DOJ Shares How it Evaluates Compliance Programs
When designing a compliance and ethics program, organizations want one that will not only prevent, find and fix problems, but also meet the US Department of Justice’s stringent standards if an incident occurs. To help firms do this successfully, the DOJ recently released guidance spelling out exactly what it considers when evaluating the effectiveness of a company’s compliance program.
The Evaluation of Corporate Compliance Programs is structured into questions that a prosecutor will ask to evaluate the effectiveness of the company’s compliance program – both before the incident occurs and after an incident is known. This document is intended “to assist prosecutors in making informed decisions” in corporate investigations relevant to “determining the appropriate 1.) form of any resolution or prosecution; 2.) monetary penalty, if any; and 3.) compliance obligations contained in any corporate criminal resolution.”
While we recommend reading the entire report front to back, below are five areas of focus that the guidance makes clear the DOJ expects to see in a company’s compliance program.
Training MUST be relevant, risk-based and measurable
Companies must ensure that policies and procedures have been integrated into the organization through periodic training and certification for all directors, officers, relevant employees, and where appropriate, agents and business partners. Prosecutors are also to assess whether the company has relayed information in a manner tailored to the audience’s size, sophistication or subject matter expertise. Companies will also be examined to see if the curriculum covers prior compliance incidents and how the effectiveness of training is measured (what kind of metrics/reporting is available). The guidance also instructs prosecutors to look at whether supervisors received additional training, whether employees were tested on what they learned, and how the company addresses employees who fail all or a portion of the testing.
Compliance MUST be given resources to do their jobs correctly
Perhaps one of the biggest takeaways from this document is the evaluation of whether the compliance department is properly resourced. In fact, the word “resource” appears 21 times throughout the 18-page report. This includes whether compliance has 1.) sufficient seniority within the organization, 2.) sufficient resources, namely staff to effectively undertake auditing, documentation and analysis, and 3.) sufficient autonomy from management, such as direct access to the board of directors or the board’s audit committee. One of the most interesting questions prosecutors are to ask is “Have there been times when requests for resources by compliance and control functions have been denied, and, if so, on what grounds?”
Employees MUST have an easy way to seek guidance on misconduct
Another hallmark of a well-designed compliance program is the existence of an efficient and trusted mechanism by which employees can anonymously or confidentially report allegations of a breach of the company’s code of conduct, company policies or suspected or actual misconduct. Prosecutors are instructed to look for a complaint-handling process that includes proactive measures to create a workplace atmosphere without fear of retaliation, appropriate processes for the submission of complaints and processes to protect whistleblowers.
Companies MUST adopt stringent third-party controls
According to the report, a company’s third-party due diligence practices are a huge factor that prosecutors should assess to determine whether the compliance program is in fact able to “detect the particular types of misconduct most likely to occur in a particular corporation’s line of business.” Not only should the company ensure that contract terms provide a description of the work to be provided, but follow-up should be done to ensure that the work is actually being performed and that the payment terms are appropriate.
Compliance MUST improve and evolve over time
A company’s business changes over time, as do the environments in which it operates, the nature of its customers, the laws that govern its actions and the applicable industry standards. Accordingly, prosecutors should consider whether the company has engaged in meaningful efforts to review its compliance program and ensure it is not stale and that the program is working properly, as intended. In evaluating this component, prosecutors are to consider “revisions to corporate compliance programs in light of lessons learned.”