On the heels of any investigation or during periodic compliance assessments, clients regularly ask how the Department of Justice ("DOJ") will evaluate the effectiveness of their company's compliance program or specific remediation efforts. As experienced practitioners with decades of compliance and investigations experience, Baker Botts lawyers tailor our responses for each company based on its business model, risk tolerance, existing compliance program coverage, and any specific areas of concern. We also provide clients with benchmarks based on guidance issued by the DOJ through various publications and case studies.
Last week, with little fanfare and no press release, the DOJ Fraud Section posted a memo entitled "Evaluation of Corporate Compliance Programs" that provides the most recent overview of what the government will consider and inquire about in assessing remediation of problems and the effectiveness of a company's compliance program. The memo posting comes a little over a year after the DOJ Fraud Section hired an expert compliance consultant to advise prosecutors evaluating corporate remediation and to create consistency in how the DOJ evaluates the effectiveness of compliance programs in criminal enforcement cases.
The 11 items on the "checklist" are not new and are drawn from existing guidance such as the Resource Guide to the US Foreign Corrupt Practices Act, the US Attorney's Office Manual, and Chapter 8 of the US Sentencing Guidelines. The items on the checklist are as follows:
- Analysis and Remediation of Underlying Conduct
- Senior and Middle Management
- Autonomy and Resources
- Policies and Procedures
- Risk Assessment
- Training and Communications
- Confidential Reporting and Investigation
- Incentives and Disciplinary Measures
- Continuous Improvement, Periodic Testing and Review
- Third Party Management
- Mergers & Acquisitions
While some of the checklist items relate to the nuts and bolts of the company's compliance program, others hit on mission-critical themes that continue to present the greatest challenges for compliance departments.
- Compliance programs are not static. They should be treated as evolving programs that are periodically re-evaluated and adapted to changes in business objectives and business activities.
- Compliance programs cannot just look good on paper. If a company winds up before the DOJ, it must be prepared to show how the program works in practice, how the rules are made known throughout the company and how they are applied. In particular, the DOJ will be interested in seeing how the company identified and addressed any problems and the extent to which management failures may have contributed to the issues. Companies will need to “show their work” when explaining their program. Policies alone are not enough.
- Compliance departments must be adequately resourced and empowered to do their job. They must receive support and visibility at the highest levels of the organization and they must be taken seriously. A weak, under-resourced, and disempowered compliance program cannot be effective and will never pass scrutiny if reviewed by the DOJ.
- Tone at the top and compliance culture are hard to measure but critical to any program. The cues and constant messaging on ethics from senior leadership down through the organization are an important start, but the messaging must be implemented. In sum, companies have to demonstrate that they "walk the walk." A key question that will be asked is: Have employees been receiving a consistent message from their supervisors that the company is compliance-oriented in everything it does, or is compliance viewed as merely a cost of doing business — a cost to be minimized whenever possible? If your answer veers more toward the latter, and a problem is detected and reported to the DOJ, weak compliance messaging from upper management will undermine any arguments for leniency.
- Companies must pressure test their compliance programs to maximize their effectiveness and efficiency. No compliance program is perfect. However, programs must be adapted to address and mitigate specific risks while being able to withstand scrutiny in hindsight by outsiders, including the government. As the memo makes clear, the first series of questions a company will be asked in the face of an enforcement action will test whether the underlying misconduct can be attributed to programmatic or systemic failures by the company and its management.