
Page 1: THE NEW DOJ GUIDANCE EXPLAINED - Red Flag Group

www.redflaggroup.com

THE NEW DOJ GUIDANCE EXPLAINED

Webinar

April 5 2017

Page 2

Presenters

Christopher Sindik, Director of Marketing, The Red Flag Group

Paul Johnson, Product Director, The Red Flag Group

About The Red Flag Group

The Red Flag Group is a global professional services firm specializing in integrity and compliance risk. We have completed over 500,000 due diligence reports for thousands of companies in the past 10 years and work with many Fortune 500 companies.

Page 3

Agenda

What are the guidelines?

What changes and stays the same?

Where are the rest of the guidelines?

Why did the DOJ release these?

Examination of questions and related best practices

Questions?

Page 4

What are these guidelines?

“Evaluation of Corporate Compliance Programs” –What the DOJ asks companies when they become aware of misconduct

Released on February 8, 2017

8 pages containing 119 questions

Focus on bribery and corruption via references

Not so much guidelines as questions

“Sample questions that the Fraud Section has frequently found relevant in evaluating a corporate compliance program”

Page 5

What changes and what stays the same?

There aren’t any major new guidelines in this document, but it adds finer detail to the broad strokes of earlier guidance and gives insight into what the DOJ considers “effective”.

Not much has actually changed, but this is more detailed guidance on the areas of focus, and on what you might hear from the DOJ.

Many references to other materials by DOJ and others

Page 6

Where are the rest of the guidelines?

The 8 pages they released are it but there are other documents referenced

Plenty of other information in:

The FCPA Guide (pages 57-66)

US Attorneys’ Manual 9-28.800 Comment

US Sentencing Guidelines § 8B2.1

OECD Handbook

All have varying degrees of robustness and practical guidance

Page 7

Why did the DOJ release these guidelines?

Did not give an exact reason

Wanted to provide specific questions to think about and real examples of where they have looked

Increase enforcement action on the horizon?

In response to compliance failures

Able to say “did you read the guidelines?”

Compliance is part art and part science

No one size fits all programme

Page 8

Contents of the guidelines

119 questions asked when the DOJ learns of misconduct

Page 9

Contents of the guidelines

Processes

Look at what should be in place at corporate compliance programmes:

Systems

Authority

Resources

Page 10

Contents of the guidelines

Lessons learned from past failures

Major themes

Ownership and who is involved

Resources and how it is done

Concrete examples

Page 11

What are the 119 questions?

What does this mean?

Looking at what you are doing and how it is done. Existence and effectiveness.

Concrete examples

TYPES OF QUESTIONS (chart)

36% of questions are “How…?”

34% of questions are “What…?”

16% of questions are “Have or has…?”

7% of questions are “Who…?”

7% of questions are other types

Page 12

Why questions with no answers?

No “one-size-fits-all” compliance programme

Much depends on the industry, size and risk profile of the company

Much harder to provide the answers

They want companies to examine this on their own

Even if they could provide an answer “you should do x to evaluate third parties” it would not be the correct answer for every company

The exercise of answering the questions can expose compliance weaknesses

Page 13

11 Sections of the guidelines

Analysis and remediation of underlying conduct

Senior and middle management

Autonomy and resources

Policies and procedures

Risk assessment

Training and communications

Confidential reporting and investigation

Incentives and disciplinary measures

Continuous improvement, periodic testing and review

Third party management

Mergers and acquisitions

Page 14

One very special section

All of the sections carry references to the USSG, FCPA Guide, OECD Handbook and USAM except one…

Analysis and remediation of underlying conduct

Why is this the only one? Why is it so special?

It specifically focuses on what the company has done to improve its programme in the face of adversity:

What specific changes has the company made to reduce the risk that the same or similar issues will not occur in the future?

Were there prior opportunities to detect the misconduct in question, such as audit reports identifying relevant control failures or allegations, complaints, or investigations involving similar issues?

What is the company’s analysis of why such opportunities were missed?

Page 15

Senior and middle management

Leading by example and buy-in

Page 16

Senior and middle management

Regular communications at all levels of the company

Endorsements, signatures of policies and code

Budget and headcount for compliance

What concrete actions have they taken to demonstrate leadership in the company’s compliance and remediation efforts?

Discipline at high levels (compliance over profits)

Time with compliance

Growth of compliance in the company over time

Consistency and not just symbolic gestures

Page 17

Senior and middle management

Information can’t be kept in a silo

Use of big data, analytics, AI in the compliance function

Cross departmental meetings and involvement of compliance at the middle manager and executive level

How is information shared among different components of the company?

Frequency (real time, weekly)

Quality of data that is shared (both supportive and problematic)

Avoidance of a paper programme

Page 18

Autonomy and Resources

Qualified, capable and funded

Page 19

Autonomy and resources

It is a huge question

What role has compliance played in the company’s strategic and operational decisions?

Compliance needs to be ingrained into operations

Not just a roadblock to doing risky business

Seat at the decision making table

• M&A, third parties, new markets, investigations, audits, hiring, firing, GTE (gifts, travel and entertainment), COI (conflicts of interest), training, policies, sustainability, etc.

• All need to have some oversight by compliance

Page 20

Autonomy and resources

Have there been times when requests for resources by the compliance and relevant control functions have been denied?

• Great to see this on the list as a compliance professional

• Not just people but also tools and other resources.

• There are times when it is reasonable to deny compliance’s request for resources, but they are looking to see that the company didn’t starve compliance.

Poll question

Page 21

Policies and procedures

Practical and understandable

Page 22

Policies and procedures

What has been the company’s process for designing and implementing new policies and procedures?

Every company needs to make a policy on how to make a policy

Benchmark it against others in the industry

Example: a GTE limit of less than $150

Easily understood by the target audience

Comprehensive

Include learning aids

Have some style to make it more memorable and approachable

Page 23

Policies and procedures

How have they been rolled out (e.g., do compliance personnel assess whether employees understand the policies)?

The best written policies do nothing if they aren’t read, remembered or understood

Need a bit of fanfare for new or updated policies

Policies regarding social media, human rights, political dealings, sanctions

Replace the old policies in all locations

Verify new policies are being followed

Certifications and training to go along with key topics

Page 24

Risk assessment

Methodology and follow up

Page 25

Risk assessment

Inside and outside effort for objectivity and benchmarking

Rank risks in terms of likelihood and severity

What methodology has the company used to identify, analyze, and address the particular risks it faced?

Need to look at all 3 elements: Identify, analyse and address

Methods can include

Culture and knowledge surveys

Interviews, onsite audits, document review

Process review and workflow

Follow-up plan, heat maps

ID risks, rate them, establish controls

OECD compliance handbook (pages 10-14)

Page 26

Training and communications

Curriculum and disclosures

Page 27

What analysis has the company undertaken to determine who should be trained and on what subjects?

Training and communications

Not done by job title necessarily

Look at actions

Locations of high risk

(see Risk Assessment process)

Where have failures been or reports been made?

Companies need to show that they gave the right people the right training

• How much is enough? Depends on the risk of that employee

• Resourcing constraints

Page 28

What communications have there been generally when an employee is terminated for failure to comply with the company’s policies, procedures, and controls (e.g., anonymized descriptions of the type of misconduct that leads to discipline)?

Training and communications

Public name and shame

Could be used as case study training

Compliance newsletter or space in other company comms.

Learning from your lessons

People know that policies are being enforced

• Constant theme with these guidelines

Don’t give a how-to on breaking the rules

Page 29

Confidential reporting and investigation

Analysis and investigations

Page 30

Reporting and Investigations

How has the company collected, analyzed, and used information from its reporting mechanisms?

Standard methods: phone, email, website, postal, fax

Newer channels: text, social media, apps, automated systems, AI

Escalation process in place to audit committee and board if needed

Metrics to examine trends:

• What percent are substantiated

• What are the outcomes of the reports? (discredited, disciplinary action, etc.)

• Type of misconduct

• Location and functions involved

Root cause analysis

Page 31

Reporting and Investigations

How has the company ensured that the investigations have been properly scoped, and were independent, objective, appropriately conducted, and properly documented?

Objectivity – Using outside help, language capabilities, avoiding COI

Look at an investigations team with cross function capabilities

Forensic accounting, fraud examiners

Issues must be addressed

Page 32

Incentives and disciplinary measures

Accountability and setting examples

Page 33

Incentives and disciplinary measures

Have there been specific examples of actions taken (e.g., promotions or awards denied) as a result of compliance and ethics considerations?

POSSIBLE PUNISHMENTS FOR: not completing training, missing certifications, poor supervision of others, lack of guidance

POSSIBLE REWARDS FOR: setting example, training others, compliance champion or duties, certifications or training

Shows that the company is looking at compliance and has some concrete benefits/discipline associated with it

Page 34

Incentives and disciplinary measures

Holding managers accountable is appropriate in some cases but not mandatory

Yes – pressure for profits, encouraged, concealed or turned a blind eye

No – procedures followed, training given, voluntary disclosure, cooperation, “bad apple”

Examine communications, training and available tools

Setting the tone from the middle and top

Turning a blind eye to misconduct

Institutional misconduct

Were managers held accountable for misconduct that occurred under their supervision?

Page 35

Continuous improvement, periodic testing and review

Good is never good enough

Page 36

Improvements, testing and review

What types of audits would have identified issues relevant to the misconduct?

Financial audits, on-site, interviews, GTE, COI, real time transactional monitoring, third party audit, predictive analytics

Compliance audit

New business units, subsidiaries, decentralized BUs

Getting out of silos (ABAC, COI) and looking at other functions (HR, Procurement, IT, etc.)

On-the-ground

Third party assessments – due diligence

Page 37

Improvements, testing and review

Depends on the state of the programme in many cases

If a programme is deficient, as soon as possible

If a programme is in relatively good shape:

Risk assessment: at least every 2 years

Policies: each year

Procedures: each year

Practices and activities: real time

How often has the company updated its risk assessments and reviewed its compliance policies, procedures, and practices?

Page 38

Third party management

Their risks are your risks

Page 39

Third party management

Asking if the remediation process matched the risk presented

Any combination of:

Questionnaire, approvals, documentation, certification

On-site audits, interviews, training and added processes

Risk score all third parties

Look at not only country and industry but spend, work being done, volume, etc.

Can’t rely on the reputation of a company or on “clean” countries (e.g. South Korea)

How has the company’s third-party management process corresponded to the nature and level of the enterprise risk identified by the company?

Page 40

Third party management

Look beyond just ABAC and consider a wide variety of risk areas

Not just red flags but looking deeper in yellow flags

Know what types of risk to research for each third party

Reputational, media, legal and watch list screened

Were red flags identified from the due diligence of the third parties involved in the misconduct and how were they resolved?

Poll question

Page 41

Mergers and acquisitions (M&A)

Acquiring a company and all its baggage

Page 42

Mergers and acquisitions

Looking at risks in supply chain

What has been the M&A due diligence process generally?

Running thousands of parties through a DD process

• Segment

• Risk rank

• Address yellow and red flags

• Review serious issues

• Set up remediation tactics

• Monitor, measure, manage

Some do both pre- and post-acquisition DD

• There is a window for post-acquisition DD

Page 43

Mergers and acquisitions

Understand the culture of the new company

What has been the company’s process for implementing compliance policies and procedures at new entities?

Centralized versus decentralized process

• Trust but verify

Look for the best of both programmes (policies, procedures, processes)

Larger programmes are typically more robust than those of smaller companies

New certification, training, visits, audits

Page 44

Conclusions

The evaluation guidelines provide very clear insight into what questions will be asked if the DOJ comes around

Are you prepared?

Good exercise to see if you know the answers to these questions

Reinforces focus that regulators have

Major themes

• Lessons learned from past failures

• Ownership and who is involved

• Resources and how it is done

• Concrete examples

Page 45

UPCOMING WEBINAR

Finding the unexpected: How to effectively build and manage your Gifts,

Travel and Entertainment policy

Thursday, April 20th

9 am PDT, Noon EDT

Managing your Gifts, Travel and Entertainment (GTE) is no easy task. It is one of the most common ways for compliance failures to occur, particularly in the areas of bribery and corruption. However, providing reasonable GTE to customers, vendors and suppliers is a part of any business. The government expects clear controls to be in place to prevent irresponsible, unreasonable and lavish GTE from companies to government officials or even other businesses.

Page 46

QUESTIONS?

Page 47

Integrity due diligence reports

Compliance screening

Investigations

Proactive monitoring

Professional services

Compliance technology solutions

Supply-chain risk management

Compliance training

Compliance outsourcing

Page 48

Connect

Website: www.redflaggroup.com

Email: [email protected]

Webinar schedule and recordings www.redflaggroup.com/webinars

Follow us Twitter: @redflaggroup LinkedIn: The Red Flag Group

Email your feedback and comments to [email protected]