“Catch me if you can!”
Monitoring & Review is an essential component that adds value to any Compliance Management System (CMS). However, many companies implement detailed guidelines and provide training, but do not convince themselves of the effectiveness of these measures. On the one hand, this happens due to the time constraints, but also because compliance officers are reluctant to accept the role of "controller" in their own companies and perceive a conflict of interest in their role as consultant.
What is Monitoring & Review?
Monitoring & Review is all about examining the functionality and effectiveness of a CMS. By examining the CMS companies receive independent and objective evidence that their CMS is appropriate and effective. In addition to the risk-mitigating effect, a CMS check can also be understood as a stress test for the company, which helps identify any existing weaknesses and improve the system.
Similar information can be found in the U.S. Foreign Corrupt Practices Act (FCPA) and the UK Bribery Act (UKBA). The US Department of Justice (DOJ) has (in June 2020) emphasized that a Compliance Program must work in practice — after all, even the best CMS is of no use unless it is implemented, or the competent compliance officers verify that it is efficient.
The terms ‘monitoring’, ‘review’, ‘revision’, ‘internal investigation’ and ‘audit’ are often mixed up and cannot always be clearly distinguished from one another. However, the difference between periodic measures, which we would like to refer to as Monitoring & Review here, and internal investigations, should be emphasized. The latter describe ad hoc actions taken in a specific suspected case.
Planning is the key
Prior to planning, you need to determine what you want to test and how you want to test it.
Let us consider the key components of the CMS (see individual sections of our ‘12-Month Challenge’) as a checklist. The individual components do not only have to be formulated ‘on paper’ – they must be fulfilled in a targeted and effective manner.
There are different methods to choose from. On the one hand, you could perform a CMS ‘self-check’ for compliance with the completeness, functionality and efficiency requirements. Questions could be: Is the program being implemented as intended? Do the employees accept the code of conduct when they join and have they been trained? Have the recommendations for action points arising out of the risk assessments been implemented yet? On the other hand, you could also focus on the monitoring of other functions or the conduct of employees. Ideally, you should check both ‘on-book’ (using invoices, service specifications etc.) which could reveal the improper use of funds by foreign subsidiaries, and ‘off-book’ (practical checks on site), meaning that undocumented events can also be discovered, such as diverted cash payments to consultants.
It has proven useful to enter individual examinations in an annual plan, to coordinate them with the company’s senior management and then implement them over the course of the year.
Define stakeholders and look for allies
As far as the planning is concerned, however, it is not only important what is to be checked and which method is to be used, but also who will perform the check.
Internal revision/auditors (if any) could prove useful and assist the compliance officers by contributing their expertise and resources. External help could avoid putting Compliance Monitoring & Audit on the back burner and find a starting point. Depending on your local law, participation of the works council could be required.
Learn from findings!
The best actions and reviews will not help unless conclusions are drawn from the relevant findings. Should you discover individual misconduct or irregularities, you might need to perform an internal investigation. If, on the other hand, you find that your CMS suffers from structural defects, you should consider improvements to the CMS.
When it comes to monitoring, the guiding principle is as follows: "Little is more than nothing", i.e., starting small and, if necessary, working your way forward in individual steps is always better than doing nothing at all. Those who ‘stick with it’ and have their well-designed CMS ‘stress-tested’ on a regular basis will have a clear advantage in the worst-case scenario.
Our 12-Month Compliance Challenge is drawing to a close. We have considered the key CMS components and divided them into individual work packages. Remember, there is only one way to eat an elephant: piece by piece!
If you are unsure how to set up and run your compliance project successfully, please feel free to contact me.