“Catch me if you can!”
Monitoring & Review is an essential component that adds value to any Compliance Management System (CMS). In my consulting practice, however, I often find that this topic is largely disregarded when it comes to evaluating compliance programs. Many companies implement detailed guidelines and provide training, but do not convince themselves of the effectiveness of these measures. This happens partly due to time constraints, but also because compliance officers are reluctant to accept the role of “controller” in their own companies and perceive a conflict of interest in their role as consultant.
What is Monitoring & Review?
Monitoring & Review is all about examining the functionality and effectiveness of a CMS. “By examining the CMS (…) companies receive independent and objective evidence that their CMS is appropriate and effective. (…) The actual function of the individual components of the CMS can only be assessed in an effectiveness check. In addition to the risk-mitigating effect, a CMS check can also be understood as a ‘stress test’ for the company, which helps identify any existing weaknesses (e.g., loopholes) and improve the system”.
Similar information can also be found in the U.S. Foreign Corrupt Practices Act (FCPA) and the UK Bribery Act (UKBA). The US Department of Justice (DOJ) has recently (June 2020) emphasized that a Compliance Program must work in practice — after all, even the best CMS is of no use unless it is implemented or the competent compliance officers verify that it is efficient.
The terms ‘monitoring’, ‘review’, ‘revision’, ‘internal investigation’ and ‘audit’ are often mixed up and cannot always be clearly distinguished from one another. However, the difference between periodic measures, which we would like to refer to as Monitoring & Review here, and internal investigations, should be emphasized. The latter describe ad hoc actions taken in a specific suspected case.
Planning is the key
How should compliance officers embrace it? Prior to planning, you need to determine what you want to test and how you want to test it.
Let us consider the key components of the CMS (also refer to the individual sections of the 12-Month Challenge) as a checklist. The individual components must not only be formulated ‘on paper’ – they also have to be fulfilled in a targeted and effective manner.
There are different methods to choose from. On the one hand, you could perform a CMS ‘self-check’ for compliance with the completeness, functionality and efficiency requirements. Questions could include, for example: Is the program being implemented as intended? Do the employees actually accept the code of conduct when they join? Does the phone number of the whistleblowing system really work? Have the recommendations for action points arising out of the risk assessments been implemented yet? On the other hand, you could also focus on the monitoring of other functions or the conduct of employees. Ideally, you should check both ‘on-book’, i.e. using invoices, service specifications etc., which could reveal the improper use of funds by foreign subsidiaries, and ‘off-book’, i.e. through practical checks on site. This means that undocumented events can also be discovered, such as diverted cash payments to consultants.
For planning, it has proven useful to enter the individual examinations in an annual plan, coordinate them with the company’s senior management and then implement them over the course of the year.
Define stakeholders and look for allies
As far as the planning is concerned, however, it is not only important what is to be checked and which method is to be used, but also who will perform the check.
Internal revision/auditors (if any) could also prove useful and assist the compliance officers by contributing their expertise and resources. External support could also help you avoid putting Compliance Monitoring & Audit on the back burner and find a starting point. Depending on your local law, participation of the works council could also be required.
Learn from findings!
The best actions and reviews will not help unless conclusions are drawn from the relevant findings. So what do you do if the CMS check reveals loopholes or abnormalities? This actually depends on the type of findings. Should you discover individual misconduct or irregularities, you might need to perform an internal investigation. If, on the other hand, you find that your CMS suffers from structural defects, you should consider improvements to the CMS.
When it comes to monitoring, the guiding principle is as follows: “Little is more than nothing”, i.e. starting small and, if necessary, working your way forward in individual steps is always better than doing nothing at all. Those who ‘stick with it’ and have their well-designed CMS ‘stress-tested’ on a regular basis will have a clear advantage in the worst-case scenario.
Our 12-Month Compliance Challenge is drawing to a close. We have considered the key CMS components and divided them into individual work packages. Remember, there is only one way to eat an elephant: piece by piece!
If you are unsure how to set up and run your compliance project successfully, please feel free to contact me.
 Schmidt, in: Hauschka/Moosmayer/Lösler, Corporate Compliance, 3rd Edition 2016, Section 45 marginal no. 14.