Completing Remediation Pre-Resolution Can Save Companies Millions and Avoid Post-Settlement Obligations
This article is part 3 in a series on remediation. Read part 1 on Root Cause Analysis here and part 2 on Read Across and Remediation here.
Failing to complete remediation before settling with the government can lead to severe consequences, including criminal charges, formal enforcement action, severe fines and penalties, self-reporting, and even third-party government oversight.
Conversely, completing remediation before resolution yields significant benefits, including no criminal charges, no formal enforcement action, and substantially reduced fines and penalties. However, reaping these benefits is challenging.
For example, the DOJ requires that organizations be effectively remediated at the time of the resolution to fully benefit from the DOJ Criminal Division Corporate Enforcement Policy (“CEP”). Losing CEP benefits is costly, potentially leading to criminal prosecution and fines double what they would have paid if they had met the CEP criteria. Organizations may also face a corporate compliance monitor under the DOJ Criminal Division’s Monitor Selection Policy. Even if the organization avoids third-party oversight, it faces the financial burden and years of time-consuming post-settlement obligations and self-reporting.
These policies are not unique to DOJ. Prosecutors and regulators worldwide reward organizations that remediate early and punish those that fail to act.
Given these carrots and sticks, you would expect organizations under investigation to complete remediation before settlement. But most are unsuccessful, perhaps because they are in the business of providing services and products rather than remediation.
Building on the discussion of Root Cause Analysis (“RCA”) and Read Across earlier in our multi-article series for effective remediation, we suggest these essential steps for on-time and under-budget remediation corrective action plans (“CAPs”).
1. Build CAPs Around Stakeholder Expectations
Remediation plans commonly fail because they address only the immediate problem, not broader stakeholder expectations.
Address Root Causes
To satisfy the CEP, organizations must show that they conducted a “thorough analysis of causes of underlying conduct (i.e., a root cause analysis) and, where appropriate, remediation to address the root causes.” 1 Root cause analysis necessitates an objective, cross-disciplinary team applying an acceptable risk management framework (e.g., COSO) for significant compliance violations and misconduct.2 To show that the root causes have been addressed, the remediation team should frame its conclusion as actionable findings.
Implement an Effective Compliance and Ethics Program
The CEP goes even further. Besides fixing root causes, the CEP defines remediation to include “[i]mplementation of an effective compliance and ethics program.”3 Although the CEP acknowledges that the program will vary depending on the organization’s size, resources, and risks, the DOJ will assess against it the most current DOJ Criminal Division Evaluation of Corporate Compliance Programs (“ECCP”). CAPs, therefore, must also include steps the organization will take to fill gaps between the organization’s program and the ECCP. It is essential to start early because compliance program flaws, particularly those involving control environment, risk assessments and technological deficiencies, can take years to remediate.
2. “Check and Challenge” Executability
Organizations usually structure remediation efforts into workstream initiatives and, as a first step, require workstreams to develop CAPs. CAPs should follow a consistent format that (1) describes the initiative, (2) itemizes the work steps, (3) assigns responsibility and accountability, (4) establishes milestones and target dates, (5) identifies required resources, and (6) notes dependencies (e.g., technological solutions).4
Build a Realistic Timeline
CAPs vary in quality and comprehensiveness, particularly in remediation projects using multiple workstreams. Workstreams tend to underestimate the time and resources necessary to design, implement, and conduct training on enhanced processes and controls. Allocate additional time if remediation involves developing or procuring technology. Build enough time for improvements to function sufficiently to allow for operational effectiveness testing.
Include Milestones. Milestones should be identified to gauge progress and define success. They should also be verifiable to guard against workstreams prematurely declaring milestone completion.
Avoid “Plans for a Plan”
CAPs should note the steps needed to develop solutions when the organization has not yet determined how to address an issue. Be transparent that the organization has not yet created a solution and update the timeline when one has been found.
“Check and Challenge”
Press workstreams to defend the timeline’s achievability, including the adequacy of resources and potential risks and dependencies, and the scope of remediation, including how remediation addresses root causes and meets the DOJ ECCP and other relevant regulatory standards and guidelines.
3. Project the ROI
Treat remediation as an investment by budgeting costs and benefits and aiming for a positive return.
Estimating costs demands detailed action steps. Include costs for internal resources and out-of-pocket expenses. Creating a budget will make it apparent that large remediation projects require dedicated resources drawn from across the organization and, if necessary, externally.
Apply the CEP and compare similar cases to estimate likely reductions in fines and penalties. These savings alone will deliver a positive ROI. Consider whether remediation affords opportunities to cut costs, maximize revenues and safeguard tangible and intangible assets. Highlight how remediation aligns with the company’s strategic objectives and can contribute to overall business success. Frame remediation as a competitive advantage and emphasize the Importance of stakeholder engagement.
4. Incorporate Project Management
Most organizations have project management resources and frameworks to apply to remediation projects. Key actions include:
Staff with Multi-Disciplinary, Cross-Functional Resources
Remediation requires a handful of dedicated resources knowledgeable of the industry and the organization’s day-to-day business operations and experienced in root cause analysis, risk identification and mitigation, and compliance controls testing. Besides compliance and legal resources, include well-respected business segment personnel.
Implement a Remediation Dashboard
Dashboards enable the remediation team to track and report on the status of the CAPs. They can be as simple as manually prepared spreadsheets, although most organizations engage in-house or third-party experts to develop a customized project management dashboard.
Perform “Real-Time” Assurance
Prematurely marking milestones complete poses a significant risk to the overarching remediation plan, particularly where milestones are interconnected. To mitigate this risk, we suggest a “real-time” assurance process that mimics an audit or review to test whether the milestone has been met.
Establish an Oversight Committee. Establishing a committee or formal governance responsible for overseeing the execution of the CAPs that includes senior management representatives from business and control functions helps drive accountability and timely remediation.
5. Certify Pre-Settlement to Avoid Post-Settlement Obligations
CAPs should anticipate how the organization intends to persuade stakeholders of the remediation’s effectiveness. The gold standard is to issue certifications like the DOJ requires in corporate settlement agreements (i.e., non-prosecution, deferred prosecution, and plea agreements).5 Those agreements require certification of the compliance program’s effectiveness. The only difference is that the certification occurs before, not after, settlement.6
Remediation and compliance program certification pre-settlement enables organizations to argue for no self-reporting and post-settlement certification. However, the organization must demonstrate that the certification derives from a rigorous process, including independent testing.7 Key steps include selecting a framework and criteria; identifying and assessing significant ethics and compliance risks and scenarios; evaluating the design and operating effectiveness of the risk response; executing a corrective action plan to cure deficiencies; implementing an evidence-based sub-certification waterfall; and arranging for an independent third party or internal audit validate that the program meets the framework and criteria.8
Moving Ahead: Stay tuned for the next piece in this series, where we offer steps to meet testing design and operating effectiveness expectations.
1 DOJ Criminal Division, Corporate Enforcement and Voluntary Disclosure Policy ¶5c (2023) (“CEP”)
2 J. Frank, M. Edwards and C. Hoyle, A Primer in Root Cause Analysis: A Critical Step in the Remediation of Compliance Violations, StoneTurn Alert (2024) . See J. Frank, Remediation, Litigation Services Handbook, Chapter 13A (2015)
3 CEP, supra, ¶5c
4 For a sample CAP, see J. Frank, M. Edwards, C. Hoyle, L. Greenman, K. Ioffe, Meeting DOJ and SEC Post-Settlement Obligations: A Practical Guide, StoneTurn Client Alert (2023) (“StoneTurn Post-Settlement Guide”)
5 See generally J. Frank, M. Edwards, C. Hoyle, L. Greenman, K. Ioffe, Meeting DOJ and SEC Post-Settlement Obligations: A Practical Guide, StoneTurn Client Alert (2023) (“StoneTurn Post-Settlement Guide”)
6 See J. Frank, K. Nolan, Great Expectations: Certification of Ethics and Compliance Program Effectiveness, COSMOS (2023)
7 See J. Frank, K. Nolan, Great Expectations: Certification of Ethics and Compliance Program Effectiveness, COSMOS (2023)
8 StoneTurn Post-Settlement Guide, supra, at pp.12 – 15.
If you have any questions or would like to find out more about this topic please reach out to Jonny Frank, Chris Hoyle or Michele Edwards.
To receive StoneTurn Insights, sign up for our newsletter.