During a periodic review, a compliance director notes that while the company's written anti-bribery policy is comprehensive, it has not been revised or audited in five years. During this period, the organization expanded operations into three developing markets known for corruption risks. In which core program element has the company failed?
Select an answer to reveal the explanation.
Short Explanation and Infographic
Here's a scenario: you configure your network security rules in 2021, and then you never touch them again. Meanwhile, you open three new branch offices, connect to public clouds, and let everyone work from home. Do you think those old rules are going to protect you today? Not a chance! Hackers will eat you alive. The same goes for compliance. Your business changes, the world changes, and new risks emerge. If your policies are gathering dust for five years while you expand into high-risk global markets, you've got a major gap in ongoing monitoring and adaptation. The correct answer is C. A good program is a living document, not a museum piece. Let's make sure we keep updating and auditing, or the regulators will have a field day.
Full explanation below image
Full Explanation
The correct answer is C. A compliance program must be a dynamic, living system. The FSGO and DOJ evaluation guidelines emphasize that organizations must continuously monitor, audit, and adapt their compliance programs to ensure effectiveness. When an organization's business changes—such as expanding into high-risk geographic markets—its risk profile shifts significantly. A program that remains unchanged for five years under these conditions fails the requirement of ongoing monitoring and adaptation, leaving the company vulnerable to unmitigated risks.
Let's analyze why the other options are incorrect: - Option A is incorrect because while third-party risk management is an important operational risk area, the root failure in this scenario is the high-level failure to evaluate and update the overall program in response to corporate growth. - Option B is incorrect because training and communication, even if executed regularly, will be ineffective if they are based on outdated policies that do not address the company's current operational realities. - Option D is incorrect because the scenario describes a failure to evaluate, review, and update policy controls in response to geographic expansion, which is a monitoring and adaptation failure rather than a failure of the disciplinary process.