In early February, the US Department of Justice (DOJ) Fraud Section quietly released a short paper entitled “Evaluation of Corporate Compliance Programs,” which sheds more light on how the DOJ’s new compliance expert will differentiate effective compliance programs from those that are superficially pretty. In the paper, the Fraud Section reiterates that the factors it considers in deciding whether to investigate, charge or negotiate with a corporation (called the “Filip Factors”) necessarily require a fact-specific assessment. The topics the Fraud Section considers in conducting its assessment – like tone at the top, third party risk assessments and compliance resources – are not new. Yet, the paper provides an important glimpse into “common questions that we may ask” in evaluating how an individual organization passes muster under the Filip Factors. Many of the “sample questions” highlight where the Fraud Section will press to ferret out those corporations that have simply adopted a check-the-box compliance program, versus those that have embraced compliance as a cultural imperative.
The paper enumerates 11 sample topics that the Fraud Section “has frequently found relevant in evaluating a corporate compliance program.” Many of these topics appear in other compliance resources, but their presence here shows their durability as measures by which corporations will be judged. The topics include:
- Analysis and remediation of underlying misconduct, including root cause analysis of compliance failures and whether similar incidents occurred in the past;
- Senior and middle management words and deeds to convey and model proper behavior;
- Autonomy and resources of the compliance function including stature, qualifications and funding;
- Operational integration of compliance policies and procedures into a control framework;
- Risk assessment process and the role of metrics;
- Incentives and disciplinary measures and whether they are effective, consistent, and fairly meted out; and
- Continuous improvement, periodic testing, and review.
Thematically, the topics convey that a successful compliance program responds and reacts to each compliance failure. Compliance needs to bear the visible support of top – and middle – management and run under the leadership of well-resourced compliance professionals. Compliance does not exist isolated from a company’s day-to-day operations and strategic decision-making, but is integrated throughout both.
“Common Questions” to Probe a Company’s Compliance Program
The Fraud Section is careful to note that it “does not use any rigid formula to assess the effectiveness of corporate compliance programs” and that each company’s “risk profile and solutions to reduce its risks warrant particularized evaluation.” Yet, the paper sets forth “common questions” that the Fraud Section may ask in making that individualized determination.
Many of the questions coalesce around three critical avenues to explore whether a company has embedded compliance into its culture: (1) the company’s processes for lessons learned, (2) the effectiveness of its gatekeepers and (3) the integration of compliance into the business.
Processes for lessons learned
These questions probe whether the company is learning from prior compliance mistakes or simply punishing the wrongdoer without seeking and correcting systemic failures. For example:
- “Were there prior opportunities to detect the misconduct in question, such as audit reports identifying relevant control failures . . . ? What is the company’s analysis of why such opportunities were missed?”
- “What controls failed or were absent that would have detected or prevented the misconduct? Are they there now?”
- “Has the company’s investigation been used to identify root causes, system vulnerabilities, and accountability lapses, including among supervisory manager and senior executives?”
- “What information or metrics has the company collected and used to help detect the type of misconduct in question? How has the information or metrics informed the company’s compliance program?”
Effectiveness of gatekeepers
These questions explore not only stature and skill of compliance personnel and personnel in other control functions in the organization, but also whether reports of misconduct get to the right responders. For example:
- “What has been the turnover rate for compliance and relevant control function personnel?”
- “Who reviewed the performance of the compliance function and what was the review process?”
- “Has the company outsourced all or parts of its compliance functions to an external firm or consultant? . . . How has the effectiveness of the outsourced process been assessed?”
- “Has there been clear guidance and/or training for the key gatekeepers . . . in the control processes relevant to the misconduct?”
- “Has the compliance function had full access to reporting and investigative information?”
Integration of compliance into the business
Many of the Fraud Section’s questions attempt to shine light on whether a company has woven compliance into its day-to-day business, from board room to the factory floor. Questions include:
- “What specific actions have senior leaders and other stakeholders (e.g., business and operational managers, Finance, Procurement, Legal, Human Resources) taken to demonstrate their commitment to compliance . . . ?”
- “What compliance expertise has been available on the board of directors?”
- “What role has compliance played in the company’s strategic and operational decisions?”
- “Have business units/divisions been consulted prior to rolling [new policies and procedures] out?”
These questions suggest that the Fraud Section will continue to press on a key vulnerability that plagues the compliance efforts of many organizations – how to translate a well-designed compliance program into the cultural fabric of the company. And prosecutors will not likely be impressed without demonstrable proof of action at all levels of the organization and across all aspects of its business.