In its updated guidance issued on Tuesday, the US Department of Justice Criminal Division places effectiveness at the center of the factors used to evaluate a company’s compliance program in the context of a criminal investigation.
The US Department of Justice (DOJ) published updated guidance on April 30 on factors prosecutors should consider when analyzing the effectiveness of a corporate compliance program to prevent or detect fraud and other misconduct. The “Evaluation of Corporate Compliance Programs” (Compliance Program Guidance) updates guidance previously released on February 8, 2017, and provides companies with increased clarity on the government’s evaluation of corporate compliance programs.
This is the first formal guidance issued by the DOJ’s Fraud Section since the confirmation of the new US Attorney General.
No One-Size-Fits-All Approach
The Compliance Program Guidance expands on the “fundamental questions” previously provided to prosecutors to evaluate whether a corporate compliance program is adequately identifying and preventing wrongful conduct. These “fundamental questions” are:
- Is the corporation’s compliance program well designed?
- Is the program being applied earnestly and in good faith? In other words, is the program being implemented effectively?
- Does the corporation’s compliance program work in practice?
Notably, while the main factors relevant to a prosecutor’s analysis remain the same, the Compliance Program Guidance emphasizes that there is no one-size-fits-all approach to evaluating a company’s corporate compliance program. Instead, “each company’s risk profile and solutions to reduce its risks warrant particularized evaluation.” In making these individualized determinations, the Compliance Program Guidance provides an organized set of topics against which a company’s performance and corporate compliance program are evaluated. In doing so, however, DOJ signals that it is not just looking for a checklist of compliance efforts, but is expecting companies to build a corporate compliance program that is individualized, addresses the real and specific risks faced by the business, and is properly implemented to assure that it is truly effective.
The Compliance Program Guidance emphasizes that companies have flexibility in designing and improving a corporate compliance program in order to assure that the program is tailored and targeted to the risks that the company’s business faces given the current regulatory and legal environment. Senior management should be involved and accountable in assessing the areas of high risk. Moreover, the company should rely on the business teams to identify the greatest areas of risk, to assist in developing the appropriate and effective communication channels, and to assure that the policies, procedures, training, and additional internal controls will work effectively within the framework of the company and its culture. Each company should consider the types of misconduct that are most likely to occur in its business and measure whether its compliance program is sufficiently designed to identify, detect, and prevent such misconduct, with a prioritization of areas of high risk so that additional compliance measures are applied to particularly sensitive activities.
Further, when prosecutors are evaluating how a compliance program is structured and the sufficiency of the personnel and resources dedicated to furthering its goals, prosecutors will take into account characteristics specific to each company, such as “size, structure, and risk profile.” The Compliance Program Guidance stresses that prosecutors should ensure that a company’s corporate compliance program is not just good on paper, but is “designed to detect the particular types of misconduct most likely to occur in a particular corporation’s line of business.”
Commitment by Management
Senior management must also visibly demonstrate leadership and commitment to a culture of compliance through concrete actions. Instead of a check-the-box approach, the Compliance Program Guidance instructs prosecutors to look for examples of management setting the tone for the rest of the company and communicating to employees that senior management is serious about compliance. Senior management should go beyond just messaging and take concrete actions to model and encourage proper behavior. This would include not “tolerating compliance risks in pursuit of new business” or “encouraging employees to act unethically to achieve a business objective.”
Different strategies work best for different companies. As examples, the Compliance Program Guidance states that “some companies have found that publicizing disciplinary actions internally, where appropriate, can have valuable deterrent effects” while other companies have found that positive incentives have furthered compliance, such as personnel promotions, rewards, and bonuses for improving and developing a compliance program or demonstrating ethical leadership.
The new DOJ guidance emphasizes that prosecutors should question whether compliance expertise has been available to the company’s board of directors. This includes whether the board has met individually with the compliance and control functions, and the types of documents and information that were made available to the board, including with regard to areas where there have been violations of company policy. Companies should consider how they will address the question of board oversight regarding the compliance function, and how that oversight has been documented over time.
Investigations and Building on Lessons Learned
The Compliance Program Guidance reiterates DOJ’s longstanding principles for an effective corporate compliance program: specifically, a company’s compliance department must be well funded and have the resources, authority, and backing of management to effectively assess, investigate, and discipline violations. Companies should assure that compliance investigations are conducted in a timely and thorough manner. For example, companies should put in place procedures to assure that the “investigations are independent, objective, appropriately conducted, and properly documented.” Should misconduct be identified, the Compliance Program Guidance calls for a company to undertake “an adequate and honest root cause analysis to understand both what contributed to the misconduct and the degree of remediation needed to prevent similar events in the future.” By doing so, companies are not only being reactive and addressing the misconduct at hand, but can use the investigation as an opportunity to identify the root cause of the misconduct and any weaknesses in a company’s compliance program practices or internal controls. The company can then make modifications and enhancements where needed based on these “lessons learned.”
Incentives to Companies
In this guidance document, DOJ reminds companies that prosecutors “may reward efforts to promote improvement and sustainability” within the company’s compliance program, and highlights some of the ways DOJ will make that determination. One of the critical ways that a company can improve and sustain its compliance program is by establishing an auditing and monitoring process that is proactive and considers lessons learned from prior problems. Not surprisingly, the DOJ guidance focuses on the importance of this subject area and counsels prosecutors to examine whether and to what extent a company has utilized resources effectively to audit and monitor business activities that present compliance risk. Prosecutors will be looking at whether internal audit has examined the company’s compliance program, its findings, and remediation following those audits. The guidance also advises prosecutors to question whether a company has undertaken testing of controls, performed data analytics in areas of compliance risk, and followed up with interviews of employees when red flags are identified to run issues to ground. DOJ also suggests that prosecutors examine how often and in what form the company is measuring its culture of compliance by seeking input from employees throughout the organization regarding their perceptions of management’s commitment to compliance. In other words, rather than simply relying on a company compliance hotline to catalog potential violations, are companies seeking input from employees about the company’s compliance culture before violations are reported?
The DOJ guidance acknowledges throughout that each company is different, and the extent to which compliance measures are sufficient to address risk and be effective will vary based on individual circumstances. Importantly, this guidance document stresses to companies that while favorable consideration from DOJ in the course of a government investigation is achievable for companies that have implemented effective compliance programs, “more importantly, [companies] may avert problems down the line.”
Perhaps the key takeaway from this new guidance is that more than ever, companies must examine the risk calculus in deciding how much to invest in a corporate compliance program. With greater emphasis, DOJ has expressed the view that “paper programs” are not sufficient, and the department is becoming much more sophisticated in its approach to determining the effectiveness of a corporate compliance program. While size and shape will vary, every company must ask itself whether it is addressing each of the elements of an effective compliance program, and whether it has devoted sufficient resources to addressing the higher risk business activities, not just on a reactive basis, but in anticipation that compliance violations may occur. Averting “problems down the line,” while often hard to value from a return on investment standpoint, is likely the greatest incentive for companies that invest in and implement effective compliance programs.
As corporate compliance programs continue to be closely scrutinized, companies and their boards, senior management, and legal and compliance departments should tailor their corporate compliance programs to issues and risk areas specific to the company’s business. Senior management plays a critical role in identifying these issues and risk areas and must serve as an example and enforcer of good compliance practices. Companies cannot let their compliance programs get stale and must continue to innovate, revamp, and enhance their corporate compliance practices based on lessons learned. DOJ emphasizes that “one hallmark of an effective compliance program is its capacity to improve and evolve.”