Compliance Officer Challenges With Re-Opening After Lockdown
As the country moves towards returning to a fully reopened workplace, it is time to think about what should be done to fully reactivate the compliance program. The primary focus for most organizations has been addressing the consequences of the pandemic and its impact on operations and programs. One result was moving compliance off to the side. In fact, actions by the Department of Health and Human Services’ (HHS) enforcement authorities reinforced this notion with the Office of Inspector General (OIG), Centers for Medicare & Medicaid Services (CMS) and Office for Civil Rights (OCR) all having provided leniency on their expectations of compliance programs during the crisis. It is time to give serious consideration to what steps are needed to put compliance back on track, and not to be relegated as just another ancillary cost center. The following are some suggestions for consideration:
- Plan on reconnecting with the Board but make it a very meaningful meeting. Compliance empowerment begins at the Board level. Carefully prepare a detailed briefing and underscore the importance of compliance at this time and what they can expect from it.
- Focus an executive leadership message on why the compliance program needs the proper level of resources, a difficult task during a time of great financial stress. If this is not well presented, it may lead to decisions on cutting back funding and support for the program. Make the point that both the OIG and Department of Justice (DOJ) stress that it is critical that the compliance program be adequately resourced with a staff and budget.
- Build new bridges with legal counsel, human resources, internal audit, procurement, and risk management, to strengthen cooperation and integration of efforts. All these functions have been stressed by the crisis. Make the case that by strengthening these relationships, the program is more cost efficient and effective.
- Make the case that continuing compliance education budgets are a necessary investment against regulatory and legal missteps. Consider budgeting for webinars, virtual events, or online classes.
- Review and update specialized compliance education training and briefings for program managers, regarding their obligations for ongoing monitoring of their high-risk areas. The DOJ and OIG guidance make it clear that those involved in making business decisions must be trained and educated differently (or additionally) to the general employee population.
- The pandemic reinforces the fact that new compliance risks and threats continue to emerge. During briefings and training consider presenting examples of how these new scams have taken advantage of employees. The DOJ and OIG websites have considerable information on how fraudsters have taken advantage of people who have lowered their guard during the crisis.
- Ensure that there is ongoing monitoring of third-party relationships, including updated due diligence procedures, training, audits, and/or annual compliance certifications by third parties. This is another critical test highlighted by the DOJ to show an effective compliance program.
- Take steps to evidence that compliance-related policies and procedures have been integrated into the organization, including through periodic training of all employees.
- Evidence measures that create a workplace atmosphere where employees can report problems and suspected wrongdoing without fear of retaliation. Ensure these available channels are well publicized to employees. Review and document how the system is used, types of allegations received, and how they were resolved.
- Arrange for an independent evaluation of the compliance program. The OIG has long called for independent evaluations of programs and more recently the DOJ has also highlighted this action. It is not enough for the Compliance Officer to engage in ongoing monitoring of the compliance program; the program needs to be independently evaluated by experts to provide credible independent results. It must be more than a simple “gap analysis” and should focus on outcomes of the program’s efforts, identifying not only strengths, but areas for improvement. Professionally designed and conducted reviews are the best way for compliance programs to evidence the improvement in effectiveness.
- The COVID-19 crisis is leading to an increased number of mergers and acquisitions. It is important for the Compliance Officer to have an active role in identifying compliance risks and the means to integrate the compliance program in the resulting organizations. The DOJ Guidelines stress the importance of the compliance function and its involvement in pre- and post-acquisition due diligence to avoid loss of reputation and legal liability. If there is currently no plan for compliance involvement in an acquisition, then this needs to be addressed.
- Adjust the compliance program based upon the lessons learned from internal reviews, experience with the program, and examples from other companies dealing with compliance problems. Keep up with enforcement actions by the DOJ, OIG, OCR, CMS and other agencies and take lessons from what is learned, including from Corporate Integrity Agreements (CIA) and other settlement agreements. Information is available on government websites and blogs.
- Ensure compliance document management (policies, procedures, Code, internal controls) updates (a term used seven times in the Guidelines) and periodically reviews the documents. It is important to have an audit trail that evidences regular review of key compliance documents.
- Focus on “metrics,” a term used ten times in the DOJ Guidelines, to evidence compliance program effectiveness. The OIG specifically cites policies and procedures, investigations, third-party relationships, risk management/risk assessments, and training as areas where metrics should be used.