Compliance Illustration by Shutterstock

Periodic monitoring is crucial for corporate counsel to ensure that their companies' compliance programs continue to align with changing business profiles, geographic footprints, channels to market and clients served. In fact, the U.S. Department of Justice (DOJ) emphasized the importance of periodic testing and ensuring that compliance programs "work in practice" in its 2019 guidance document evaluation of corporate compliance programs. Despite this mandate to companies, enforcement agencies have neither outlined criteria for best-in-class compliance monitoring systems nor provided practical guidance as to how practitioners should test their effectiveness.

In this article, we will outline an approach for the design of a compliance monitoring system aimed at detecting compliance violations and identifying trends, outliers and red flags. It is important to keep in mind that what works for one company may not work for another—practitioners should read this article with an eye toward what is feasible within their companies.

Strategy. A company's compliance monitoring system should be tailored to the company's objectives for its compliance program and consistent with its corporate culture. Some highly regulated companies, for example, may prioritize having a compliance program that prevents all violations whereas a values-driven organization that is subject to less regulatory oversight might prioritize having a compliance program that is culturally embedded in the company.

Framework. Companies should determine the level at which monitoring should occur (e.g., by country, region or business line) and the cadence in which it should occur (e.g., monthly or quarterly). Practitioners can then prioritize the countries, regions, legal or financial reporting entities, or business lines that should be monitored. Perhaps most importantly, companies should determine who should receive monitoring reports, and who will be responsible for analysis and follow-up.

Measuring Risk. In measuring risks, companies must first determine what the appropriate baseline metrics should be.  What is the basis for comparison? How are anomalies identified? Baseline metrics may include projected, estimated, or planned spend, against which deviations can be measured. This will differ from company to company, but some suggestions include:

• Compliance-sensitive payments: Compliance-sensitive payments are A/P transactions that create an opportunity for potentially improper payments. Changes or trends in compliance sensitive payments can highlight increased risk.  For example, an increase in payments approved after-the-fact in a certain location may indicate potentially improper conduct or, at the very least, a need for training. To monitor, companies could identify and flag high-risk accounts within their ERP or accounting systems. Most accounting or ERP systems can generate reports on the flagged accounts which can be compared against projected budgets and previous reports to identify trends over time.
• Compliance-sensitive spend: Compliance-sensitive spend refers to non-A/P company spend for gifts, entertainment, or travel involving government officials or commercial clients. For example, an increase in external entertainment spend in a company's local office contemporaneous with major deals or tenders could signal the improper use of perks to influence decisions. Like compliance-sensitive payments, companies could earmark compliance-sensitive spend in their financial systems with the goal of generating and analyzing reports on a periodic basis.
• High-risk third parties: Companies should determine which of its third parties present a higher risk to the company—e.g., those that are likely to interact with government officials or major commercial clients. This type of data is often valuable in identifying areas where spend could be reduced. To monitor, companies can track the number and location of high-risk third parties engaged, third parties involved in investigations or audits and actual spend compared to projected budgets.
• New market entry: Companies are particularly vulnerable to inappropriate requests when they expand into new territories or channels to market. Projected timelines, key milestones, and projected budgets are useful baselines to compare against the actual time and spend associated with entering the market. Delays in permits, unexpected problems with partners, or poor financial performance may put pressure on local teams to take shortcuts in violation of violate company policies.
• Investigations: Trends in investigations can reveal gaps in how the company's policies are communicated and understood. The number of allegations by country or business line, the functional role of reporters, type of allegations, time before allegations were reported, and disciplinary actions imposed are important data points for comparison. Increased investigations in a particular country, for example, could indicate a need for targeted training, a change in management communications, or enhanced discipline for violations.
• Training: When compared with trends in investigations, data on the company's training program can offer insights into whether management is appropriately communicating or demonstrating its commitment to compliance and the effectiveness of such communications. Companies can monitor the frequency of the trainings, subject matter and format of training sessions, average time to completion, and test scores to determine whether there is a need for targeted training in specific geographies or on specific topics.

Monitoring Risk. Once companies have determined what criteria to measure and where such data resides, it is crucial to take the time to evaluate the sufficiency, completeness and reliability of the data that exists. Are there gaps or differences in the same data between different systems? Can the data be aggregated in a uniform way? For important criteria not captured by existing systems, companies could consider implementing interim, manual stop-gaps.

While there are several advanced, data analytics-driven products on the market for monitoring, it is important to remember that developing a compliance monitoring system is an iterative process and will take time. The best compliance monitoring systems are ones that accurately and consistently identify the types of risks specific to their companies, and the ability to identify risks depends on the quality of data available and the nature of the compliance program that the company has in place.

Vera Powell is senior counsel global compliance at Uber in San Francisco. She is responsible for managing a wide variety of anti-corruption compliance topics, including enhancing the company's risk-based third-party risk assessment and due diligence process and devising a compliance monitoring system. 

Alice Hsieh is a senior associate in the international department at Miller & Chevalier where her practice focuses on corporate anti-bribery compliance. She advises companies in matters related to the U.S. Foreign Corrupt Practices Act (FCPA) and related international corruption laws, business and human rights, and other areas of corporate responsibility.