Bob Conlin is the president and CEO of NAVEX Global, the leader in integrated risk and compliance management software and services.
There was big news in the risk and compliance regulatory space earlier this summer. Many of those in executive leadership may have missed the headlines, but your corporate compliance and legal staff certainly did not. In June 2020, the U.S. Department of Justice (DOJ) published an unexpected update to its Evaluation of Corporate Compliance Programs guidance, just as its author announced his departure from the DOJ. It is the third version since 2016 and the second update in a year.
What’s important about this update?
Managing the intricacies of risk and compliance may seem like a distraction from the core business. However, as both an executive and a team member at a company focused on risk and compliance, I can tell you that couldn’t be farther from the truth. New regulations, evolving customer and societal expectations, and brand-new risks demand board and executive time as well as attention. Consider also that the DOJ and Securities and Exchange Commission (SEC) together levied more than $2.75 billion in corporate fines last year alone. Not only is this most recent DOJ guidance descriptive about how federal prosecutors will approach charging and settlement decisions (read: financial impact to your business), but it is also prescriptive.
The guidance lays out a blueprint of what prosecutors expect to see concerning a company’s compliance program. If you haven’t done so already, now would be a good time to discuss these changes with your chief compliance officer and general counsel. In addition to the explicit direction given, it’s clear the DOJ will be looking at the integrity and robustness of the compliance program in place at any company under investigation.
Perhaps the most debated addition to the guidance is that programs must be “adequately resourced and empowered to function effectively.” In the meantime, my three key takeaways are:
• This guidance provides a blueprint for what the DOJ considers a solid risk and compliance program and its expectations for it to be dynamic versus static.
• If a company is under investigation, federal prosecutors will consider the strength and efficacy of the compliance program when determining individual (bad actor) fault versus system irresponsibility.
• Third parties do not shield you from risk; they magnify it.
It’s this last point I want to cover in a bit more depth.
The risk is yours whether you like it or not.
The DOJ guidance is transparently clear on this issue when it comes to your supply chain and other third parties — vendors, suppliers, contractors, distributors, partners or some other agent. As a business, you assume the risk that third parties introduce to your business when acting on your behalf, regardless of the type of work they perform. Therefore, it is your responsibility to look for and mitigate that risk.
The DOJ essentially directs companies to apply risk-based due diligence to their third-party relationships — and the guidance further suggests they should be able to explain the business rationale for needing the third party at all. This adds an extra layer of consideration when bringing on outside vendors.
The DOJ expects companies to know not only why they require this third party, but the risks they might pose — including third-party company reputations and relationships with foreign officials.
There are compelling business reasons to remain in the center of your company’s core-competency lane and outsource everything else. But supply chains are inherently just that — chains. The DOJ guidance offers a critical reminder: We must evaluate and ensure the integrity of this chain. You don’t need to look very far to see how third parties can introduce risk to your business. What happens when a disgruntled employee of your data processing vendor compromises customer data? Or when your supplier breaks child labor laws? The possible risks are endless.
This prompts another question: How often should a company evaluate the third parties it relies on? According to the DOJ, evaluation should be ongoing, not just once at the time of first engagement. In the guidance update, the DOJ lists a number of ways to monitor third-party relationships, including due diligence, training, audits, and even annual compliance certifications from the third party.
Most companies have some level of third-party risk assessment and due diligence in place. However, it must be more than a box-checking exercise. Data security questionnaires, credit checks and other legal background checks are still essential and are crucial to complete before contracting. But in today’s environment, and according to the Justice Department, it’s not enough.
Here are some questions to ask yourself and your leadership team when evaluating your risk assessment and due diligence practices:
• What is the true scope of our use of third parties, and what do they do? The total number might be surprising.
• When is the last time we applied any security checks or due diligence?
• How do we evaluate and document their performance and look for red flags?
• Are we regularly monitoring their business risk — and by extension, our own — with ongoing external intelligence?
• Do their employees have a way to report issues and red flags to us? What are we doing with that information?
• Do we train third parties on our compliance expectations?
Companies have long relied on third parties for critical functions. And as we have seen in the time of Covid-19, third-party performance failures directly impact business continuity. Increasingly, these outsiders are so integral to the business that they are indistinguishable from internal operations — so much so that you have to view them as part of the business. It’s clear the U.S. DOJ sees it that way, too.