Organizations with a presence in the US are being urged to get their compliance house in order in anticipation of a crackdown on corporate ethics and compliance violations by the Biden Administration.
In an article published this week, Michael Volkov of the Volkov Law Group, warned that the Department of Justice (DOJ) would be “tough on corporate crime and compliance,” and advised companies to “redouble their efforts to implement an effective ethics and compliance program.”
Previous Democratic Administrations have set a precedent of aggressive prosecution of white-collar crime and the Justice Department is pushing companies to elevate the importance of ethics and compliance programs with an emphasis on incorporating corporate culture, continuous monitoring and improvement of the program, and appropriate allocation of resources to ensure the program’s effectiveness.
Volkov also notes that a DOJ focus on COVID-19 pandemic issues will continue “with an increased emphasis on health and safety violations.”
In a recent podcast where Volkov speaks with Tom Fox, the two experts remind us that the Justice Department has provided extensive guidance on ethics and compliance programs and the key update in June 2020 really shifted the focus from a compliance program that looks good on paper to one that is actually effective in practice.
“The one people point to the most is the data requirement that Chief Compliance Officers have to have access to data literally across the corporation,” said Fox. “If you don’t you have to explain why the data is siloed and the CCO doesn’t have access to it.”
Fox notes that this data is just part of the information needed to monitor and improve compliance programs and instead of doing a risk assessment every two or three years you need to do one every time your risk changes and have that flow into your cycle.
There is an acknowledgment that corporate risk profiles are expanding rapidly – The Biden Administration and the Securities and Exchange Commission (SEC) have already fired warning shots over their growing interest in Environment, Social, and Governance (ESG) issues. But one of the key challenges many compliance officers have is exposing these risks, which may have emerged in the silos the regulators are so intent on breaking down.
According to the DOJ, a “hallmark of a well-designed compliance program is the existence of an efficient and trusted mechanism by which employees can anonymously or confidentially report allegations of a breach of the company’s code of conduct, company policies, or suspected or actual misconduct.”
The two main reasons employees do not report misconduct are: lack of confidence action will be taken; and fear of retaliation. A common challenge that often occurs in parallel with businesses that have a disconnect between conduct and culture is that the infrastructure is not in place to enable the transition to a more positive culture. Drawing more attention to the Code of Conduct won’t have the desired effect if the tools in place to expose and resolve misconduct are ineffective.
So, Ethics & Compliance officers are encouraged to ask:
- Is the reporting channel designed, established, and operated in a secure manner that ensures the confidentiality of the reporter’s identity and that of any party mentioned?
- Have you considered alternatives to traditional hotlines that might be more accessible (apps such as Vault Platform)?
- Is a confirmation of receipt of the report given to the reporting person within an appropriate time frame (even anonymous reporters)?
- Does a competent person or department follow up on the reports? Can this person maintain communication with the reporting person and provide feedback (even anonymous reporters)?
- Is a careful follow-up investigation carried out on the report by the designated person or department?
- Is a reasonable time limit set for giving feedback or closing the loop on the report from the acknowledgment of receipt?
- Does your case management and resolution system give you real-time data on the status of ongoing investigations and specific categories of incidents?