On April 30, 2019, the Department of Justice (DOJ) released an updated version of its guidance for evaluating corporate compliance programs. A copy of the Guidance can be found here. While DOJ directly states that the document is meant to assist prosecutors in evaluating the effectiveness of a corporation’s compliance program when determining whether to charge the company and/or reach another potential resolution, it is imperative for all companies, in particular those operating in regulated industries, to review the Guidance. And in so reviewing, companies should examine and, if necessary, revise their compliance programs in light of the guidance provided. A robust compliance program will not fully inoculate a company from potential government investigation, but it will help prevent wrongdoing and, if a problem arises, it will help remediate the problem in a timely and efficient manner. Likewise, as noted in the DOJ Guidance, the existence of such a robust program will have a positive effect in reaching a better resolution in the event of an enforcement investigation.
As an initial matter, DOJ identifies three overarching questions to answer when assessing the effectiveness of a corporate compliance program:
- Is the corporation’s compliance program well designed?
- Is the program being applied earnestly and in good faith?
- Does the corporation’s compliance program work in practice?
The remainder of the Guidance lists various issues and factors to consider. Company compliance officers and legal counsel (both in-house and outside counsel) should be intimately familiar with these factors. If they are not incorporated into the company’s program, then the program should be updated to address and include them.
Is the corporation’s compliance program well designed?
The critical factors in evaluating whether the compliance program is “adequately designed for maximum effectiveness in preventing and detecting wrongdoing” are:
- Risk Assessment – Is the program appropriately designed to detect the particular types of misconduct most likely to occur in the company’s line of business and related regulatory environment? Is the program tailored to the risk assessment?
- Policies and Procedures – Does the code of conduct set forth the company’s commitment to full compliance in a way that is accessible and applicable to all company employees? What is the process for designing and implementing new policies and procedures? Do the policies reflect and deal with the spectrum of risks the company faces?
- Training and Communication – Have the policies and procedures been integrated through periodic training for all directors, officers, employees and, where appropriate, agents and business partners? Has the company provided information in a manner tailored to the audience’s size, sophistication and subject matter expertise?
- Confidential Reporting Structure and Investigation Process – Is there an efficient and trusted mechanism by which employees can anonymously or confidentially report allegations of a breach of the company’s policies or of suspected misconduct? Does the company appropriately determine which complaints or red flags merit further investigation? Is the scope of the investigation proper based on the potential issues raised?
- Third-party Management – Does the company apply risk-based due diligence to its third-party relationships? Does the company know its third-party partners’ reputations and relationships, including, if any, with foreign officials? Is there a business rationale for needing the third-party partner? How does the company address red flags raised from its due diligence of third parties?
- Mergers and Acquisitions – Does the company conduct comprehensive due diligence of acquisition targets? How has the company’s compliance function been integrated into the merger, acquisition, and integration process?
Is the corporation’s compliance program being implemented effectively?
Understanding that even the best-designed compliance program could be unsuccessful in practice if implementation is lax or ineffective, the DOJ has provided the following factors to consider when assessing whether the compliance program is a “paper program,” drafted just to gather dust on a bookshelf, or an active and robust program:
- Commitment by Senior and Middle Management – Is there a high-level commitment from company leadership to implement a culture of compliance? Has senior management clearly articulated the company’s ethical standards, conveyed them in clear and unambiguous terms, and demonstrated rigorous adherence by example?
- Autonomy and Resources – Do those employees responsible for compliance have sufficient seniority within the organization, sufficient resources for their work, and sufficient autonomy from management, including direct access to the board of directors or the board’s audit committee?
- Incentives and Disciplinary Measures – Does the company have clear disciplinary procedures in place, enforce them consistently, and ensure that the procedures/remediation are commensurate with the violations?
Does the corporation’s compliance program work in practice?
It can be simplistic and inaccurate to say that a compliance program did not work because wrongdoing occurred. Therefore, the DOJ Guidance document specifically notes that the existence of misconduct does not, by itself, mean that a compliance program was ineffective at the time of the wrongdoing. Instead, in determining the effectiveness of the compliance program, a company should (and the government will) consider the following factors:
- Continuous Improvement, Periodic Testing, and Review – Because a company’s business changes over time, as do the laws that govern its actions and industry standards, has the company engaged in meaningful efforts to review its compliance program and ensure that it is not stale?
- Investigation of Misconduct – Has the company ensured that any investigation is properly scoped? Was it independent, objective, appropriately conducted, and properly documented?
- Analysis and Remediation of Any Underlying Misconduct – Has the company taken appropriate remedial actions in a timely manner? Has the company conducted a thoughtful root cause analysis of any misconduct?
A strong compliance program will not prevent all misconduct. But it can help to limit instances of misconduct and to mitigate the adverse consequences of such misconduct. Accordingly, companies should utilize the new DOJ Guidance to evaluate and improve on their existing compliance programs.