditure, third party or vendor that was part of an illegal scheme. If the process did not work in the past, companies have to remediate these controls to make sure they work in the future. Finally, if vendors were involved in the misconduct, companies have to review how vendors are selected and how they are paid.
Third-Party Risk Management
In a clear reflection of the importance of third-party risk management, DOJ’s Compliance Evaluation outlines important issues, some old and some new, relevant to managing third-party risks.
At the outset, DOJ brings a fresh approach to reviewing how companies manage their third parties and incorporate identified risk into the process. DOJ underscores the importance of integrating third-party risk into the procurement and vendor management process. Those companies that have failed to bring together their third-party risk management and procurement functions are woefully behind in this area.
Third-party risk controls have to address basic issues, including the business justification for the third party; the contract management and drafting process, to ensure an accurate description of the services to be performed; agreement on appropriate payment terms; verification of third-party work performed pursuant to the contract; and confirmation that the amount paid is commensurate with the work performed.
In reviewing and approving a third-party relationship, a company has to analyze the incentives created by the relationship, and how the company will monitor the third party’s activities.
In this area, DOJ has injected a fairly new inquiry and requirement. Companies have to train those “responsible persons” on the compliance risks and on how to manage those risks. Additionally, DOJ asks what incentives, if any, a company has created for compliance and ethical behavior by the third party.
DOJ’s Compliance Evaluation repeats many well-known requirements for companies to identify and resolve specific red flags during the due diligence process. In a new twist, however, DOJ asks whether “similar” third parties have ever been “suspended, terminated or audited as a result of compliance issues?” DOJ seeks to ensure that risky vendors are not reauthorized or used again to provide services. While this risk may appear relatively minor in comparison to other areas, recent enforcement actions have focused on situations where prohibited third parties reappeared or continued to be used by companies.