Department of Justice Issues Updated Guidance on Evaluation of Corporate Compliance Programs
The Department of Justice’s (DoJ) April 2019 updated Guidance on the Evaluation of Corporate Compliance Programs offers some insights on how government prosecutors think about corporate compliance and what factors they will consider in determining whether a compliance program is properly designed and operating effectively both at the time of the offense and at the time of a charging decision. While not a major departure from the substance of the Guidance’s last (2017) iteration, it does provide some additional detail. Much has been written about the Guidance and we will not go through it line by line here. Instead, here are a few key takeaways.
Risk assessment is the key to an effective program.
Risk assessment has been given particular prominence in the updated Guidance – moving to the first topic discussed. “The starting point for a prosecutor’s evaluation of whether a company has a well-designed compliance program is to understand the company’s business from a commercial perspective, how the company has identified, assessed, and defined its risk profile, and the degree to which the program devotes appropriate scrutiny and resources to the spectrum of risks.” Companies will be expected to keep risk assessments updated and to focus on the highest risks and those risks most likely to occur. Prosecutors can give credit to a program that devotes appropriate attention to these risks “even if it fails to prevent an infraction in a low-risk area.”
Third party risk still looms large.
A company’s third-party management practices have been and will continue to be among the most heavily scrutinized aspects of its compliance program. Along with risk-based due diligence, prosecutors will “assess whether the company engaged in ongoing monitoring, training, audits, and/or annual compliance certifications” by third parties. In the updated Guidance, the DoJ draws particular attention to the need for companies to have a clearly articulable business rationale for using a third party in the first instance and, on the back end, to have controls in place to ensure that third parties who do not survive the due diligence process – or who are terminated post-contract – do not show up again at a later date.
Compliance incentives and disincentives are important.
Clear, rational and consistently applied disciplinary procedures are a hallmark of effective compliance. But having procedures in place is not always enough. Employees need to understand the consequences of a violation and know that companies will impose sanctions swiftly. The Guidance calls out publication of disciplinary actions, where appropriate, . . . along with “positive incentives – personnel promotions, rewards, and bonuses for improving and developing a compliance program or demonstrating ethical leadership” as drivers of compliance.
Does it work in practice? Monitoring is key.
The updated Guidance emphasizes the need to monitor program effectiveness through the use of data analytics. Whether it is measuring culture, whether policies and procedures are adequate and followed, or whether training is actually effective, the Guidance encourages measurement as the first step in continual improvement. Companies are expected to engage “in meaningful efforts to review its compliance program to ensure that it is not stale.”