Did you catch this subtle update in the March 2023 version of the DOJ’s Evaluation of Corporate Compliance Programs?
“…designed to detect [AND PREVENT] particular types of misconduct…”
The DOJ added this phrase twice when describing how prosecutors should evaluate whether a compliance program is “well designed”. Many of us have seen the consequences when companies rely on detective measures alone. Preventive measures are now not only a DOJ expectation, but also good for business.
When considering how to incorporate preventive measures into your compliance programs, what are some ways your company can use existing detective systems to prevent misconduct from happening in the first place? Here are three ideas:
Risk assessments as an awareness campaign:
Administering a risk assessment program usually includes a combination of questionnaires, interviews, and data analysis. Are you also administering your risk assessment program as a risk awareness campaign? Do you have the right levels of leadership engaged in the process? If not, you may be missing an opportunity.
Empowering the right leaders with information about what the company is currently doing (and NOT doing) to address risks in their organization can create valuable advocates and empower your first line of defense. Here is a great article by Adam Balfour on this topic: Six Ethics And Compliance Topics That Leaders Can Easily Talk About With Their Teams
The root cause analysis:
For those of you counting, the phrase “root cause analysis” shows up 6 times in the DOJ guidance. Of course, root cause analysis is inherently reactive. However, the findings of your root cause analysis are the backbone of securing preventive measures to make sure the issue in question – or others like it – does not happen again.
Often, teams are fatigued at the end of investigations. While insights may be top-of-mind in the short term, business moves on, employees turn over, and leaders reallocate resources. Make time for the root cause analysis and track those findings in a way that will remain top of mind for the right audience in your organization.
Hotline data – your canary in the coal mine:
Your company’s ethics hotline is the cornerstone of detective compliance measures – providing a resource for reporters to share their observations and concerns. But what about insights from trends in reporting activity? Aggregated hotline data can be used to identify risks and gaps in training, policies, monitoring, and controls. For example, does a particular business unit or region:
- Report more frequently on a particular issue?
- Report anonymously more often than others?
- Produce reports that result in higher (or lower) substantiation rates?
These types of questions can help you identify opportunities for targeted, preventive intervention.
What are some ways your organization is building proactive programs to prevent, not just detect, misconduct?