Article

Seven Actions to Make the Most of Your Corporate Monitorship

Recommended actions your organization can take to make the Monitorship as useful and painless as possible.

By Alma Angotti, Samantha Welch, Gene Bolton

Federal and state regulators continue to use corporate Monitors to resolve criminal, civil, and regulatory actions against corporate defendants across industries such as financial services, pharmaceuticals, telecommunications, energy, healthcare, medical devices, extractives, and transportation. A corporate Monitor or Independent Consultant is an independent third party that oversees your institution’s remediation efforts and reports your progress and pitfalls directly to the U.S. Department of Justice (DOJ), or other federal or state agencies joining in the enforcement action.

The presence of a Monitor can be daunting, but it can also be very beneficial. A good Monitor can be quite useful to the Compliance Department, giving thoughtful advice on needed enhancements, and may help you secure the resources—human and technological—and other tools needed to manage your risk. The wrong Monitor, potentially lacking real-world industry-specific compliance and/or operational experience, can wreak havoc on your operations. Avoid implementing unsustainable solutions by working closely with your Monitor and Regulators if it appears that a Monitor’s recommendation is not effective and efficient. If you think a Monitor may be in your future, start planning now.  

Guidehouse recommends the following actions your organization can take right now to make the Monitorship as useful and painless as possible:

 

1. Design Your Action Plan

Regulators and the Monitor will let you know exactly what they think is wrong with your corporate compliance program. But now is the time to take a holistic approach and look at everything you might need to enhance your program. It does not help to fix one part of a program and let weaknesses in other areas linger. The Monitor may be responsible for helping you identify the areas for enhancement, but any work you do on your own will help you keep control of the cadence of the remediation effort. Nothing invites failure like attempting to accomplish major compliance changes too quickly. Develop an action plan that:

  • Spells  out remediation efforts in detail, if they are known. If they are not known, identify what must happen so you can know them, and then what must happen once you know them. Update the Action Plan as remediation efforts progress, or change.
  • Provides for a reasonable timeline. Technology implementations or enhancements may take longer to implement properly or are highly vulnerable to timing challenges due to the many dependencies and moving parts of technology upgrades/changes.  
  • Assigns a responsible person to each remediation area or compliance program area. Nothing encourages success like accountability.
 

2. Build Your Project Management Office

You will need a robust Project Management Office (PMO) led by someone with experience in heading large, complex efforts and with some stature in the company. A low-level administrative PMO may not have the experience necessary to know when something is important or the gravitas necessary to get senior management’s attention when needed. The PMO generally should be a full-time position and have resources, commensurate with the complexity of the remediation effort, to keep the work moving according to plan, to understand dependencies and roadblocks, and know whom to contact to manage those issues. The PMO should:

  • Track all requests from the Monitor, and organize documents and information provided in response to those requests.
  • Respond timely to all requests from the Monitor for documents, information, and access to the company’s personnel.
  • Communicate to the Monitor any changes to the timeline. If you are going to be late, communicate quickly that you will not make a milestone and indicate why.
  • Meet regularly with the Monitor. Early on, set more frequent meetings to establish a good cadence, and then dial back meetings when the time is appropriate.

 

3. Involve Senior Management and Your Board

Senior management and board involvement is crucial in a successful remediation of any kind, but particularly when there is a Monitor. Bring local and national head office leadership to meetings with the Monitor regularly to show tone at the top and have leadership participate at meetings and calls to show their involvement.  

While a good Independent Consultant can be invaluable, the involvement of the business leadership will pay dividends, even after the Monitor leaves. The leadership will generally have a clear idea of why the institution made certain decisions, why money was spent the way it was, and the effect of the enhancements on the institution’s operations and program before it happens. If the institution is headquartered outside of the U.S., make sure the Monitor and the Regulator also meet with leadership from the international home office periodically. It will prove that the institution is striving for the right blend of head office oversight and local control. Institutions can operationalize leadership involvement by:

  • Creating a Steering Committee that includes senior business and compliance leaders to discuss the progress of the Monitorship, the progress of the remediation, and the budget.
  • Reporting regularly to the board of directors, or the appropriate board committee, and the home office board, as appropriate.
  • Including business leadership in operating committees working on the remediation. The first-line involvement is critical to enhance risk mitigation efforts.
 

4. Communicate Often and With Everyone

There is almost no such thing as too much communication when mounting a remediation effort under the eye of a Monitor. Therefore, institutions should:

  • Communicate with the personnel of the institution so they know what is happening and why, and what role they have in managing the risk of the institution.  
  • Form a Risk Committee that includes compliance, business, technology, and risk personnel if you do not have one now. It will be important to get such a committee’s input into compliance issues that affect the business and will be critical to your business-as-usual (BAU) compliance efforts once the remediation is complete.
  • Meet with the Monitor regularly, including business leadership and consultants.
  • Organize meetings with your Regulator, not just the Monitor. Do not let the Monitor own your narrative with the Regulator.
  • Include Internal Audit in the process. Internal Audit can provide valuable insight into the progress of the remediation by periodically testing enhancements at various points during the Monitorship. Internal Audit can validate that an enhancement really is properly implemented and sustainable before the testing by the Monitor.

 

5. Set Expectations on Timing Early

Educate the Monitor on how the institution operates with respect to corporate governance, local versus head office dependencies, what approvals are necessary for changes and decisions, and how long that might take. For example, the Monitor and regulator may request changes to the program that require governance and oversight that involve head office approval or notification. While the institution should be able to expedite governance and oversight processes, changes will not be immediate and certain changes may take longer than others. If the Monitor understands the process, they should not be concerned unless the timelines seem unreasonable.

 

6. Do Not Be Afraid to Ask Questions

It is important to assess the scope of the Monitorship regularly and discuss with the Monitor whether the scope of the engagement has expanded. The Monitor might exceed the scope, or it may be subject to interpretation. Monitorships are quite vulnerable to scope creep, which can have significant ramifications after the Monitorship is complete. Moreover, early in the process, try to become comfortable discussing precisely what a Monitor’s recommendation means and discuss the impact or unintended consequences, if any, so that there is agreement on whether the recommendation can be effectively operationalized or whether there is another recommendation/solution that could accomplish the same result.

 

7. Define Success

It is critical to know what success looks like to avoid chasing a moving target. Work with the Monitor to specifically identify the targets that you must meet for an element to be considered remediated. Certain deficiencies, such as lack of training on a particular subject, will be easy to fix. Others, such as enhancing your investigative processes, will be more difficult to implement. Decide in advance, with the Monitor, what that means. Using the example of enhanced investigative processes for a financial institution, a three-month sample of alert reviews might show that the new protocols are properly implemented, sustainable, and resulting in better Suspicious Activity Reports. Success will be different for each element of the remediation. Be sure you know where that goal line is.

 
The best defense is a good offense. Make sure you review and enhance your corporate compliance program often and respond quickly to regulatory, internal audit, and compliance testing results. The hardest part of an enforcement action is often not the fines and legal fees but managing the additional program remediation work while trying to keep up with BAU activities. Your risk-based decisions could become subject to challenge, or, worse, you lose control of your compliance program and risk tolerance.

Let Us Guide You

Guidehouse is a global consultancy providing advisory, digital, and managed services to the commercial and public sectors. Purpose-built to serve the national security, financial services, healthcare, energy, and infrastructure industries, the firm collaborates with leaders to outwit complexity and achieve transformational changes that meaningfully shape the future.

Stay ahead of the curve with news, insights and updates from Guidehouse about issues relevant to your organization and its work.