For corporations today, just having a compliance program is no longer enough. In the event of an incident, they must prove to U.S. Department of Justice (DOJ) prosecutors that their program is effective.
Fortunately, tips on how to deliver such proof can be found from the same source. In 2020, the DOJ released updated guidance for evaluating the design, implementation and operation of compliance programs. This guidance centers around three fundamental questions. Is the program:
- Well designed?
- Applied earnestly and in good faith, given sufficient resources and empowerment?
- Functioning in practice?
To provide additional clarity, the DOJ then issued the Seven Elements of an Effective Compliance Program, evaluating an organization’s ability to:
- Implement written policies and procedures
- Designate compliance leadership
- Train and educate
- Communicate and report
- Monitor and audit
- Enforce standards
- Respond to issues
Yet even with these further guidelines for support, thorough, timely and effective compliance is easier said than done for busy teams facing expanding workloads and increasingly complex regulations.
This is where the right technology plays a crucial role. Why? It all comes down to the data.
The DOJ’s latest guidance for compliance programs emphasizes concrete metrics as proof of implementation as well as continual, data-driven improvements. Robust tools for tracking and monitoring and advanced analytics can save a compliance team time — and give them an edge. Here’s how.
Implementing written policies and procedures
For this element, the DOJ’s guidance adds two new questions. One asks whether “policies and procedures [were] published in a searchable format for easy reference.” Referring to data analytics, the other question asks whether companies “track access to various policies and procedures to understand what policies are attracting more attention from relevant employees.”
With the right compliance management solutions, organizations can enable quick and efficient updates to standards of conduct guides and ethics policies. They can also add ease and security to how they share and track these policies.
Designating compliance leadership
Here the DOJ focuses on investigating a corporation’s commitment to “fostering a culture of ethics and compliance by senior and middle management,” along with appropriate oversight by the board of directors. This means compliance should be structured as autonomous from management, including direct access to the board of directors or its audit committee.
Compliance management tools can help teams get the right information to the right people at the right time, while streamlining communications and oversight between officers and committees.
Training and educating
The updated guidance covers how a company invests in continued training and development for compliance teams and other control roles. Prosecutors should assess “the steps taken by the company to ensure that policies and procedures have been integrated into the organization, including through periodic training and certification.”
The update also notes that employees should have ways of “asking questions arising out of the trainings,” whether online or in-person, and if “the company evaluated the extent to which the training has an impact on employee behavior or operations.”
A compliance management solution streamlines the process of creating and sharing resources — and lets teams easily track training progress and status.
Communicating and reportingAdhering to the other six elements won’t have as much impact if communications and reporting aren’t effective. DOJ guidance is clear in this regard, asking “whether the company has relayed information in a manner tailored to the audience’s size, sophistication, or subject matter expertise.”
In the case of a reporting hotline, the latest update asks “whether employees are aware of the hotline and feel comfortable using it” and if “the company periodically test[s] the effectiveness of the hotline, for example by tracking a report from start to finish.”
For streamlined and secure communications, data sharing and more, the right technology follows through with comprehensive options.
Internal monitoring and auditing
The DOJ recommends that companies hold thorough, periodic reviews of compliance measures. “Is the periodic review limited to a ‘snapshot’ in time or based upon continuous access to operational data and information across functions? Has the periodic review led to updates in policies, procedures and controls?”
A comprehensive compliance management solution delivers visibility — with confidence-building trackability and reporting — into:
- Internal and external audits
- Peer reviews
Enforcing standardsGoing beyond the usual disciplinary guidelines, the DOJ calls for “Consistent Application”: “Does the compliance function monitor its investigations and resulting discipline to ensure consistency?”
A comprehensive compliance management solution, with real-time tracking, visibility and reporting, helps teams handle standards and investigations in a consistent and objective manner, while communicating clearly.
Responding to issuesIn addressing problems, “Do compliance and control personnel have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls and transactions?”
The updated guidance also asks for “Evolving Updates,” as to whether “the company review[s] and adapt[s] its compliance program based upon lessons learned from its own misconduct and/or that of other companies facing similar risks[.]”
With a compliance management solution, teams get the visibility they need to detect and address issues promptly, and escalate them as needed.
Discover how Diligent’s compliance management solutions can help your organization tackle the DOJ’s 7 Elements and more.