The US Department of Justice (DOJ) updated its guidance document, in April 2019, titled “Evaluation of Corporate Compliance Programs.” The document is meant to assist prosecutors to make informed decisions as to whether, and to what extent, the corporation’s compliance program was effective at the time of offense and if it is effective at the time of resolution and to determine the appropriate 1) form of resolution or prosecution; 2) monetary penalty, if any; and 3) monitoring or reporting obligations contained in resolution.
Although the DOJ notes that is does not use a “rigid formula” to assess the effectiveness of corporate compliance program, the document indicates that are three “fundamental questions” to be asked by prosecutors.
The guidance offers valuable awareness for compliance professionals in that prosecutors will apply significant weight to compliance programs when determining whether to charge, fine or impose compliance obligations on organizations that have engaged in wrongdoing.
Fundamental Questions and Their Answers
1) Is the Compliance Program Well-Designed?
The critical determination is whether an organization’s compliance program is appropriately designed to detect the types of misconduct that are most likely to occur in the company’s line of business. Examine a company’s policies and procedures to ensure that they address key compliance risks and that they are effectively communicated to employees through regular trainings. Also, determine whether a company has a system for the confidential reporting of potential violations, as well as for investigating such reports. Lastly, determine whether a compliance program includes procedures for performing meaningful due diligence with third-party management and/or mergers and acquisitions.
2) Is the Compliance Program Implemented Effectively?
Even a well-designed compliance program can be unsuccessful if implementation is ineffective. Therefore, determine whether an organization’s compliance program is “implemented, reviewed, and revised, as appropriate in an effective manner.” In addition, determine “whether the organization has provided for a staff sufficient to audit, document, analyze, and utilize the results of the compliance efforts.” Also, determine whether management has clearly articulated the company’s ethical standards, demonstrated adherence to these standards, and encouraged employees to follow them. An organization should also evaluate whether the employees, who are responsible for compliance, have sufficient experience, seniority, resources, and autonomy. Lastly, organizations should assess what happens should compliance issues be detected—i.e., whether the organization has established incentives for compliance and disincentives for non-compliance (disciplinary procedures in place), and whether these procedures are consistently and effectively enforced, and whether the company’s compliance program is adapted or revised, as necessary.
3) Does the Compliance Program Work In Practice?
One of the most difficult things to do after misconduct has occurred is to try to determine whether a compliance program was working effectively, especially if the misconduct was not immediately detected. The guidance document notes that “the existence of misconduct does not, by itself, mean that a compliance program did not work or was ineffective at the time of the offense.” In order to assess whether a compliance program was effective at the time that misconduct occurred, organizations should consider, “whether and how the misconduct was detected, what investigation resources were in place to investigate suspected misconduct, and the nature and thoroughness of the company’s remedial efforts.” Also, consider whether and how an organization’s compliance program “evolved over time to address existing and changing compliance risks.” Consider any remedial actions taken by an organization upon the discovery of misconduct, including disciplinary actions against violators and the implementation of measures to reduce the risk of repeating the misconduct, including measures to identify “future risk.”
It would be prudent for compliance professionals and organization’s management to pay attention to DOJ’s new guidance. The guidance document is a reminder to companies of the ever-increasing emphasis that DOJ places on compliance. It is easily the most detailed communication of how DOJ will analyze corporate compliance programs when determining whether criminal charges, fines, or compliance obligations are justified.
Whether an organization is under DOJ’s scrutiny or not, the guidance document is for those organizations who are looking to build an effective compliance program that will be viewed favorably in the event of a future investigation. Organizations should make every effort to design compliance programs that comply with the guidance document. Compliance programs should be revised over time in order to reflect organizations business changes.
For more information, contact Rodney Farley at 717-213-3123 or email RFarley@LW-Consult.com.