Kusserow on Compliance: DOJ issues guidelines on corporate compliance programs

In February 2017, the Department of Justice (DOJ) issued its“Evaluation of Corporate Compliance Programs,” which provides an explanation as to how compliance programs are evaluated by prosecutors. This 119-question resource offers great insights for compliance officers working to build and enhance their compliance programs. One thing to remember about these guidelines is that they relate to all industry sectors.   The Principles of Federal Prosecution of Business Organizations in the United States Attorney’s Manual describes specific factors that prosecutors should consider in conducting an investigation of a corporate entity, determining whether to bring charges, and negotiating plea or other agreements. These factors, commonly known as the Filip Factors, include “the existence and effectiveness of the corporation’s pre-existing compliance program” and the corporation’s remedial efforts “to implement an effective corporate compliance program or to improve an existing one.” The guidance was formulated to evaluate compliance programs after a violation has been discovered and examine the existing misconduct as the benchmark against which the compliance program will be evaluated. The Compliance Program Guidance is divided into 11 sections. Each category includes a list of questions the DOJ may consider when evaluating a company’s compliance program when it confronts corporate misconduct. The sections are:

  1. Analysis and Remediation of Underlying Conduct;
  2. Senior and Middle Management;
  3. Autonomy and Resources;
  4. Policies and Procedures;
  5. Risk Assessment;
  6. Training and Communications;
  7. Confidential Reporting and Investigation;
  8. Incentives and Disciplinary Measures;
  9. Continuous Improvement, Periodic Testing and Review;
  10. Third Party Management; and
  11. Mergers & Acquisitions.

The DOJ noted that in developing this document, it used the U.S. Sentencing Commission Guidelines. The document also relates back to a number of other DOJ reports, including the Yates Memorandum that focused on individual accountability in corporate investigations, and not just organizational wrongdoing. Although the compliance guidance documents issued by the HHS Office of Inspector General (OIG) are tailored to the health care sector, the reading of the DOJ evaluation document is relatable to them. All seven elements of an effective compliance program are included in the DOJ guidelines. It is worthwhile for compliance officers of health care entities to read this document and incorporate those areas identified by the DOJ for their own work place. There are plenty of ideas among the 119-questions outlined in their document for use by compliance officers to improve their organizations’ compliance programs.

Tip

The OIG calls for ongoing monitoring of the compliance program to ensure that it is up to date and operating the way it is designed to. In addition, there should be periodic, independent auditing of the program to verify that monitoring is taking place and validate that the results of operation are making the compliance program effective in achieving its goals. The U.S. Sentencing Commission in its standards for compliance and ethics programs also call for organizations to “evaluate periodically the effectiveness of the organization’s compliance and ethics program.” Now the DOJ is calling for the same thing.  As such, those organizations that have not had their compliance program subject to an independent compliance program effectiveness evaluation should consider having it now, incorporating the DOJ guidelines as part of their review.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2017 Strategic Management Services, LLC. Published with permission.

Webinar provides triage tips for internal investigations

Health care compliance investigations are not like a fine wine, stressed Kashish Chopra—age may improve a wine, but waiting for an investigation will never make it go more smoothly. Chopra, along with former HHS Inspector General Richard P. Kusserow, both of Strategic Management Solutions, presented a webinar titled Best Practices for Internal Investigations, during which they provided pertinent information on internal investigations. The information included the goals of such investigations, key individuals who should be involved in the process, and necessary steps and precautions. They also provided listeners with a sample Protocol Policy to clarify the relationship between a compliance officer and legal counsel when they have overlapping responsibilities.

Kusserow and Chopra explained the importance of having an internal investigation program as part of a robust compliance program. Internal investigations are a form of risk management, as they can prevent costly mistakes and provide reassurance to everyone that problems and reports are taken seriously and examined carefully. The foundation of a successful investigation is to have a formalized process for everything, including even informal processes, to ensure that complaints can be received, investigated, and, if necessary, mitigated. Chopra noted that although most complaints that anonymous compliance hotlines receive are related to human relations (HR), the type of complaints that are most likely to lead to an investigation include allegations of harassment, discrimination, retaliation, privacy or security threats, theft or fraud, notice of litigation, and inquiries by government agencies or contractors.

It is important for all individuals involved in an investigation to have well-defined roles and to maintain communication and transparency. Kusserow explained how it is important, during an investigatory interview, to minimize note-taking and maintain eye contact; however, he reminded listeners to build in time between interviews to fill in gaps left by minimal note-taking to ensure adequate records are kept. They also provided tips on how to “triage” complaints—ranking tasks according to priority, which requires a quick, accurate assessment of each issue. They especially emphasized the importance of providing individuals the opportunity to report problems both confidentially and anonymously. The difference being that although anonymity is protected, there is no obligation for the compliance department to protect the job of an anonymous source, while confidential sources must be protected against retaliation.

Kusserow on Compliance: 2017: Time for independent compliance program effectiveness evaluation?

Tom Herrmann, J.D., retired after a career in the Office of Counsel to the Inspector General, has been a compliance consultant for the the past ten years. He notes that the HHS Office of Inspector General (OIG) and other regulatory bodies have stressed the importance of evidencing Compliance Program (“CP”) effectiveness. Furthermore, compliance officers, like any program manager, are responsible for ongoing monitoring of their program; and the program should be subject to ongoing auditing. The OIG has made clear that program managers cannot audit their own program’s effectiveness and that includes the compliance program. What this means is that periodically the organization should seek an independent evaluation by experts. This is not important only to show government agencies.  It is especially valuable in providing convincing evidence to boards and executive leadership that the program is progressing on the desired path.

Carrie Kusserow has 15 years’ compliance experience, having both served as compliance officer in major health care organizations and been a consultant leading teams of experts conducting program evaluations. She notes that conducting such reviews in growing in importance.  The OIG in its practical guidance has gone so far as to urge boards to engage compliance experts to assist them in providing active oversight of the compliance program.  The OIG Corporate Integrity Agreements now mandate boards engage Compliance Experts to advise them on the program and then have them personally certify its effectiveness. Knowing that is the new standard should be a warning shot to all compliance officers to get ahead of the power curve by engaging experts and finding out what they say.  It provides opportunity to evidence acting upon findings and recommendations.  It is always better for the compliance officer to take the lead in seeking experts to evaluate the program.  It sets the tone that experts are being sought to improve the program and any findings and recommendations can be accepted as useful to advancing the program.

Camella Boateng is a Certified Healthcare Compliance (CHC) and Healthcare Privacy Compliance (CHPC) professional and has served on multiple occasions as a compliance officer, as well as conducted compliance program evaluations.   She makes the point that this type of review is not simple and to have value must go beyond a checklist of the standard seven elements. To be of value to compliance officers means that the review must focus on how well the program is functioning and not just the design. The results of the review needs to relate to outcome metrics, not process output.  A significant part of any such evaluation should relate to the high-risk areas identified by the OIG. The expertise and experience of the compliance experts used is critical for the most useful results.  A detailed report of this type can be expected to be 50-75 pages in length.

Al Bassett, J.D., has conducted more compliance program effectiveness evaluations than just about anyone in the country over the last 20 years. He states that the results from this approach should provide an in-depth analysis of the status of the program, identify in the findings and observations opportunities for improvement, and specific recommendations and suggestions as to how any deficiencies may be overcome. Done properly, it should be a collaborative effort with active involvement of the compliance office, executive leadership and the board.  The scope of the work should include a full compliance-related document review; onsite interviews with members of executive leadership and selected key staff; focus group meetings; and onsite audit of key features of the program.   Special attention should be given to the compliance work plan and how well ongoing auditing and monitoring is addressing high risk areas.

Steve Forman, CPA, has twenty years experience as a compliance officer and consultant, along with previously serving as Director of OIG Management Operations. He also believes the real value of compliance program evaluations is in its operations and that effectiveness is best found with the first line managers and how they are communicating and supporting the program.  If the truth be known, immediate supervisors have more influence with their subordinates when it comes to compliance that any utterances from the CEO, compliance officer, or board members.  Gaining that insight will come not only from interviewing a number of managers, but focus group meetings with staff.   Forman also likes using the Compliance Knowledge Survey of employees on their understanding of the compliance program. It is a great tool to validate how things are working and permits comparisons with the universe of those who employed it.  The key point is that if the message is received and understood by employees, that is the best evidence that the compliance program is working. He notes that the OIG also endorses this method as a tool for measuring compliance program effectiveness.

16 Best Practices Tips

  1. Engage experts now to find out what “fresh eyes” see in the compliance program.
  2. For sound results, engage a firm that is truly expert on compliance programs.
  3. Check the credentials of the individuals who would be used to conduct the review.
  4. Ensure that those who perform the review are real experts, avoid bait and switch.
  5. Examine the history and leadership of the prospective firms for the evaluations.
  6. Ask how many such evaluations they have been performed by the firm.
  7. Seek references of past work in order to learn how valuable results were.
  8. Avoid firms who use a common checklist approach as the results will be poor.
  9. Focus on a top-down, as well as bottom-up review as to how the program is working.
  10. Review should include (a) full document review; (b) onsite operations audit; (c) executive, board, and key employees interviews; and (d) focus group meetings.
  11. Ensure everyone knows that compliance will always be work in progress, never completed.
  12. Stress seeking opportunities for improvement and best practices.
  13. Consider employing the Compliance Knowledge Survey for measuring effectiveness.
  14. Reviews should focus on auditing and monitoring of high risk areas.
  15. Use only those certifying meeting GAGAS operational review standards.
  16. Seek a fixed price agreement for the review.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2017 Strategic Management Services, LLC. Published with permission.