How KPI Reporting Can Help With DOJ Guidance on Corporate Compliance Programs
The primary goal of the KPIs is to eliminate any potential risks that would lead to fraud.
Compliance professionals have worked with certain key performance indicator (KPI) reporting, metrics and computer programs applicable to corporate compliance programs for years. However, without much fanfare, on Feb. 8, 2017, the Department of Justice (DOJ) issued the "Evaluation of Corporate Compliance Programs" ("Guidance"), which sets forth new guidelines for how the agency examines compliance programs during federal fraud investigations.
The agency recognizes that each fraud compliance program is different across organizations, and thus, each program should be examined individually. However, because personal liability for corporate individuals is now on the line (often referred to as the "Filip Factors") in addition to corporate liability, the DOJ issued some sample questions that may be considered when examining each program. So, what can compliance professionals take away from this new Guidance?
The DOJ Guidance Offered Can Help With Self-Audit
The DOJ Guidance can help compliance professionals self-audit their own corporate compliance programs. For example, the Guidance sets forth 119 questions that could be asked in determining whether to bring charges or negotiate a plea. According to the DOJ, these questions are organized into the following eleven sections:
- "Analysis and Remediation of Underlying Conduct"
- "Senior and Middle Management"
- "Autonomy and Resources"
- "Policies and Procedures"
- "Risk Assessment"
- "Training and Communications"
- "Confidential Reporting and Investigation"
- "Incentives and Disciplinary Measures"
- "Continuous Improvement, Periodic Testing and Review"
- "Third Party Management"
- "Mergers & Acquisitions"
While most compliance professionals may be familiar with these topics, the DOJ has broken these questions down more specifically to apply the Filip Factors. This gives additional context for what the investigators will be searching for to determine the existence and effectiveness of a fraud compliance program. This additional insight will aid compliance professionals in spotting any deficiencies in their programs and allow them to make corrections proactively. It also gives these professionals a significant opportunity to see what the DOJ is investigating ahead of an investigation.
Risk Assessment: Supported by Metrics
The Guidance also examines the business's risk assessment. The questions asked are:
- What methodology has the business used to identify, analyze and address the particular risks it faced?
- What information or metrics has the organization collected and used to help detect the type of misconduct in question?
- How has the information or metrics informed the firm's compliance program?
Metrics must be used to support the data on risk and breaches and to support the program generally. As the data and the risks become more advanced, should the metrics also evolve? According to CFO.com, compliance professionals should start using well-defined KPI reporting to help define the eleven sections set forth by the DOJ for fraud compliance.
KPI Dashboard to Eliminate Potential Fraud Risk
The Guidance stresses two key points:
- The remediation of the "root cause" of the misconduct
- The continual improvement of all compliance efforts with the use of data and metrics
The primary goal of the KPI reporting is to eliminate any potential risks that would lead to fraud. However, the business does not want to make the KPIs so difficult that they'll be discarded. A simple KPI dashboard is key. This dashboard will be able to indicate deviations from established policies and procedures, and alert the compliance professional to an issue so that a root cause may be identified. This can also allow the organization to work toward a continual improvement process.
KPIs Should Be Reviewed by Leadership
The DOJ will also look to upper management. It is the DOJ's position that the ownership of any problem starts at the top of the company. To ensure success of the compliance program, according to CFO.com, the KPI dashboard should demonstrate a top-down commitment to compliance, including the C-suite and the board of directors. All KPIs should be reviewed by the executives and the board of directors at least monthly, which demonstrates commitment and accountability, and further keeps upper management and the board informed of the organization's fraud compliance.
When the DOJ conducts a federal investigation, it's interested not only in the organization's written compliance documents, such as the training manual and the policies and procedures, but also in the specifics of how the compliance program is operated. This recent Guidance gives organizations an opportunity to review their fraud compliance programs, establish a plan moving forward and determine what steps toward improvement may be necessary.