Getting Along: Enterprise Risk and Compliance

This article first appeared on the Diligent Insights blog.

If you’re renovating your house, a general contractor is critical. He or she oversees the project and knows what needs to be done to execute the vision. But if the pipes aren’t fitted correctly, the general contractor may not see it until water seeps into the newly laid white oak floors. A general contractor is just that — general. They need the assistance of plumbers and electricians — specialists — to get a real view of the risks to the build.

The same is true in the relationship between enterprise risk (also known as integrated risk) and compliance. There’s currently a debate about whether compliance should be subsumed into a singular risk function. While compliance risk is part of a complete risk function, it needs to be separate and its risk assessment process independently managed.

Compliance Risk Is Distinct

Corporate compliance departments typically deal with a narrow, yet critical, set of risks. These include bribery, antitrust, trade compliance, data privacy, modern slavery, conflict minerals and/or money laundering. In short, the laws managed by compliance have enormous penalties when things go wrong. It’s not uncommon to see fines in the billions and the imposition of a corporate monitor for several years when companies act unethically. This subset of challenges needs its own department, budget and risk monitoring.

Five Best Practices

Enterprise risk management can easily work effectively with the compliance function to ensure compliance risk is understood and responded to appropriately. Here are five best practices to ensure smooth sailing…

How to Keep Whistleblower Reporting Internal (to avoid the regulators!)

Four out of five. Last week, the Anti-Corruption Report quoted the former Chief of the SEC’s Office of the Whistleblower as saying that four-fifths of 2020’s whistleblower awards went to people who reported internally before going to the regulators.[1] Whistleblowers consistently state that they reported externally when they felt ignored by the company. This means compliance officers need to do everything in their power to help whistleblowers feel confident in their choice to report.

Awards Going Up and Opportunities Expanding

Whistleblower awards continue to reach record heights. In October 2020, a whistleblower was awarded a record $114 million. The SEC’s press release stated, “After repeatedly reporting concerns internally, and despite personal and professional hardships, the whistleblower alerted the SEC and the other agency of the wrongdoing.”[2]

Under the US False Claims Act, $7.8 billion has been awarded to whistleblowers since 1986.[iii]

It’s not just America that’s in the whistleblower reward game. Canada, Korea, Ghana, and Slovakia have awards for certain whistleblowers, and the trend is likely to expand to other countries over time.[iv]

Tips to Keep Reports Internal

While there is no silver bullet for keeping all reports internal, there are numerous ways to ensure that whistleblowers feel heard and safe, thereby comforting them and saving the company millions (occasionally billions) in fines and lawyer fees. To a certain degree, it all comes down to communication – both with whistleblowers themselves, but also with the company. Here are some tips to keep reports internal.

Publish Your Data

Many companies are reluctant to publish statistics about their whistleblowing activities for fear that it will paint the company in a bad light. Nothing could be further from the truth. Forward-thinking companies often annually publish:

  • Total number of whistleblower complaints

  • Total percentage of complaints that were substantiated

  • Percentage of disciplinary actions taken for substantiated reports (e.g., 30% verbal warning, 50% written warning, 20% dismissed)

  • Year-on-year statistical changes

When these statistics are published, companies often use the opportunity to celebrate whistleblowers and to reinforce messages about the capacity to report anonymously and about confidentiality. Many would-be whistleblowers don’t report because they feel the company won’t do anything in response. By publishing statistics, employees can see that the company does respond to complaints. Trust comes from knowing that concerns are taken seriously and that action is taken against perpetrators. Transparency creates trust. Speaking of transparency…

Have the CEO Call…

PODCAST: How to Have a Wildly Successful Career in Compliance

Here it is - my big international debut on the Compliance Reloaded Podcast! Compliance Reloaded is a German podcast and this is their FIRST ever English recording! In it, we discuss how to have a wildly successful career in compliance. You’ll find out:

  • How to use personal branding for yourself and your career

  • How to network effectively in a pandemic

  • How much of your life to share online

  • How to be an influencer without writing a single piece of thought leadership

You don’t want to miss this! Note - the first 30 seconds are in German, then the English discussion commences. Enjoy!

How to Make Sure the Periodic Review Gets DONE

There’s merit in the old cliché, “If it ain’t broke, don’t fix it.” Frankly, it makes sense to leave the pieces of your program that are running effectively alone. After all, there’s always something that needs attention, so why bother reviewing things that are doing just fine?

Why? Because of regulators. In the DOJ’s Evaluation of Corporate Compliance Programs guidance, variations of the word “periodic” appear 12 times in 20 pages. In the UK Ministry of Justice’s Guidance on the UK Bribery Act, variations of “periodic” and “review” appear 37 times. Prosecutors expect a periodic review of how your program is operating. Specifically mentioned is a periodic review of:

  • The criteria used in risk assessment

  • The risk assessment process

  • How lessons learned have altered the program

  • How investigations/reports have altered the program

  • How effectively the investigations process is working

Human Nature Gets in the Way

If we know that regulators expect a periodic review of how various pillars of our program are operating, why don’t we do it? Human nature directs our attention to things that aren’t working, rather than spending time memorializing things we decided are fine.

But human nature is a poor defense when sitting across from a prosecutor, trying to explain that you did think about whether your risk assessment criteria were good enough, but since they were fine, you didn’t memorialize that conversation with yourself.

Program Review or Periodic Review?

It’s important to note that the review we’re discussing is specific to various program elements as opposed to the program as a whole. Holistic program review (whether internally performed or done by an outside consulting group like Spark Compliance) is very important. In this blog, we’re discussing how to systematize and document an annual review process that will check the adequate procedure boxes and ensure that you’ve got your ducks in a row if the government comes calling.

The 5-Step How-To

Here’s how to get this done…

How to Create a Post M&A Integration Plan

This is a guest post from Ramsey Kazem, East Coast Vice President at Spark Compliance Consulting.

The pre-transaction due diligence has been completed. The terms of the deal have been negotiated. The agreement has been signed. It is time to pop the champagne and celebrate the acquisition of a new entity that will grow your business, increase your market share, and strengthen your competitive advantage. The hard work is over . . . or is it?

The completion of an M&A transaction is certainly cause for celebration, but it does not mark the end of the work – it only signals the beginning of a new phase: Post-Merger & Acquisition Integration. Post-transaction integration is critical to the overall success of a deal – especially from a compliance and ethics perspective. A company must be proactive and strategic in assimilating a newly acquired entity and its employees into its culture and compliance program. Failing to do so can result in confusion, misunderstanding, and costly missteps (or ongoing misconduct) within the business of the newly acquired entity.

Moreover, in its June 2020 guidance, the Department of Justice stressed the importance of post-transaction compliance integration stating:

“A well-designed compliance program should include . . . a process for timely and orderly integration of the acquired entity into existing compliance program structures and internal controls.”

To meet this expectation, companies should implement a process for creating a Post-Transaction Integration Plan (“Integration Plan”) after the acquisition is completed. The following explains how such a process should be structured.

Developing a Post-Transaction Integration Plan

An Integration Plan is…

Whitepaper Here! Putting Adult Learning Best Practices in Compliance Training!

Compliance training has a bad reputation – one which it has mostly earned. Because of irrelevant scenarios and training that focuses on the legal requirements instead of what the employee needs to know, employees have become turned off and tuned out. There is a better way to give training, and it all starts with understanding adult learning.

We’ve put together a 14-page whitepaper full of practical strategies and easy-to-apply examples to take your training to the next, NEXT level. In it, you’ll discover:

  • Five critical assumptions to apply to adult learners

  • How to use four different types of learning theories for maximum comprehension

  • How to mix in five different types of learning styles to ensure everyone is engaged

  • The top eight trends in compliance training (and how to mix-and-match them)

  • Eight ways to measure the effectiveness of compliance training
