Enhance your global compliance monitoring with a hybrid model

Vladimir Berezansky

Vladimir Berezansky

Renee Martinez Sophocles

Renee Martinez Sophocles

By Vladimir Berezansky and Renee Martinez Sophocles

Vladimir Berezansky (vberezansky@ptc.com) is General Director of PTC Inc.’s Russian affiliate and Chief Compliance Counsel for PTC in Russia/CIS/CEE/MENA. Renee Martinez Sophocles (reneesoph@gmail.com) is the former Compliance Training Manager for PTC, based in Boston, Massachusetts, USA.

Although most compliance teams are careful to ensure robust implementation of their internal policies and protocols, a systematization of these processes is often lacking. At our organization, we were concerned that too much reliance was being placed on the internal audit function for these purposes, as internal audit was repeatedly covering much of the same ground to fulfill its role, which was deemed inefficient.

So for our compliance program, we decided to adopt an approach similar in spirit to that of: “Physician, heal thyself!” It remained unclear to us, however, how exactly to do this. Our team began a search for appropriate models and/or regulatory guidance that would help facilitate the implementation of a broadly scoped model for monitoring and surveillance of our own procedures. At the time of this internal discussion, the U.S. Justice Department (DOJ) Criminal Division and the U.S. Department of the Treasury Office of Foreign Assets Control (OFAC) issued unsolicited guidance, literally days apart, that we would eventually incorporate into our own model. In addition, we were further inspired by France’s Sapin II Law.

By combining key factors from all three of these sources, we developed our own internationally influenced hybrid model, which we will describe here.

The DOJ guidance: The value of lessons learned

In April 2019, a DOJ communication announced its updated Evaluation of Corporate Compliance Programs.[1] The document provides criteria by which DOJ assesses corporate compliance programs once something has clearly gone wrong. For purposes of its adaptation and implementation, this document should be viewed as a study in “lessons learned.” Toward this end, DOJ’s recommended approach poses three guiding questions:

  1. Is the company’s compliance program well designed?

  2. Is the company’s compliance program being implemented effectively?[2]

  3. Does the company’s compliance program work in practice?

The answers to these questions significantly influence the severity of charges brought by the DOJ’s Criminal Division. The remainder of the document expands on the implications of how a company’s responses to these questions are assessed by DOJ.

OFAC guidance: The need to perform adequate risk assessments

Two days after DOJ’s update of their guidance, the U.S. Department of the Treasury announced the release of A Framework for OFAC Compliance Commitments.[3] This announcement specified the purpose of OFAC’s guidance “to employ a risk-based approach to sanctions compliance by developing, implementing, and routinely updating a sanctions compliance program (SCP).”[4]

As this statement of purpose suggests, this is a much more tightly focused document. The recurring theme in OFAC’s SCP guidelines is the need to perform thorough risk assessments regularly, and then adjust your company’s internal controls to the resulting risk profile.

Such advice, however, can be deceptively simple. Implicit within this guidance is the expectation that the compliance program has the requisite skills, expertise, and authority to complete, evaluate, and implement the results of fully adequate risk assessments.

Backward- and forward-looking approaches

There is another significant factor distinguishing these two instances of regulatory guidance, which we found helpful, and that is their respective orientations regarding when the misconduct has occurred or could occur.

DOJ’s approach is backward looking; that is, it draws on prosecutions brought by the Criminal Division (in addition, presumably, to instances from its archives when DOJ had declined to press criminal charges) in order to articulate general guidance. The guidance, in turn, is directed internally to its own staff for purposes of evaluating future instances wherein it may be appropriate to prosecute alleged violations of law that appear to have been facilitated by weaknesses in the compliance program of a defendant company.

OFAC’s guidance, however, is oriented toward the future or the hypothetical. It anticipates the probability that an SCP, engaging in a robust evaluation of its compliance program, may identify a specifically designated risk of a recurring nature. This approach anticipates potential compliance-relevant incidents by identifying them in the present through aggressive, continuous risk-assessments, thereby heading them off.

These approaches, however, are neither inherently contradictory nor mutually exclusive. To the contrary, our “physician” now has the luxury of two pathways toward restored health. Given the wide contrast in underlying premises and conceptual approaches between these two sets of regulatory guidelines, however, we thought it might be prudent to incorporate a third source of regulatory guidance into this project.

This document is only available to members. Please log in or become a member.
Become a Member Login
 


Would you like to read this entire article?

If you already subscribe to this publication, just log in. If not, let us send you an email with a link that will allow you to read the entire article for free. Just complete the following form.

* required field

First name field cannot be blank!
Last name field cannot be blank!
We will send you an email that will give you access to this entire article.
Email field cannot be blank!
Enter a valid email!
Company field cannot be blank!
Enter a valid company!
Title field cannot be blank!

We're committed to your privacy. The Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA) uses the information you provide us to contact you about our relevant content, products, and services. For more information, check out our Privacy Policy.


About SCCE

The Society of Corporate Compliance and Ethics (SCCE) is a non-profit, member-based professional association. SCCE supports our members' work with education, news, and discussion forums. We are a community of leaders, defining and shaping the corporate compliance environment across a wide range of industries and geographic regions. In developing and maintaining effective ethics and compliance programs, our members strengthen and protect their companies.

952.933.4977

About HCCA

The Health Care Compliance Association (HCCA), is a 501(c)6 non-profit, member-based professional association. HCCA was established in 1996 and is headquartered in Minneapolis, MN. We provide training, certification, and other resources to over 10,000 members. Our members include compliance officers and staff from a wide range of organizations, including hospitals, research facilities, clinics and technology service providers.

952.988.0141

Facebook Twitter LinkedIn
Copyright © 2024 by Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA). No claim to original US Government works. All rights reserved. All information provided through this site, including without limitation all information such as the “look and feel” of the site, data files, graphics, text, photographs, drawings, logos, images, sounds, music, video or audio files on this site, is owned and/or licensed by SCCE & HCCA or its suppliers and is subject to United States and international copyright, trademark and other intellectual property laws. Any third party logos and/or content provided herein is owned by such third parties and is used by permission herein. Your use of this site to is subject to our Terms Of Use and Privacy Statement.
Cookie settings