June 4, 2019
With the recent release of their expectations for corporate compliance programs, the U.S. Department of Justice (DOJ) and U.S. Department of Treasury, Office of Foreign Assets Control (OFAC) have provided a detailed roadmap for companies, their management, and directors to follow in implementing and operating compliance infrastructure. In particular, DOJ and OFAC have made clear that oversight of corporate controls developed on the basis of robust and documented risk assessment, subject to testing and reporting to the board, is an essential component of governance.
Is your company’s compliance program meeting the outlined roadmap’s demands? A list of areas for the company and board to assess follows.
The frameworks set out in the DOJ and OFAC guidance emphasize five key control elements against which every board of directors should evaluate compliance:
It is worth noting that the DOJ guidance breaks some of these elements out into multiple parts, whereas the OFAC guidance discusses them at a higher level. Notwithstanding differences in organization, the two documents provide a consistent vision of the agencies’ expectations of corporate compliance programs.
While the guidance coming from both agencies is consistent with the principles of risk-based controls, what has changed is the expectation of U.S. authorities to use the examination of corporate compliance programs as the roadmap of choice when making enforcement decisions (including decisions to decline to pursue enforcement). As such, where a company may be subject to U.S. jurisdiction, the board should carefully scrutinize the adequacy and responsiveness of its compliance program against this framework.
Notably, the guidance released by both DOJ and OFAC stresses the importance of vigorous director and senior management oversight as a critical component of effective compliance infrastructure. U.S. enforcement agencies have long underscored the importance of striking an appropriate “tone from the top” with regard to compliance and have highlighted the significance of direct reporting to the board and senior management on compliance and audit matters.
This guidance provides further insight into the importance regulators place on active compliance oversight. For instance, the DOJ guidance directs prosecutors to evaluate the compliance expertise available to the board and what specific information the board and senior management have examined in fulfilling their oversight role. The message is clear: real oversight requires substantive evaluation of compliance controls and sustained monitoring of their continued efficacy.
There is no ambiguity in the guidance regarding the value DOJ and OFAC place on thoughtful, formalized risk assessment as a foundational element in building and maintaining compliance infrastructure. As OFAC explains, a risk assessment should represent “a holistic review of the organization from top-to-bottom” to “assess its touch points to the outside world,” evaluating the risk profile of the company’s customers, agents and intermediaries, and suppliers, as well as industry and geographical risks raised by the company’s operations.
An effective risk assessment requires consultation with stakeholders across the enterprise to understand the risks posed across the company’s operations and functions. It will serve as the foundation of the compliance program and inform the design of controls and allocation of resources to ensure the effective targeting of risks faced across its operations, as well as the development of an appropriate testing protocol (as discussed below). Moreover, it demonstrates the organization’s commitment and good faith, in the event controls are circumvented and DOJ or OFAC initiate an inquiry.
A documented risk assessment is also a vital tool for those with an oversight role, providing a basis for evaluation of a company’s controls. Given its foundational nature, directors and senior management should take an active role in overseeing an organization’s risk assessment, receiving detailed briefings on the review process and results as well as periodic updates to ensure that the company’s controls address the growth and evolution of its operations and (particularly in the context of sanctions) changes in U.S. law and regulatory guidance. In this regard, the discussion of effective risk assessment in the new guidance should be carefully studied to inform the design of an appropriate process.
A protocol for periodically testing controls to prove their efficacy is one of the central expectations DOJ and OFAC set out in their guidance. Moreover, that testing function must be accountable to senior management. Indeed, based on this guidance, boards should expect DOJ prosecutors to ask “what types of relevant audit findings and remediation progress have been reported to management and the board on a regular basis?” and “how have management and the board followed up?”
A compliance audit should be designed to take an independent, critical look at the company’s controls in light of its risks (as identified in its thorough and up-to-date risk assessment). For instance, testing should assess whether compliance departments are conducting check-box reviews or are substantively engaging in due diligence protocols. The assessment should confirm whether compliance-driven decisions are being made to decline business, decline to hire particular potential employees, or decline to engage with particular third parties.
A strong testing protocol of this nature will encourage compliance departments to maintain a practice of documenting the good work they are doing, an essential (and too often overlooked) element of implementing a program that will stand up to scrutiny in the event of an inquiry. Audits should also probe the efficacy of vendor solutions—such as hotlines and screening tools. A hotline that never receives a call or a vendor screening tool that never produces a false match is difficult to defend to U.S. authorities, but in the absence of an audit, holes in the implementation of such tools are often missed.
The results of a regular and comprehensive compliance audit should provide the board and senior management with the ability to evaluate the program and consider necessary enhancements in light of changes to the business, including whether the program is grounded in the company’s culture, the right resources have been allocated, and the systems and technologies that supplement those resources are adequate. Moreover, there should be constant evaluation of the testing protocols to ensure they are well designed and implemented consistent with the DOJ and OFAC guidance.
DOJ and OFAC have detailed their expectation that directors and senior management overseeing compliance programs—particularly those of a sophisticated and international nature—are substantively and actively engaged in their oversight role and are documenting the basis for relying on their organization’s controls through risk assessment and regular testing. The question is whether boards of directors and management will now make the continuing commitment to build and sustain such programs.
Michael Mann is a partner and Jamie Schafer is an associate at Richards Kibbe & Orbe LLP. David Massey and Audrey Ingram, both partners at the firm, contributed to this article.