On April 30, 2019, the U.S. Justice Department’s Criminal Division issued new policy guidance to help prosecutors evaluate whether corporate compliance programs are effective. Many of the concepts are not new, but companies should review the guidance carefully. The guidance identifies very specific questions that the DOJ expects every company to be able to answer about their compliance programs. Because the DOJ has published these questions for everyone to see, the DOJ will be more likely to evaluate compliance programs more strictly in future investigations and punish those companies who cannot provide satisfactory answers.

Why Are These Questions Important?

Prosecutors and other regulators offer more lenient treatment to companies with effective and strong compliance programs and inflict harsher treatment on companies falling short of this standard. With effective compliance programs, companies have a better chance of preventing misconduct, avoiding prosecution, saving jobs, negotiating more favorable settlements with lower penalties, avoiding onerous conditions (such as the imposition of costly third-party monitors with reporting obligations to DOJ), and narrowing the scope of investigations when problems arise.

Of course, nearly every company believes that it has a reasonable compliance program and that it is investing the appropriate resources. Nearly every company will point to its code of conduct, policies prohibiting misconduct, messages from senior leadership, risk assessments, due diligence of third parties, and so on. However, many companies under investigation – including Fortune 500 corporations with substantial compliance departments – are often surprised when DOJ prosecutors conclude that their compliance programs were not effective or adequate.

What Are The Questions That DOJ Prosecutors Will Ask Companies?

DOJ’s new guidance illustrates why prosecutors often fault compliance programs. The guidance instructs prosecutors to ask very pointed questions designed to help separate the “effective” compliance programs from the rest of them. At the most general level, prosecutors are supposed to ask if: (1) a compliance program is “well designed;” (2) it is “being applied earnestly and in good faith;” and (3) it “work[s] in practice.” Prosecutors are supposed to ask these questions while keeping in mind the specific industry risks facing the company.

Those general questions are only the starting point. Like any good cross-examiner, DOJ tries to punch holes in the arguments of companies touting their compliance programs. The new evaluation takes prosecutors through 151 detailed questions designed to test whether a company really cared about creating, implementing, and testing its compliance programs. The questions are not intended to be exhaustive, but they convey the type of sharp-edged questions that most companies will receive from DOJ in the event of an investigation.

The DOJ’s questions cover risk assessments; policies and procedures; training and communications; confidential reporting structures and investigation processes; due diligence and subsequent management of third parties; and mergers and acquisitions processes. The questions probe the commitment by senior and middle management to compliance; the autonomy and resources given to compliance personnel; the incentives and disciplinary measures utilized by the company; and the company’s commitment to improving its program to meet new and emerging risks. The questions examine the company’s willingness to test its compliance program; the quality of its investigations; the depth of the analysis used by the company when it has discovered misconduct; and the remedial actions taken by the company.

How Should Companies Respond To This New DOJ Evaluation?

Every company should attempt to answer these 151 questions. They are not easy questions, which is why many sophisticated and well-meaning companies have failed to satisfy the DOJ that their compliance programs are effective. The answers have to be detailed. The answers have to show that the company has used a thoughtful process to design, operate, and test its compliance program, given the resources available to the company. The answers have to show that the company’s compliance program is evolving over time as it adapts to the risks that it faces.

This DOJ evaluation also presents a new dilemma for companies. Traditionally, many companies have been reluctant to include significant detail in many of their compliance documents. For instance, they do not want to describe the detailed reasons behind their risk assessments. They do not compile comprehensive due diligence files. They do not want lengthy reports describing how they tested the compliance programs.

And there are good reasons for this historical reluctance. Documentation can be time-consuming and requires a company to devote scarce resources to these tasks. Companies fear that detailed compliance documents can be distorted and taken out of context by either the government or by private attorneys suing the company for private claims, leaving the company vulnerable to meritless litigation or investigations. These companies want to rely on their key employees to describe the reasoning behind their compliance decisions.

But the government’s new compliance evaluation highlights the danger of using abbreviated compliance documentation. If the company’s evidence of its compliance program consists of cursory or superficial documents, many prosecutors will tend to believe that the company did not engage in a thoughtful compliance process. Some prosecutors assume an event did not happen if there is not a document proving it. Key employees can also leave the company, departing with their institutional knowledge, or they may not remember all of the detailed reasons behind the compliance decisions. Similarly, the key employees might themselves be under investigation, and prosecutors may not credit their statements.

In light of this new DOJ guidance, companies should evaluate whether their own compliance documentation adequately shows the time, attention, and energy invested in the compliance programs. Companies should consider how they would provide the answers to these questions, remembering that prosecutors will be a skeptical audience and that they are likely to fault the company for a lack of detail.

If done properly, improved compliance documentation can make a major difference for the company and its employees. It can prevent prosecutions and save millions of dollars for companies resulting from lengthy investigations. It can save the jobs of key executives and employees who might otherwise be blamed by prosecutors, regulators, the board of directors, or shareholders for perceived deficiencies in the company’s compliance programs. The quality and depth of the company’s compliance documentation is a question that every general counsel should consider after reading DOJ’s new guidance on evaluating compliance programs.