Speaking at a New York University Law Program on Corporate Compliance and Enforcement, Assistant U.S. Attorney General Kenneth A. Polite Jr. of the Department of Justice (DOJ) made a series of announcements that merit close attention by company chief compliance officers and their colleagues. Mr. Polite emphasized the need for chief compliance officers (CCOs) to be aware of the DOJ's Evaluation of Corporate Compliance Program Guidance and the DOJ's policy to give "significant credit to companies that build strong controls to detect and prevent misconduct."
Mr. Polite also reiterated the criticality of root cause analysis involving violations, misconduct, and compliance escapes - "It is important to demonstrate how a compliance program has been upgraded to address the root cause of the misconduct, and how it is being tested and updated to ensure that it is sustainable and adaptable to changing risk."
With respect to monitorships, he separately re-enforced the messaging from Deputy Attorney General Lisa Monaco from October 2021 that the DOJ will continue to impose independent corporate monitors whenever appropriate to ensure a company complies with its compliance and disclosure obligations. He noted that one factor the DOJ uses to determine whether a monitor is required is whether the company has been able to test its controls and demonstrate they are effective.
Demonstrating the importance of internal controls, he added: "Our message is clear - companies that make a serious investment in improving their compliance programs and internal controls will be viewed in a better light by the [DOJ]. Support your compliance team now or pay later."
He also discussed two potential new certifications to be included in settlement agreements, designed in part to strengthen and empower CCOs. These certifications will require the Chief Executive Officer (CEO) and CCO to confirm that:
- The compliance program is reasonably designed and implemented to detect and prevent violations of the law
- The compliance program is functioning effectively
For companies that do not have an imposed monitor, the certification may require the CEO and CCO to certify in annual self-reports required in settlement agreements that all reports submitted are true, accurate, and complete. Summarizing the proposed certifications, Mr. Polite explained that they are "intended to empower our compliance professionals to have the data, access, and voice within the organization to ensure...that your company has an ethical and compliance focused environment."
Ankura Capabilities
Whether or not an independent monitor is appointed, CCOs should be aware of these potential new requirements and ensure that they have adequate verifiable bases to support their certifications. Having an adequately designed and tested system of internal controls should provide additional mitigation and may avert the need for a monitorship in cases where compliance escapes have occurred.
Ankura's professionals have supported companies in the design, implementation, testing, and remediation of compliance controls in the context of anti-corruption/anti-bribery, export controls, CFIUS national security agreements, sanctions, and other compliance settings. Regardless of the underlying regulations, our approach leverages a structured approach that engages compliance as well as business stakeholders:
Design: Ankura professionals will work with you to identify the applicable regulatory requirements and necessary internal controls (policies, processes, training, systems, etc.) to ensure that the organization and applicable stakeholders understand and are complying with the relevant requirements. For each control, Ankura will assist in ensuring that the controls as designed not only fully align with the requirements but are integrated with applicable business processes to maximize compliance assurance while minimizing redundancy and inefficiency.
Implementation: Once the design is complete, Ankura professionals can work with you to implement the controls. Whether drafting policies or processes, or creating a training plan or content, Ankura professionals seek to make controls easy to understand, accessible, and aligned to and integrated with other organizational controls (e.g., financial reporting). Effective implementation of the controls typically involves robust engagement with the range of business stakeholders to solicit their feedback and minimize unnecessary disruption to the business.
Testing: Upon completion of implementation, Ankura professionals work with internal stakeholders, including internal audit, to prepare for controls testing. This controls testing, typically reviewing the design, implementation, and subsequent operation of the control, provides a basis for the identification of necessary refinements as well as gaps that might increase risk to the organization. This controls testing can also identify potential or actual violations of applicable requirements.
Remediation: Should control testing identify potential gaps or an actual violation, Ankura will work with the compliance team to conduct relentless root cause analysis, pinpointing all relevant root causes. Once root cause analysis is complete, Ankura can work with your team to assess the range of applicable mitigation and remedial measures necessary to prevent a recurrence of the same or similar violation. Ankura's approach focuses on the engagement of all stakeholders and the solicitation of varied perspectives to cover the full range of root causes and the spectrum of effective corrective actions.
Certification: Independent or third-party verification or support for certification can lend additional credibility and assurance that the testing meets regulator or agency expectations. Ankura professionals routinely prepare reports for submission to regulators concerning all aspects of controls design, implementation, testing, and remediation. Should additional testing be required, Ankura professionals can work with you to provide verification that identified gaps and violations have been addressed and that remedial and mitigation measures have addressed the root cause(s) of violations.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.