Vladimir Berezansky (vberezansky@ptc.com) is General Director of PTC Inc.’s Russian affiliate and Chief Compliance Counsel for PTC in Russia/CIS/CEE/MENA. Renee Martinez Sophocles (reneesoph@gmail.com) is the former Compliance Training Manager for PTC, based in Boston, Massachusetts, USA.
Although most compliance teams are careful to ensure robust implementation of their internal policies and protocols, a systematization of these processes is often lacking. At our organization, we were concerned that too much reliance was being placed on the internal audit function for these purposes, as internal audit was repeatedly covering much of the same ground to fulfill its role, which was deemed inefficient.
So for our compliance program, we decided to adopt an approach similar in spirit to the adage “Physician, heal thyself!” It remained unclear to us, however, how exactly to do this. Our team began a search for appropriate models and/or regulatory guidance that would help facilitate the implementation of a broadly scoped model for monitoring and surveillance of our own procedures. At the time of this internal discussion, the U.S. Justice Department (DOJ) Criminal Division and the U.S. Department of the Treasury Office of Foreign Assets Control (OFAC) issued unsolicited guidance, literally days apart, that we would eventually incorporate into our own model. In addition, we were further inspired by France’s Sapin II Law.
By combining key factors from all three of these sources, we developed our own internationally influenced hybrid model, which we will describe here.
The DOJ guidance: The value of lessons learned
In April 2019, a DOJ communication announced its updated Evaluation of Corporate Compliance Programs.[1] The document provides criteria by which DOJ assesses corporate compliance programs once something has clearly gone wrong. For purposes of its adaptation and implementation, this document should be viewed as a study in “lessons learned.” Toward this end, DOJ’s recommended approach poses three guiding questions:
- Is the company’s compliance program well designed?
- Is the company’s compliance program being implemented effectively?[2]
- Does the company’s compliance program work in practice?
The answers to these questions significantly influence the severity of charges brought by the DOJ’s Criminal Division. The remainder of the document expands on the implications of how a company’s responses to these questions are assessed by DOJ.
OFAC guidance: The need to perform adequate risk assessments
Two days after DOJ’s update of its guidance, the U.S. Department of the Treasury announced the release of A Framework for OFAC Compliance Commitments.[3] This announcement specified the purpose of OFAC’s guidance: “to employ a risk-based approach to sanctions compliance by developing, implementing, and routinely updating a sanctions compliance program (SCP).”[4]
As this statement of purpose suggests, this is a much more tightly focused document. The recurring theme in OFAC’s SCP guidelines is the need to perform thorough risk assessments regularly, and then adjust your company’s internal controls to the resulting risk profile.
Such advice, however, can be deceptively simple. Implicit within this guidance is the expectation that the compliance program has the requisite skills, expertise, and authority to complete, evaluate, and implement the results of fully adequate risk assessments.
Backward- and forward-looking approaches
There is another significant factor distinguishing these two instances of regulatory guidance, which we found helpful, and that is their respective orientations regarding when the misconduct has occurred or could occur.
DOJ’s approach is backward looking; that is, it draws on prosecutions brought by the Criminal Division (in addition, presumably, to instances from its archives when DOJ had declined to press criminal charges) in order to articulate general guidance. The guidance, in turn, is directed internally to its own staff for purposes of evaluating future instances wherein it may be appropriate to prosecute alleged violations of law that appear to have been facilitated by weaknesses in the compliance program of a defendant company.
OFAC’s guidance, however, is oriented toward the future or the hypothetical. It anticipates the probability that an SCP, engaging in a robust evaluation of its compliance program, may identify a specifically designated risk of a recurring nature. This approach anticipates potential compliance-relevant incidents by identifying them in the present through aggressive, continuous risk assessments, thereby heading them off.
These approaches, however, are neither inherently contradictory nor mutually exclusive. To the contrary, our “physician” now has the luxury of two pathways toward restored health. Given the wide contrast in underlying premises and conceptual approaches between these two sets of regulatory guidelines, however, we thought it might be prudent to incorporate a third source of regulatory guidance into this project.