This article was featured in Issue 5 of Orbit TRC Magazine, Global Relay’s exclusive publication focusing on Technology, Risk, and Compliance.

“Chief compliance officers and their functions should have true independence, authority, and stature within the company.” That was the message from Assistant Attorney General Kenneth A. Polite Jr. to students on NYU Law’s Program on Corporate Compliance and Enforcement. He said that, to empower chief compliance officers (CCOs) further, his team at the US Department of Justice (DOJ) is considering requiring both the CEO and the CCO to certify that their company’s compliance program is working effectively.

The DOJ is also considering requiring the CEO and the CCO to certify that all compliance reports submitted during the term of a resolution are true, accurate, and complete when organizations must provide annual reports on the state of their compliance programs.

“We are ensuring that chief compliance officers receive all relevant compliance-related information and can voice any concerns they may have prior to certification,” Polite said. “It makes it clear that you should and must have appropriate stature in corporate decision-making. It is intended to empower our compliance professionals.”

The challenges of being a CCO

Polite told his audience that he had been a prosecutor, defense attorney, and CCO during his career, and his CCO role had been the most challenging. “I know the resource challenges,” he said. “You are called upon to be a resource for information, an enforcer of law and policy, and somehow the primary architect of your company’s ethical culture. I have seen first-hand how a strong compliance program can ward off misconduct and empower ethical employees.

“Having served in these three positions, I know that your compliance role is perhaps the most impactful, because you have a direct role in utilizing the most effective tool in addressing crime – you are trying to prevent it in the first place.”

That’s why the DOJ “closely” evaluates corporate compliance programs during its investigations and following resolutions, and gives credit to companies that develop strong programs.

Polite explained how the DOJ evaluates corporate compliance programs to ensure that organizations are designing and implementing effective compliance systems and controls, creating a culture of compliance, and promoting ethical values. “We expect an effective corporate compliance program to be well designed, adequately resourced and empowered to function effectively, and to work in practice,” he said.

The DOJ examines the company’s process for assessing risk and building a program tailored to manage its specific risk profile. This is to ascertain whether the company:

• has implemented easily accessible and understandable policies and procedures to address the key risk areas identified in its risk assessments

• is training employees, management, and third parties on relevant risk areas and responsibilities

• has established a process for reporting law or company policy violations that encourages employees to speak up without fear of retaliation, and is taking those reports seriously, documenting and investigating them, and remediating them if they’re substantiated.

The DOJ reviews key compliance personnel’s qualifications and expertise. It examines whether compliance officers have adequate access to and engagement with the business, management, and the board of directors. It also investigates whether and how a company is ensuring that compliance has “adequate stature” and promotes it as a resource.

“A company’s commitment to promoting compliance and ethical values at all levels – from the chief executive on down to middle and lower-level managers – is critical,” Polite said.

Working in practice

Polite explained that the DOJ looks at whether the company is continuously testing the program’s effectiveness. It wants to be satisfied that companies can identify compliance gaps or violations of policy or law, and address their root causes. And it wants to see how companies use data to improve cultural ethics.

He added: “There is a separate question of whether a company is demonstrating an ethical culture in practice. Do employees feel empowered to bring issues and questions to the management’s attention? Are managers and compliance officers providing ethical advice to salespeople even though such advice may mean loss of business?

“Just as we use data analytics to detect and combat criminal schemes, we urge corporations to consider what data analytic tools they can use to monitor compliance with laws and policies in their operations and to ferret out wrongdoing when it occurs.”

Orbit TRC, offers a unique blend of perspectives for corporates and regulated entities on the latest developments that impact technology, risk and compliance.