What does a regulator want from compliance - Every senior business leader should spare 10 minutes to read this speech
No matter your location, every senior leader in a corporate should spare 10 minutes to read and digest a speech by Kenneth Polite [KP]. It is packed full of nuggets for Chief Compliance Officers, CEOs and GCs.
One cannot miss the clarity with which KP sets out the DOJ's [REGULATORS] expectations, and the following extract [along with the whole speech as a point of principle] applies to anyone anywhere:
- Today, I want to describe in detail about how we evaluate corporate compliance programs to ensure that companies are designing and implementing effective compliance systems and controls, creating a culture of compliance, and promoting ethical values.
- As our Evaluation of Corporate Compliance Programs guidance makes clear,
- We expect an effective corporate compliance program to be much more than a company's policies, procedures, and internal controls.
- We expect companies to implement compliance programs that:
- (1) Are well designed,
- (2) Are adequately resourced and empowered to function effectively, and
- (3) Work in practice.
First, when we say that we expect a company's compliance program to be well designed,
- We closely examine the company's process for assessing risk and building a program that is tailored to manage its specific risk profile.
- We want to see whether the company has implemented policies and procedures that are designed to address the key risk areas identified in its risk assessments, and that those policies and procedures are easily accessible and understandable to the company's employees and business partners.
- We want to know how the company is training employees, management, and third-parties on the risk areas and responsibilities applicable to those individuals. Policies, training, and other processes should address relevant high-risk elements of the company's business model, such as third-party relationships or mergers and acquisitions.
- We want to see that the company has established a process for reporting violations of law or company policy that encourages employees to speak up without fear of retaliation, and that those reports are taken seriously, appropriately documented, investigated, and—if substantiated—remediated.
Second, when we are evaluating whether a compliance program is adequately resourced and empowered to function effectively,
- We want to know more than dollars, headcount, and reporting lines.
- We will review the qualifications and expertise of key compliance personnel and other gatekeeper roles. We want to know if compliance officers have adequate access to and engagement with the business, management, and the board of directors.
- We seek to understand whether and how a company has taken steps to ensure that compliance has adequate stature within the company and is promoted as a resource. A company's commitment to promoting compliance and ethical values at all levels—from the chief executive on down to middle and lower-level managers—is critical.
Third, we want to see evidence that the compliance program is working in practice.
- We look at whether the company is continuously testing the effectiveness of its compliance program, and improving and updating the program to ensure that it is sustainable and adapting to changing risks.
- We want to know that a company can identify compliance gaps or violations of policy or law. Equally importantly, we want to see how the company addresses the root causes of these gaps or violations and finds ways to improve its controls and prevent recurrence of issues.
- We want to see examples of compliance success stories—the discipline of poor behaviour, the rewarding of positive behaviour, the transactions that were rejected due to compliance risk, positive trends in whistleblower reporting, and the partnerships that have developed between compliance officers and the business.
- We are also interested in how a company measures and tests its culture—at all levels of seniority and throughout its operations—and how it uses the data from that testing to embed and continuously improve its ethical culture.
Link to full speech ➡️
Assistant Attorney General Kenneth A. Polite Jr. Delivers Remarks at NYU Law's Program on Corporate Compliance and Enforcement (PCCE) - New York, NY ~ Friday, March 25, 2022