On May 21 - 23, 2018, Compliance Week held their annual conference in Washington D.C., and one of the highlights from their speaker line-up was Rod Rosenstein, Deputy Attorney General at the U.S. Department of Justice. Both our colleagues in attendance and the wider compliance community online were buzzing about his remarks, comments on new policies, and Q&A session with the audience.
Set aside 40 minutes and watch Compliance Week's recording of the session, embedded below for your convenience (the prepared remarks run from 0:00 to 22:30, and the Q&A runs from 22:31 to 39:25).
You can also read a full transcript of his prepared remarks. We've summarized some of the key takeaways and ideas from his keynote for your convenience.
Regulators hope that compliance programs will focus on more than just traditional training and improve their year-round communications.
“I think one of the most significant issues is the ongoing and continuing reminders. Often, companies will put into place a compliance program, maybe people get trained on the first day of the job, maybe they sign a piece of paper or a training program, but what kind of follow up is there? Companies have constant turnover. People are coming and going. It requires a regular update...making it not just a onetime event, but a continuing responsibility of folks in your organization.”
The cost of compliance is money well-spent. The cost of non-compliance is an expensive missed opportunity.
“When a company creates and fosters a culture of compliance, it creates value. Compliance is an investment. Ethical, law-abiding companies can better attract investors and partners. People want to do business with companies that they perceive as honest and reliable. Compliance mitigates risk, making companies more valuable and less likely to encounter unanticipated costs that may result from protracted investigations and penalties.”
Compliance must be operationalized and integrated into your business goals, decisions, and organizational culture.
“Compliance should not be treated as separate and distinct from other business goals. A culture of compliance must be fully integrated into corporate culture. Employees should be trained and encouraged to think about compliance issues in making business decisions.”
The compliance and risk functions within an organization should work together and help each other to truly succeed.
“A company that properly manages its risks through a robust and appropriate compliance function - one that grows along with the rest of the company - will remain ahead of the curve. Our Department does not use a rigid formula to assess the effectiveness of corporate compliance. Each company's risk profile and solutions to reduce its risks warrant consideration. We make an individualized determination in each case.”
Compliance officers should be prepared to answer two fundamental questions if they ever come under investigation, and have data to support their answers.
"First, what was the state of the compliance program at the time of the improper conduct? Second, what is the current state of the compliance function, after remediation to address any lessons learned?"
There are four significant factors the DOJ will weigh when they conclude an investigation and evaluate what penalty or punishment to impost on a corporation:
1) How egregious was the nature of the conduct and violation?
2) Did the company voluntarily disclose the violation?
3) Did the company take appropriate remedial action?
4) Did the company cooperate with the DOJ to help identify the wrongdoers?
If a company expects to be treated like a victim in the wake of employee wrongdoing, they're expected to act like a victim, too.
“Somebody who is a victim of a crime is going to be eager to assist the government in catching the perpetrator, and so, the company that comes in early and discloses misconduct, that cooperates with us in pursuing individual violators, and then takes remedial action to ensure it won't happen again is going to get the most consideration when we determine whether or not to pursue charges and what sort of financial penalty to exact.”
Compliance is a living, breathing component of your culture that needs constant attention and evolution.
“People ought to understand that these policies are not just written there in order to satisfy some bureaucratic requirement but it's actually a reflection of corporate culture. When you go into companies that operate that way, you see that; you see the messaging from corporate CEOs, people hear about it in their interviews, they learn about it in their orientation programs, they see the company take appropriate action when there are violations. So that's what the department is looking for; it's really whether or not there is a compliance program that was designed with the companies risk profile in mind, that evolves to fit new challenges, and is actually implemented in a way that all employees of the corporation understand it.”
Compliance Takes a Front Seat
So what does all of this mean for you? Much of what Rosenstein said is likely aligned with how you feel about the role your ethics and compliance team plays within your organization. Comments like these are valuable tools when you're making the case for more resources, a new hire, or a seat at the table.
- If your colleagues believe that ethical behavior and a compliant culture can't be a differentiator or benefit to your bottom line, the Department of Justice feels it can.
- If your C-suite thinks compliance shouldn't collaborate across functions and be in the board room for strategic meetings, the Department of Justice thinks you should.
- If you've unsuccessfully been trying to justify additional investment in your E&C program to improve it every year and do more than just annual training, the Department of Justice thinks that should change.
One thing is certain: the expectations that regulators and employees have for ethics and compliance programs are evolving. The effectiveness of your program and culture of your organization are dependent upon your ability to adapt.