The US Department of Justice (DOJ) provides tangible insights.
The newest DOJ guidelines for prosecutors evaluating corporate compliance programmes were released in late April — and with them came game-changing insights. While it can often feel as if corporate compliance departments teeter on unclear expectations and conflicting legal advice, this guide gives a clear picture of how a prosecutor may view a programme should something ever go wrong.
Of course, there is no one-size-fits-all solution, and the guide openly acknowledges this fact. Yet for many compliance professionals, it vindicates genuine efforts to implement well-designed, consistently applied, evidence-based risk programmes. For others, these insights might be the fuel they need — and should use — to win executive buy-in and proper resource investment.
The guide begins by asking three fundamental questions about a corporation’s compliance programme as a whole.
1. Is the corporation’s compliance programme well designed?
2. Is the programme being applied earnestly and in good faith…[and is it] being implemented effectively?
3. Does the corporation’s compliance programme work in practice?
Together these questions boil down to one expectation:
Your company must have a realistic, well-designed compliance policy that is actually followed — and you must have proof that it is in place, consistently applied, and actually works.
Essentially, the DOJ wants to make one thing clear. It doesn’t matter if you have a gold-plated compliance policy if it exists only on a shelf. “Paper programmes” — as the DOJ calls them — won’t cut it. A well-designed compliance programme is crucial, but it is not enough, for it must be “implemented, reviewed, and revised, as appropriate, in an effective manner.” The good news? If you are applying these guidelines in earnest — and if you have ready records showing the steps you take to ensure that your compliance programme works — the DOJ would likely look at your situation with far more nuance.
This might seem simple in theory, but let’s get down to the practical, granular questions. Our team has reviewed this guidance for the insights it provides specifically for third party compliance programmes, and in doing so, we have designed the following questionnaire to help you to assess the comprehensiveness of your programme and any potential gaps to address.
Key Questions to Assess Your Company’s Third Party Compliance Programme
- Has your company identified, assessed, and defined its risk profile and risk assessment criteria?
- Is your company’s third party compliance programme based on this risk assessment?
- Does your company consider any of the below when conducting third party risk assessments?
  - Location of operations
  - Industry sector
  - Public profile
  - Size of transaction/deal
  - Relationships with foreign officials
  - Impact of relationship
  - Type of third party
- Are compliance resources allocated based on the level of risk posed? (i.e., Do third parties assessed as higher risk receive higher levels of scrutiny than those assessed as lower risk?)
- Are your compliance standards consistently applied based on the level of risk?
- Are the applications of these standards recorded against a third party record to demonstrate steps taken to mitigate the risk posed?
- Do you have a process in place that routinely monitors and updates your third-party risk information so it stays current?
- Is third party due diligence integrated into the relevant procurement and vendor management processes at your organisation?
- Is due diligence applied to third parties based on the risk they pose? (i.e., Are higher levels of due diligence applied to higher risk third parties?)
- Do you have approval and escalation workflow(s) for third parties, based on red flags/risks identified?
- Do you have a process in place to ensure third parties who do not pass due diligence, or are terminated, do not get hired at a later date?
- Do you have specific, documented processes on how to resolve red flags that result from due diligence? Are these consistently applied?
- Has a transaction or deal ever been halted or altered due to compliance concerns that have arisen during the due diligence and onboarding process?
Policies and Procedures
- Do you have the ability to easily communicate relevant compliance policies to both employees and third parties who are involved in day-to-day operations (e.g., Code of Conduct, Anti-Bribery & Corruption Policy, etc.)?
- Are policies and codes easily accessible and understandable to both employees and third parties involved in day-to-day operations?
- Are third party and employee attestations (sign-offs) to policies and codes recorded?
- Does your company incentivise compliance and ethical behaviour by third parties?
Training and Communications
- Do you train your third party relationship managers about compliance risks and how to manage them?
- Are key third party business partners trained on your compliance standards?
- Does your company have a single repository for all third-party information — and can it be easily accessed by different departments for all third-party-related tasks?
- Does your company record the business rationale for the use of each third party? Can this be readily and easily referenced should the need arise?
- Do mechanisms exist to ensure that the contract terms are appropriate, that the described contractual work is performed, and that compensation is commensurate with the services rendered by the third party?
- Do you have the ability to record the steps and results of the process undertaken to on-board and manage each third party?
- Does your company track red flags that are identified from due diligence of third parties and how those red flags are addressed?
- Are systems in place to actively evolve and improve the compliance programme over time, based on outcomes and changing circumstances?
What do all of these questions really mean in practice? To reiterate an earlier point, by instructing prosecutors to consider these areas when conducting an investigation, the DOJ is putting an emphasis on checking whether your programme “walks the talk”. If regulators come knocking on your door, you must prove that your policies are being put into real practice. Thus, leadership must ensure that compliance programmes include processes that evidence compliance in action — records demonstrating that third-party compliance activities are consistently applied, maintained, and monitored. In essence, the DOJ is telling us that a “paper programme” that is not risk-based, consistently applied, and properly evidenced will not hold water in court.