DOJ and Corporate Compliance Program Risk Assessment
“Forget the ABCs and Focus on the LBD”
by Sean Weiss, Partner & VP of Compliance
Mitigating Risk as a Practice Executive means lots of things… financial loss, threats from competitors, threats of audits from payors, and the ever-growing threat of government investigations for compliance violations. While we are never going to get to 100% given the human impact on operations, we can and must take steps to actively manage the risk of potential violations within our organizations to avoid the calamity that comes with participating with insurance companies and accepting federal and state insurance beneficiaries. I’ve had lots of providers tell me they’re simply going to stop seeing Medicare beneficiaries, so they opt out and quickly learn that without those beneficiaries they have lost 40-60% of their revenues (this % range is based on geographic location and specialty), and then look to opt back in, but by then many of their patients have already found another provider to take care of them. This is why knee-jerk reactions never work out.
As “The Compliance Guy”, I want to focus on risk mitigation from a regulatory compliance standpoint. Forget about the ABCs of compliance and focus on the LBD as I call it. LBD stands for Living, Breathing Document which is your compliance program with its policies and standard operating procedures (SOPs) and how effective they are and whether or not the organization is adhering to them.
Everyone already knows the seven steps of an effective compliance plan… however, no one is really focused on number 8. Yup, that’s right, there is an 8th step, and it is the Risk Assessment. This is without a doubt the most vital part of any compliance plan and what prosecutors are looking at in their preliminary assessment of a practice and the viability of its compliance plan. The following section comes from the Department of Justice Criminal Division, and the document is titled “Evaluation of Corporate Compliance Programs”.
While I could put this into my own words and give you my spin on it, the way the following information is written is so straightforward that there is only one way to interpret it:
“Risk Assessment – The starting point for a prosecutor’s evaluation of whether a company has a well-designed compliance program is to understand the company’s business from a commercial perspective, how the company has identified, assessed, and defined its risk profile, and the degree to which the program devotes appropriate scrutiny and resources to the spectrum of risks. Prosecutors should consider whether the program is appropriately “designed to detect the particular types of misconduct most likely to occur in a particular corporation’s line of business” and “complex regulatory environment.” JM 9-28.800.
For example, prosecutors should consider whether the company has analyzed and addressed the varying risks presented by, among other factors, the location of its operations, the industry sector, the competitiveness of the market, the regulatory landscape, potential clients and business partners, transactions with foreign governments, payments to foreign officials, use of third parties, gifts, travel, and entertainment expenses, and charitable and political donations. Prosecutors should also consider “[t]he effectiveness of the company’s risk assessment and the manner in which the company’s compliance program has been tailored based on that risk assessment” and whether its criteria are “periodically updated.” See, e.g., JM 9-47-120(2)(c); U.S.S.G. § 8B2.1(c) (“the organization shall periodically assess the risk of criminal conduct and shall take appropriate steps to design, implement, or modify each requirement [of the compliance program] to reduce the risk of criminal conduct”). Prosecutors may credit the quality and effectiveness of a risk-based compliance program that devotes appropriate attention and resources to high-risk transactions, even if it fails to prevent an infraction in a low-risk area.
Prosecutors should therefore consider, as an indicator of risk-tailoring, “revisions to corporate compliance programs in light of lessons learned.” JM 9-28.800.
Risk Management Process – What methodology has the company used to identify, analyze, and address the particular risks it faces? What information or metrics has the company collected and used to help detect the type of misconduct in question? How have the information or metrics informed the company’s compliance program?
Risk-Tailored Resource Allocation – Does the company devote a disproportionate amount of time to policing low-risk areas instead of high-risk areas, such as questionable payments to third-party consultants, suspicious trading activity, or excessive discounts to resellers and distributors? Does the company give greater scrutiny, as warranted, to high-risk transactions (for instance, a large-dollar contract with a government agency in a high-risk country) than more modest and routine hospitality and entertainment?
Updates and Revisions – Is the risk assessment current and subject to periodic review? Have there been any updates to policies and procedures in light of lessons learned? Do these updates account for risks discovered through misconduct or other problems with the compliance program?”
The last thing I want to address in this blog post is the perspective the DOJ provides on the policies and procedures within the Corporate Compliance Program and how their effectiveness is measured. Again, I will keep this in the DOJ’s words, since there is only one way to interpret what they are saying:
“Any well-designed compliance program entails policies and procedures that give both content and effect to ethical norms and that address and aim to reduce risks identified by the company as part of its risk assessment process. As a threshold matter, prosecutors should examine whether the company has a code of conduct that sets forth, among other things, the company’s commitment to full compliance with relevant Federal laws that is accessible and applicable to all company employees. As a corollary, prosecutors should also assess whether the company has established policies and procedures that incorporate the culture of compliance into its day-to-day operations.
Design – What is the company’s process for designing and implementing new policies and procedures, and has that process changed over time? Who has been involved in the design of policies and procedures? Have business units been consulted prior to rolling them out?
Comprehensiveness – What efforts has the company made to monitor and implement policies and procedures that reflect and deal with the spectrum of risks it faces, including changes to the legal and regulatory landscape?
Accessibility – How has the company communicated its policies and procedures to all employees and relevant third parties? If the company has foreign subsidiaries, are there linguistic or other barriers to foreign employees’ access?
Responsibility for Operational Integration – Who has been responsible for integrating policies and procedures? Have they been rolled out in a way that ensures employees’ understanding of the policies? In what specific ways are compliance policies and procedures reinforced through the company’s internal control systems?
Gatekeepers – What, if any, guidance and training has been provided to key gatekeepers in the control processes (e.g., those with approval authority or certification responsibilities)? Do they know what misconduct to look for? Do they know when and how to escalate concerns?”
As you can see, there are no shortcuts when it comes to the government’s requirements for an effective compliance program. This is why doing it the right way the first time is critical, and focusing on the “LBD” vs. the ABCs is imperative. Don’t make the mistake so many practices and hospitals make, which is believing that simply having P&Ps in place is enough. The fact is, it’s not, and you have to demonstrate your culture and corporate commitment to compliance if you expect to be well insulated from governmental investigations.