What does a regulator want from compliance - Every senior business leader should spare 10 minutes to read this speech
No matter your location, every senior leader in a corporate should spare 10 minutes to read and digest a speech by Kenneth Polite [KP] - it is packed full of nuggets for Chief Compliance Officers, CEOs and GCs –
One cannot miss the clarity with which KP sets out the DOJ's [REGULATORS], expectations, and the following extract [along with the whole speech as a point of principle] applies to anyone anywhere
- Today, I want to describe in detail about how we evaluate corporate compliance programs to ensure that companies are designing and implementing effective compliance systems and controls, creating a culture of compliance, and promoting ethical values.
- As our Evaluation of Corporate Compliance Programs guidance makes clear,
- We expect an effective corporate compliance program to be much more than a company's policies, procedures, and internal controls.
- We expect companies to implement compliance programs that:
- (1) Are well designed,
- (2) Are adequately resourced and empowered to function effectively, and
- (3) Work in practice.
First, when we say that we expect a company's compliance program to be well designed,
- We closely examine the company's process for assessing risk and building a program that is tailored to manage its specific risk profile.
- We want to see whether the company has implemented policies and procedures that are designed to address the key risk areas identified in its risk assessments, and that those policies and procedures are easily accessible and understandable to the company's employees and business partners.
- We want to know how the company is training employees, management, and third-parties on the risk areas and responsibilities applicable to those individuals. Policies, training, and other processes should address relevant high-risk elements of the company's business model, such as third-party relationships or mergers and acquisitions.
- We want to see that the company has established a process for reporting violations of law or company policy that encourages employees to speak up without fear of retaliation, and that those reports are taken seriously, appropriately documented, investigated, and—if substantiated—remediated.
Second, when we are evaluating whether a compliance program is adequately resourced and empowered to function effectively,
- We want to know more than dollars, headcount, and reporting lines.
- We will review the qualifications and expertise of key compliance personnel and other gatekeeper roles. We want to know if compliance officers have adequate access to and engagement with the business, management, and the board of directors.
- We seek to understand whether and how a company has taken steps to ensure that compliance has adequate stature within the company and is promoted as a resource. A company's commitment to promoting compliance and ethical values at all levels—from the chief executive on down to middle and lower-level managers—is critical.
Third, we want to see evidence that the compliance program is working in practice.
- We look at whether the company is continuously testing the effectiveness of its compliance program, and improving and updating the program to ensure that it is sustainable and adapting to changing risks.
- We want to know that a company can identify compliance gaps or violations of policy or law. Equally importantly, we want to see how the company addresses the root causes of these gaps or violations and finds ways to improve its controls and prevent recurrence of issues.
- We want to see examples of compliance success stories— the discipline of poor behaviour, the rewarding of positive behaviour, the transactions that were rejected due to compliance risk, positive trends in whistleblower reporting, and the partnerships that have developed between compliance officers and the business.
- We are also interested in how a company measures and tests its culture—at all levels of seniority and throughout its operations—and how it uses the data from that testing to embed and continuously improve its ethical culture.
Link to full speech ➡️
Assistant Attorney General Kenneth A. Polite Jr. Delivers Remarks at NYU Law's Program on Corporate Compliance and Enforcement (PCCE) - New York, NY ~ Friday, March 25, 2022
Meet the team of industry experts behind ComsureFind out more
Keep up to date with the very latest news from ComsureFind out more
View our latest imagery from our news and workFind out more
Think we can help you and your business? Chat to us todayGet In Touch
As well as owning and publishing Comsure's copyrighted works, Comsure wishes to use the copyright-protected works of others. To do so, Comsure is applying for exemptions in the UK copyright law. There are certain very specific situations where Comsure is permitted to do so without seeking permission from the owner. These exemptions are in the copyright sections of the Copyright, Designs and Patents Act 1988 (as amended)[www.gov.UK/government/publications/copyright-acts-and-related-laws]. Many situations allow for Comsure to apply for exemptions. These include 1] Non-commercial research and private study, 2] Criticism, review and reporting of current events, 3] the copying of works in any medium as long as the use is to illustrate a point. 4] no posting is for commercial purposes [payment]. (for a full list of exemptions, please read here www.gov.uk/guidance/exceptions-to-copyright]. Concerning the exceptions, Comsure will acknowledge the work of the source author by providing a link to the source material. Comsure claims no ownership of non-Comsure content. The non-Comsure articles posted on the Comsure website are deemed important, relevant, and newsworthy to a Comsure audience (e.g. regulated financial services and professional firms [DNFSBs]). Comsure does not wish to take any credit for the publication, and the publication can be read in full in its original form if you click the articles link that always accompanies the news item. Also, Comsure does not seek any payment for highlighting these important articles. If you want any article removed, Comsure will automatically do so on a reasonable request if you email firstname.lastname@example.org.