There has been quite a buzz since the Department of Justice announced last year that it had appointed a compliance counselor to aid prosecutors’ evaluation of compliance programs and would focus on individual culpability for wrongdoing when investigating corporate misconduct. The combination of these actions, along with the FCPA unit’s stated intention to add 10 prosecutors to its ranks, has perked ears in the C-suite and boardroom and has compliance officers asking what, in particular, DOJ will be looking for in connection with its evaluation of compliance programs.
In recent weeks, DOJ Fraud Section Chief Andrew Weissmann and Compliance Counsel Hui Chen have embarked on something of a road show, speaking publicly about their expectations for compliance programs and the anticipated effects of DOJ moves to step up enforcement. Ms. Chen has said that four broad areas of inquiry will be pursued when evaluating an organization’s compliance program:
How thoughtful is the program’s design? This line of inquiry may focus on whether internal stakeholders from across the organization are involved in a dialog about program design, who owns the compliance program, and to what extent program ownership extends outside of compliance to the business and other functional units. This point also highlights the importance of an effective risk assessment and ensuring that the program design is informed and directed by the company’s highest risks.
How operational is the program? Here, evaluation may turn on the extent to which components of the program are tied to company functions and operations. DOJ guidance cautions against “paper programs.” Ensuring that the program is effective through monitoring and auditing will be an important focus going forward.
How well do personnel at all levels of the organization communicate about compliance? Probing this aspect of compliance may concentrate on the frequency of communications among stakeholders throughout all levels of the organization about compliance issues, whether ground-level/frontline employees are knowledgeable about the compliance program and risks relevant to their duties, whether the folks back at headquarters know and appreciate the challenges facing frontline employees in the company’s various locations, and whether employees feel comfortable raising questions and issues.
How well resourced is the compliance program? This area of review is not constrained to examining the sufficiency of a company’s investment of human and financial resources, but also extends to the level of attention and commitment backing up those resources. Ms. Chen’s comments suggest that merely throwing money and people at a problem is not enough. Regional and executive leadership must be attuned to compliance concerns, receive briefings supported by data and reasoned analysis, and participate compliance initiatives.
These categories of interest point up other aspects of compliance program structure on which DOJ is likely to focus, such as compliance unit reporting lines and independence, the role of compliance once a red flag is detected, and the attributes of an adequate whistleblower program.
Mr. Weissmann has stated that in the near future DOJ will publish a list of questions Ms. Chen may pose to companies when evaluating their compliance programs. We’ll bring you a further update once that guidance is made public. In the meantime, Mr. Weissmann’s and Ms. Chen’s acknowledgement that one size does not fit all signals a flexible approach to program evaluation that should bring a measure of calm to compliance officers.