Alyssa S. Lawrence (alyssa.lawrence@miami.edu) is Senior Director, Compliance, and Hannah G. Kent (hannah.kent@miami.edu) is Compliance Specialist at University of Miami Health System in Miami, FL.
Effective compliance programs serve to prevent and detect criminal conduct and promote a culture of ethics and compliance with the law. Conducting investigations on allegations of misconduct is integral to this process. The current worldwide pandemic has altered the normal investigations process by requiring creative solutions to unforeseen roadblocks. Nevertheless, compliance officers can still conduct thorough investigations by being flexible and remaining committed to high standards.
The requirements for an effective compliance and ethics program are outlined in the Federal Sentencing Guidelines.[1] The Federal Sentencing Guidelines are recommendations set by the U.S. Sentencing Commission that outline voluntary guideposts for federal courts in criminal cases. The guidelines stipulate that an effective compliance and ethics program can reduce sentences for a company’s federal offenses. The historical diligence of a company’s compliance program has a “direct bearing” on the penalties and probation should the company be sentenced for a criminal offense. Specifically, the guidelines task prosecutors to assess the company’s process for handling investigations of noncompliance, including whether the company directs complaints to the appropriate personnel, completes investigations in a timely and thorough manner, and conducts the proper follow-up and discipline.[2] It therefore remains highly important to uphold the quality of compliance investigations throughout this prolonged period of new challenges.
Best practices, no matter what
The ability to conduct an effective and fair internal compliance investigation is critical to the success of the employer. Not only are these internal investigations scrutinized by the government if you find yourself in their crosshairs, but internal compliance investigations can resolve internal matters, help build a culture where employees feel heard, and shape the general strategy on compliance matters. The goal of all investigations should be to determine the facts of the case. In the fact-finding process, identifying, implementing, and executing a methodical practice on internal compliance investigations is imperative for a well-functioning compliance department. These best practices remain applicable regardless of the size of the institution. Deviating from protocols on how to investigate compliance matters may not just risk credibility with the government upon external review, but also can lead to the compliance department itself losing credibility within its own institution. If a compliance department follows protocol while investigating a junior level staffer for a policy violation and human resources/management terminates their employment, then regardless of any negative emotions, the department can say they completed a fair and comprehensive investigation. However, what happens when a senior executive is investigated for the same policy violation, but the compliance department, under pressure from management, fails to do the same document review, interview protocol, and offers guidance to make exceptions to the policy? It’s not just bad optics; it also leads to a bad culture. Uniform enforcement is the pinnacle of a well-developed compliance program. There are some tools that can assist compliance departments in shaping an investigative system to be as consistent as possible, as much as possible.
Policies and standard operating procedures
Policy writing is a challenging task for compliance professionals. Each institution/organization approaches policies differently. Some prefer simple policies with as few words as possible, while others prefer lengthy policies that outline procedures for every possible fact pattern. A middle ground is likely the best, as with most concepts.
Tip: It’s okay if policies are simple.
Your organization investigates all credible allegations of suspected or known violations of internal policy and/or applicable federal or state law. A good way to ground these investigations is to create a compliance investigations policy that will lay the groundwork for the methodology and purpose of compliance investigations. A well-written, well-publicized policy gives the compliance staff a direction and a goal, with concrete steps and boundaries, and more importantly, the compliance staff can use the policy as a way to justify actions taken as part of an investigation. You can expand that policy to note the fairness, consistency, and integrity of the investigation process. Another option to consider is whether your institution actually investigates all reports, or only all credible reports. If there is a distinction, this should be noted either in the policy statement or in the policy procedures. We regularly use a simple example to explain how a compliance program may not investigate all claims of wrongdoing: an employee calls in complaining that their supervisor only wears green shirts on Wednesdays, and it is annoying to them. Does the compliance office need to investigate that? Careful language will help keep your office in scope. Most compliance offices are not so large that any comment can be thoroughly investigated. Additionally, compliance offices have different scopes around the country. Does your compliance department cover privacy and data security? Foreign Corrupt Practices Act? Is it limited to fraud, waste, and abuse? These distinctions may be helpful when writing a broad policy.
In policy procedures, consider items that would apply to all employees of the organization. How does an investigation become initiated? Do your employees have an affirmative duty to report wrongdoing? What level of confidentiality can you commit to providing those involved? Do your employees have an obligation to be truthful and to cooperate? Some recommendations may also be to add in a line about how investigations are documented and about working with your legal office, human resources, or any other assurance function that may work with you frequently on these types of matters.
Standard operating procedures are important to consider, especially if you have a large investigations unit. Describing the steps you take for each investigation can get very granular. Compliance management may want to do this to assist with succession planning, or to address general time concerns. If your head of investigations took a leave for a few weeks, would the staff know what to do? Where do they start? Do they notify a supervisor prior to initiating an investigation into a particular employee? Are there certain types of investigations that require upper management or board notification? When does the compliance department call the legal team? What is the process for interviewing employees? What do reports look like? What event triggers a corrective action? All of these questions—and plenty more—are important to discuss at the management level.
Systems: Leveraging technology
How does a compliance office ensure that your own policies and standard operating procedures are being followed? That investigations are handled in a timely manner? How can a compliance officer, who is not involved in each investigation, actually provide oversight? These questions can be answered simply by investing in a good investigation/case management system. A system that tracks your cases and your activity can allow you to not only get a handle on what your compliance team is doing, but will also give you data to report to your own leadership and board. Access to this kind of data will help you answer questions relating to how many cases you handle in a quarter, your frequent topics of investigations, and your average length of time to close a case. One example where this is particularly helpful is in defining how to close a case. Is a case closed when compliance is finished and reported out? Is it when the corrective action plan is issued? What about when all the corrective action plan items are resolved? This question, in particular, is extremely helpful for planning: Are you seeing a significant uptick in conflict-of-interest investigations? Maybe you should consider auditing the Centers for Medicare & Medicaid Services Open Payments data,[3] or maybe launch an educational initiative. From a management perspective, a system that tracks all current (and closed) matters is helpful. At any given moment, you can log in and see the status on all cases. You can decide how you want that to look—some programs are very customizable, some are not; some departments use the same system they use for the hotline, some use something else. The key is to document what you are doing and report on what you are doing. When you look at all of your cases together, it is easy to see where you are diverting from the established process, even accidentally. Systems also help you keep your records in compliance with your own policies and the requirements by the managed care companies and the government.