This is a guest post written by Diana Trevley, Chief of Global Services, Spark Compliance Consulting
The Department of Justice’s recently released Evaluation of Corporate Compliance Programs Guidance Document (“Guidance”) provides prosecutors with a list of questions to consider asking when investigating a company’s compliance failures and determining whether to bring charges. By publishing these questions, the Guidance also provides companies with specific information on what actions, taken together, constitute an effective compliance program. Included in the document are three questions about gatekeepers:
“Gatekeepers – What, if any, guidance and training has been provided to key gatekeepers in the control processes (e.g., those with approval authority or certification responsibilities)? Do they know what misconduct to look for? Do they know when and how to escalate concerns?”
This has some compliance officers wondering, what, pray tell, exactly is a gatekeeper?
Simply put, a gatekeeper is someone who controls access to something.
For those of you who are interested (and I realize it might just be me), the first known use of the term was in 1572 and it was quite literal – it meant someone who tended or guarded a city gate. Anyone who wanted to get in – or possibly out – of a fortified city had to get past the gatekeeper. The gatekeeper may not have been a particularly high-level person in terms of rank and status, but they certainly had a lot of power.
While all managers are gatekeepers, not all gatekeepers are managers. Managers, especially high-level managers, are usually gatekeepers in multiple ways: they may have a high level of spend, they may be able to approve third parties without seeking permission from higher authority within the company, they may approve their employees’ expense reports, they are often the first person to whom employees report their concerns, and they may have the ability to hire, fire and promote employees. But in other cases, non-managers, much like the literal gatekeeper watching over the city gate, will have a significant amount of authority in a specific area.
The person within your company who reviews and approves the gifts and hospitality reimbursements is a gatekeeper. The on-site auditor who reviews your third parties’ manufacturing facilities to certify that they are compliant with labor laws is also a gatekeeper. The human resources representative at your regional office who determines how to respond when someone stops by their office to complain of what they perceive to be an unfair situation is a gatekeeper as well.
Two Defined Roles
The Guidance has given us two defined roles for gatekeepers: persons with (a) “approval authority” or (b) “certification responsibilities.” Don’t overthink these relatively vague terms. Approval authority means that the person can make high-level decisions on behalf of the company, including who to hire, how much to spend, where to spend it, etc. Certification responsibilities are functions that have the responsibility to verify that specific information is accurate – this could include vetting third-party business associates, reviewing the gifts and entertainment spend within a business unit for the month of May, providing accurate information to the government upon request, etc.
So, what is a compliance officer supposed to do with the guidance on gatekeepers? How do you determine who the “key” gatekeepers are in your company? What guidance do you provide them that is above and beyond the standard companywide training?
A Risk-Based Approach
The key is taking a risk-based approach, tailored to your company.
· First, identify your highest risks within the company. What laws and regulations, regions, business units, functions, and business activities are your company’s highest compliance risks? (Hint: if you haven’t conducted a risk assessment, this is the first step. The Guidance emphasizes that a risk assessment is the first step of a well-designed compliance program, and everything that follows, including the guidance and training you give key gatekeepers, should be built on it.)
· Second, identify what key controls are in place to mitigate those risks. Financial controls are important, but don’t neglect non-financial controls – due diligence activities, reporting channels, the requirement that three vendors be considered for a particular job, the need for at least two signatures on a contract, etc. Because every good compliance program has multiple controls in place, don’t try to cover every single control. Focus on the controls that you think do the most to mitigate your company’s highest risks.
· Third, identify the gatekeepers of these controls. In short, who is in charge of implementing and running the control? Who is the person who, if they weren’t doing their job properly, could cause a major compliance failure? Also note that if you have trouble identifying a specific function or team as the gatekeeper to a key control, that may mean that the process needs to be better defined (and documented).
· Fourth, provide gatekeepers with specialized training and guidance. You will want to tell the gatekeeper what their role is with regard to compliance, why it is important, what red flags to watch out for, and when and how to escalate concerns. The training and guidance you provide doesn’t need to be an hour-long bespoke in-person training, but it does need to be tailored to their specific roles. The procurement specialist in China is going to encounter very different red flags than the Head of Sales in Brazil. However short the training is, it should provide examples of high-risk situations the gatekeeper may encounter and how they should then proceed.
· Fifth, monitor and audit your gatekeepers’ gatekeeping activities. When considering what compliance activities to monitor and audit, your gatekeepers should be at the top of the list. Also, don’t get distracted by the “easy” monitoring activities. For example, a company should be more concerned with determining whether managers are properly reviewing and approving their employees’ expense reports than with the minutiae of a low-level employee’s expense report that went over the meal limits by $20.
· Sixth, update as needed. Your highest risks and your key controls will likely change over time. When you periodically update your risk assessment, remember to reevaluate who your key gatekeepers are and what additional training they should receive.
Gatekeepers hold the keys to the compliance kingdom. With great power comes great responsibility, so make sure they’re properly equipped with the right training.
Diana Trevley is Chief of Global Services for Spark Compliance Consulting. She can be reached at DianaTrevley@SparkCompliance.com.