After compliance officers had sifted through the updated Department of Justice’s Evaluation of Corporate Compliance Program’s guidance, the most popular question we received was, “I understand that I need to have data, but where do I find it?”

In the DOJ’s new guidance (published earlier this month), an entire paragraph was added on data analytics and data analysis. Specifically, the new guidance tells prosecutors to ask a company under investigation, “Do compliance and control personnel have sufficient direct or indirect access to relevant data sources of data to allow for timely and effective monitoring and/or testing of policies, controls and transactions?” The requirement to obtain and analyze data isn’t just in the new guidance. It’s become a theme at the DOJ. Matt Kelly of Radical Compliance notes, “In several speeches over the last year or so, the Justice Department has talked about the importance of data analytics when looking for misconduct.”

We know we need data, but where can we get it? There may be more data available than first meets the eye. Where do you start? Consider the following ideas for data collection from the compliance, legal, HR, audit, finance, IT, and procurement departments. You can also download this handy checklist to help you find the data you need.

Compliance-Related

The obvious place to start is with compliance-related systems. Do you have any of the following?

• Third-party due diligence software

• Policy management software

• Conflicts of interest management software

• Investigations management tools

• eLearning modules

• Risk assessment and tracking software

• Gifts and hospitality register

For each program you have, call your vendor representative and ask about the data analytics that can be gathered from the system(s). You may think you know everything about running reports, but software companies are continually updating the ability to parse data into usable information. Ever since the original DOJ Guidance on evaluating compliance programs focused so intensely on proving the effectiveness of the compliance program, technology vendors have stepped up to develop advanced metrics within their software. Find out everything you can from the systems you already have.

You can also obtain your own data using:

• Focus groups

• Surveys

• Questionnaires

While compliance-related systems are a good place to start, other data will give you a much greater understanding of the state of the company. You can begin your search for more data with the Legal Department.

Legal

Many Legal Departments have contract management software that will help you find information. Some contract management software can do keyword searches. Other software can separate contracts using tags for important terms, or by contract amount. You may be able to find out the…

I couldn’t be more excited to be joined by Tony Charles from Steele for a fast-paced webinar to discuss the Top Ten Lessons for Compliance Officers from the DOJ’s Updated Program Evaluation Guidance! Join me on Tuesday, June 23rd at 11:00 a.m. Eastern time as we dissect the DOJ’s updated guidance, and provide crucial how-tos and what-to-do-nows. Register HERE: https://bit.ly/2Bh5gvD

This is a guest post by Ramsey Kazem, East Coast Vice President, Spark Compliance Consulting

“So, boys, what did we learn?” That was the question my football coach would ask the offense after our first couple of possessions. He was asking for our perspective on our game plan. What was working? What was not? What was the defense doing that we did not expect? What adjustments do we need to make to more effectively move the ball down the field and score? It was a simple question, but an important one. Our answers often made a difference between winning or losing.

For the past three months, the COVID-19 shutdown has challenged businesses across the country. Business as usual was anything but usual. For many companies, tried and true business practices were suddenly unworkable, ineffective, and, in some instances, illegal. To keep their business running, these companies were forced to implement new and untested processes, override existing procedures, and invent creative solutions to meet novel problems. While these challenges brought hardship, it also caused companies to be innovative and more open to changing the ways they conducted their day-to-day business activities.

While most of us are ready to return to life as normal, does that mean we should go back to the pre-COVID-19 ways of doing business? Maybe. But before we do, we as compliance professionals must ask the simple, but important, question: What did we learn?

Do Not Let This Crisis Go to Waste

As we begin the slow process of re-integrating into a post-COVID-19 world (hopefully!), it may be tempting to discard the past three months as a once-in-a-generation occurrence and return to business as usual. This perspective, however, overlooks the possibility that this crisis, like most crises, has a silver lining. That is, the chaos and uncertainty of the past three months provided a real-world case study of the effectiveness of your company’s compliance game plan. The crisis likely also provided some important insights and lessons for improving the overall effectiveness of the compliance program.

As companies across the country get back to work, compliance teams should initiate a “what did we learn?” campaign to better understand the business activities over the past three months. This campaign should solicit information from a cross-section of the company (including the various business functions, departments, and units) and focus on the following topics:

In response to popular demand, we’ve created a shareable whitepaper highlighting the Top Ten Lessons for Compliance Officers from the Update to the DOJ Program Evaluation Guidance (and what to do NOW in response to it). You can download the document HERE.

In April of 2019, the Department of Justice issued its game-changing Evaluation of Corporate Compliance Programs guidance. The guidance was a feast for the compliance profession. The format of the guidance came in questions a prosecutor would ask in an investigation, which in turn signaled the answers a company would be expected to give.

On June 1, 2020, the DOJ updated its guidance document to reflect, as Assistant Attorney General Brian Benczkowki said, “additions based on our own experience and important feedback from the business and compliance communities.[i]”

The new language in the guidance is fascinating because it sets out the updated expectations of prosecutors. Companies are once again on notice that the line in the sand has shifted, and they need to respond now to meet those new expectations. Following are the top ten lessons compliance officers can learn from the new guidance, and what to do now to update your program based on this new information.

Lesson One: Today’s Best Practices are Becoming Expectations Already

At Spark Compliance Consulting, when we do compliance program reviews we include recommendations for immediate changes, as well as more aspirational best practices that we’ve seen in more advanced programs. The new DOJ guidance includes references to many of these best practices, meaning that they are likely to become expectations in the very near future. These best practices include:

• Ensuring that online training programs have “a process by which employees can ask questions arising out of the training.”

• Conducting post-acquisition auditing at newly acquired entities.

• Ensuring that the “company engage(s) in risk management of third-parties throughout the lifespan of the relationship.”

• Making micro-training available. The guidance notes that companies have “invested in shorter, more targeted training sessions to enable employees to timely identify and raise issues to appropriate compliance, internal audit, or other risk management function.”

• Evaluating “the extent to which the training has an impact on employee behavior.”

There are challenges here. Most online training programs do not have the capacity to pass questions along automatically to the compliance department, and many training companies do not yet have micro-learning available. In addition, tracking how training affects employee behavior is a big undertaking.

WHAT TO DO NOW: Review the list above and determine whether you can implement any of these practices. If you can, do so. If you cannot, begin planning to implement them in the future. Contact the technology providers with which you have relationships and ask them when their technology will be updated to accommodate these expectations.

Lesson Two: You Need Access to Data…

In April, we did a survey asking what areas of a compliance program you wanted to learn about most. Overwhelmingly, the top answer was an in-depth class on how to perform risk assessments. Good news! We listened and are currently filming the online course, “Risk Assessments Made Easy.” In this course, you’ll learn:

• How to properly scope your risk assessment to set you up for success

• Tips and tricks for document gathering so you don’t miss important information - or get swamped with an impossible number to review

• How to choose the best interviewees, and how to ask questions effectively to suss out risk

• A robust methodology that you can apply immediately to produce a strong and defensible assessment

• Information on creating mitigating strategies and a roadmap for implementation of your recommendations for program improvement

Most importantly, you’ll receive templates to help you every step of the way through your risk assessment. You can use the course to perform single-risk assessments or to review multiple risks facing your program. The course will be out by the end of June. Stay tuned!