Law360, New York (November 6, 2015, 12:37 PM ET) -- When I first began to represent companies on Foreign Corrupt Practices Act matters before the US Department of Justice's Fraud Section, it was not uncommon to appear with a client that had no anti-corruption policy whatsoever. That rarely happens today, and when it does let’s just say that explaining how the client is implementing its first policy is not a great icebreaker.

Over 20 years, both the best and common practices have evolved substantially. A policy no longer cuts it — enforcement authorities will expect to see an interlocking series of policies tailored to the risks the company faces. And in a steady drumbeat over this past year the DOJ and US Securities and Exchange Commission have made clear that a “fire-and-forget” compliance policy-cum-program no longer passes muster.

A signal event in this shift was the Bruker settlement, where the company was held responsible for corrupt activities in its China subsidiary with no evidence of headquarters involvement or knowledge. Rather, it was the lack of activity that created the basis for the settlement — the failure to take any steps to ensure that a nifty set of policies, which had been promulgated down to the subsidiary, had actually been implemented. In other words, they had a policy, but no program.

The recent appointment of the DOJ’s first internal compliance expert, or more to the point Assistant Attorney General Leslie Caldwell’s speech crowing over that appointment, marks another nail in the fire-and-forget coffin. Caldwell referred to such compliance programs as “paper programs” and stated that this new appointment would allow the DOJ to more accurately assess companies’ programs. Caldwell’s speech highlighted six factors the department, and the compliance counsel in particular, will look to in assessing compliance programs — some familiar, but several others speaking directly to the progression from words to action. The boldface taglines and the commentaries are ours:

Tone at the Top: Does the institution ensure that its directors and senior managers provide strong, explicit and visible support for its corporate compliance policies?

Nothing new here; Anti-Corruption 101.

Organizational Authority and Visibility: Do the people who are responsible for compliance have stature within the company? Do compliance teams get adequate funding and access to actual resources? Of course we don't expect that a small company has the same compliance resources as a Fortune 50 company.

The second question is a twist. Call it the Benghazi factor — an email record filled with the complaints of a resource-constrained compliance program is a ticking time bomb, especially when a disgruntled former compliance employee finds his or her whistle. Does this mean that compliance gets a blank check? No. But it means the resources allocated to compliance should be tied to risk, and to changes in risk, separate and apart from the company’s overall economics. Let’s be real: if the firm’s overall economics require a reduction in resources, so be it, but make that change a smart change through a risk-based methodology. And remember, if it isn’t documented, it didn’t happen. This message is particularly directed to oil patch companies in the grimly challenging period that sector is now going through.

Although companies must create risk-based compliance programs with an eye to their own resources, Caldwell pointed to the recent F/X cases to highlight the dangers of tailoring too aggressively and attempting to limit a compliance program based on regulatory priorities.

Companies will want to make certain that they are not out of sync with their peer companies in terms of managing their compliance departments. If another similar-sized company in a comparable financial situation appears to devote more funding and resources to its compliance program, that will reflect badly on the under-resourced company.

Accessibility: Are the institution's compliance policies clear and in writing? Are they easily understood by employees? Are the policies translated into languages spoken by the company's employees?

One would be tempted to say this is Anti-Corruption 101, but in Bruker and other cases the policies were not in the languages of the host countries in which the companies operated. Easy fix. Hard-to-forgive whiff.

Training, Beyond Check the Box: Does the institution ensure that its compliance policies are effectively communicated to all employees? Are its written policies easy for employees to find? Do employees have repeated training, which includes direction regarding what to do or with whom to consult when issues arise?

It used to be a great answer to say everyone does an online training. But let’s apply a little brain science — thoughts get ingrained and behavior changes through repeated exposure on different vectors. A one-size-fits-all online training for worldwide employees is a good start but nowhere near the end of a program capable of creating alignment between employee attitudes and corporate policy.

Living Policies and Continuous Improvement: Does the institution review its policies and practices to keep them up to date with evolving risks and circumstances? This is especially important if a US-based entity acquires or merges with another business, especially a foreign one.

This ties into the last point. If your policies have not been updated in five years, they are out of date. And when policies are updated, those changes both illustrate the company’s commitment to a real program and provide a great vector for reinforcing training in the basics of the program. This theme was echoed elsewhere in Caldwell’s speech, where she noted that when the department makes a charging determination, it considers what remedial measures were taken after a company discovers misconduct and whether there was an effort to improve the compliance program.

Consequences: Are there mechanisms to enforce compliance policies? Those include incentivizing good compliance and disciplining violations. Is discipline even-handed? The DOJ does not look favorably on situations in which low-level employees who may have engaged in misconduct are terminated, but the more senior people who either directed or deliberately turned a blind eye to the conduct suffer no consequences. Such action sends the wrong message — to other employees, to the market and to the government — about the institution's commitment to compliance.

In a callback to the Yates memorandum, we see here again the DOJ-qua-LBJ focus on putting skins on the wall. I was surprised not to see this included explicitly in the Caldwell speech, but one of the things the DOJ is talking about here (beyond firing people) is integrating compliance into personnel assessment systems, including but not limited to compensation systems. I find it difficult to argue with DOJ officials who say: “We know what company X values, and so do its employees, because those values are directly reflected in the metrics on which compensation is based.” This is a best practice that is rapidly becoming common practice. And it strikes a chord with a broader theme: a program, as compared with a policy, will be integrated into the company’s existing business systems and procedures.

Beyond the Walls: Does the institution sensitize third parties like vendors, agents or consultants to the company's expectation that its partners are also serious about compliance? This means more than including boilerplate language in a contract. It means taking action — including termination of a business relationship — if a partner demonstrates a lack of respect for laws and policies. And that attitude toward partner compliance must exist regardless of geographic location.

This is really just an extension of no “fire and forget” — the DOJ wants to see the contract language and certifications, but it also wants to see audit clauses that are used and consequences for noncompliance.

Continuous improvement is no longer just a good idea. In the recent actions and words of the DOJ, we see some critical tools and methods for evolving from a dusty policy to a living program.