DOJ Releases Updated Guidance Regarding Evaluation of Corporate Compliance Programs
The guidance also provides corporations with a roadmap for creating and implementing a successful compliance structure. Importantly, the guidance makes clear that a compliance program, in name only, is not enough to shield a company from further government action or to minimize potential penalties; rather, compliance programs must be designed, implemented, and operated for the purpose of rooting out and addressing misconduct. Companies should be able to demonstrate the thought and rationale behind various aspects of the program in order to establish their commitment to compliance.
The existence of an effective compliance program has long been a factor in determining whether and how to prosecute corporations, and the nature and extent of potential penalties in the event of a settlement. Although there is no specific formula for evaluating compliance programs, prosecutors are instructed to ask three “fundamental questions”:
(1) Is the corporation’s compliance program well designed?;
(2) Is the program being applied earnestly and in good faith (i.e., effectively)?; and
(3) Does the corporation’s compliance program work in practice?
The new guidance expands on these three questions in narrative form, and highlights relevant nuances through a series of questions that prosecutors should ask when evaluating a compliance function.
The 16-page guidance outlines in great detail what the DOJ believes to be the “gold standard” in terms of compliance functions. However, there are certain thematic takeaways:
(1) compliance programs should be founded on a comprehensive assessment of the particular risks a company faces and should be tailored to address those risks;
(2) compliance programs should be periodically updated, tested and improved;
(3) compliance programs must actually be implemented, with full integration into the day-to-day operations and culture of a company through appropriate policies and procedures, training, and communication; and
(4) all decisions relating to the compliance function and how it operates should be considered and justified.
At bottom, a compliance program cannot — and should not — be the result of mere afterthought. A good compliance program is the first line of defense against misconduct, and is often the last line of defense against criminal prosecution. Companies should consult the guidance, ensure that their compliance programs adhere to the standards identified by DOJ, and make changes to existing programs as necessary.
For a summary of the specific factors outlined in the new guidance, see below.
I. Is the Corporation’s Compliance Program Well-Designed?
Federal prosecutors are instructed to consider the comprehensiveness of a compliance program as well as whether the program is integrated into the company’s operations and workforce. A well-designed program, according to the new guidance, assesses and addresses high-risk areas, is incorporated into a company’s daily operations via policies and procedures, is implemented through training and communication, includes a confidential reporting structure and investigation process, extends to third-party relationships, when appropriate, and requires comprehensive due diligence of acquisition targets.
The following are hallmarks of a well-designed compliance program:
A. Risk Assessment
Risk Management Process — The company has analyzed the particular types of misconduct likely to occur in the company’s particular line of business and regulatory environment, including the varying risks presented by, for example, the location of its operations, the industry sector, the competitiveness of the market, the regulatory landscape, potential clients and business partners, transactions with foreign governments, payments to foreign officials, use of third party gifts, travel, and entertainment expenses, and charitable and political donations.
Risk-Tailored Resource Allocation — The compliance program is tailored to address the particular risks likely to occur and allocates appropriate time and resources to policing high-risk areas as opposed to devoting a disproportionate amount of resources to low-risk areas.
Updates and Revisions — The compliance program is periodically reviewed and updated in light of previous misconduct, lessons learned, and regulatory developments.
B. Policies and Procedures
Design — The company’s process for designing policies and procedures involves consulting the appropriate business units and individuals.
Comprehensiveness — The company monitors and implements policies and procedures that reflect and address the specific risks it faces, including changes in the legal and regulatory landscape.
Accessibility — The company has communicated its policies and procedures to all employees and relevant third parties, in the appropriate language(s).
Responsibility for Operational Integration — The company has designated individuals or departments responsible for integrating policies and procedures, ensuring that policies and procedures are communicated to employees in a manner they understand, and that they are reinforced through the company’s internal control systems.
Gatekeepers — The individuals responsible for implementing the compliance program and the key gatekeepers in the control processes (e.g., those with approval authority or certification responsibilities) receive guidance and training on how to identify misconduct and when and how to escalate concerns.
C. Training and Communications
Risk-Based Training — The company has identified specific employees in relevant control functions and high-risk areas who should receive compliance training, and has provided those individuals with training tailored to the subjects and risks associated with their title and job responsibilities (e.g., supervisory employees receive different or supplementary training).
Form/Content/Effectiveness of Training — Compliance training is offered in the language appropriate for the audience, and in the appropriate format (i.e., in-person, online, or both), and the company has a rationale for the format it chooses. Compliance training addresses lessons learned from prior incidents and is tailored to educate the audience about the particular misconduct they are likely to encounter. Additionally, employees are tested on what they have learned, the company has a procedure for addressing employees who fail the testing, and the company has mechanisms for measuring the effectiveness of the training.
Communications about Misconduct — Senior management of the company should clearly communicate the company’s position concerning misconduct and the discipline associated with different types of misconduct.
Availability of Guidance — The company makes available to employees guidance related to compliance policies and assesses whether its employees know when to seek advice and whether they are willing to do so.
D. Confidential Reporting Structure and Investigation Process
Effectiveness of the Reporting Mechanism — The company has an anonymous reporting mechanism that is publicized to the company’s employees. In addition, the company analyzes the effectiveness of the reporting mechanism by reviewing the seriousness of the allegations reported and whether the compliance function has full access to reporting and investigative information.
Properly Scoped Investigations by Qualified Personnel — The company has a process for determining which complaints or red flags merit further investigation and for ensuring that investigations are properly scoped, independent and objective, properly conducted, and properly documented.
Investigation Response — Complaints are handled in a timely manner, and the company has a process for monitoring the outcome of investigations and for ensuring accountability for the response to any findings or recommendations.
Resources and Tracking of Results — The reporting and investigating mechanisms are sufficiently funded, and the company tracks and analyzes data to identify patterns of misconduct or compliance weaknesses.
E. Third Party Management
Risk-Based and Integrated Processes — The company’s compliance program is integrated into the relevant procurement and vendor management processes.
Appropriate Controls — The company has an appropriate business rationale for the use of third parties, and a procedure for ensuring that contract terms are sufficiently detailed, that the contracted-for services are performed, and that compensation is commensurate with services rendered.
Management of Relationships — The company evaluates compensation and incentive structures for third parties, monitors and audits third parties, and trains employees who manage third-party relationships about compliance risks.
Real Actions and Consequences — The company tracks third-party misconduct and addresses it (including by not hiring, terminating, suspending, or auditing the third party).
F. Mergers and Acquisitions (M&A)
Due Diligence Process — The company conducts a risk review of the acquired/merged entities and evaluates and addresses any misconduct or risks of misconduct identified during due diligence.
Integration in the M&A Process — The compliance function is integrated into the merger, acquisition, and integration process.
Process Connecting Due Diligence to Implementation — The company tracks and remediates misconduct or misconduct risks identified during due diligence, and implements a compliance program at the new entity.
II. Is the Corporation’s Compliance Program Being Implemented Effectively?
Federal prosecutors should also evaluate whether a compliance program is merely a “paper program” or whether it has actually been implemented and maintained in an effective manner. This involves the active participation and oversight of management. Effective implementation is demonstrated by a commitment of senior and middle management to fostering a culture of compliance at the company, dedication of appropriate authority and resources to those charged with day-to-day compliance operations, and incentives for compliance and disincentives for non-compliance.
The following are hallmarks of effective implementation:
A. Commitment by Senior and Middle Management
Conduct at the Top — Senior leaders, through their words and actions, encourage compliance and exhibit leadership in the company’s compliance and remediation efforts.
Shared Commitment — Senior leaders and middle management (e.g., business and operational managers, finance, procurement, legal, human resources) demonstrate their commitment to compliance and remediation, even in the face of competing business interests.
Oversight — Compliance expertise is available to the board of directors, and the board actively oversees the compliance and control functions through executive or private sessions with the compliance functions and through examination and supervision of investigations and remediation.
B. Autonomy and Resources
Structure — Consideration should be given to where the compliance function is housed (e.g., within the legal department, under a business function, or as an independent function reporting to the CEO and/or board), who oversees the compliance function, and whether the compliance function is run by a designated chief compliance officer or by an individual with other responsibilities in the company. Prosecutors will consider whether these structural choices accord with the size and structure of the company and the specific risks of misconduct associated with the business.
Seniority and Stature — The compliance function has appropriate compensation levels, ranks/titles, reporting lines, resources, and access to key decision-makers. Additionally, the compliance function is afforded appropriate deference in determining how to address compliance concerns.
Experience and Qualifications — Compliance and control personnel have the appropriate experience and qualifications for their roles and responsibilities.
Funding and Resources — The compliance department is provided sufficient staffing and funds to carry out its function.
Autonomy — The company takes steps to ensure the independence of compliance and control personnel.
Outsourced Compliance Functions — If the company outsources all or parts of its compliance functions, it has a justification for doing so, the company has a designated individual responsible for overseeing the external consultant with sufficient access to the external consultant, and the company has assessed the effectiveness of the outsourced process.
C. Incentives and Disciplinary Measures
Human Resources Process — The company’s human resources department has a process in place for making disciplinary decisions related to misconduct, including who participates in making the decisions, whether the same process is followed for every instance of misconduct, and whether the actual reasons for discipline are communicated to employees.
Consistent Application — Disciplinary actions and incentives are fairly and consistently applied across the company, and where similar instances of misconduct are treated differently, the company has a justification for doing so.
Incentive System — The company incentivizes compliance and ethical behavior and has analyzed the effectiveness of its incentive and rewards system.
III. Does the Corporation’s Compliance Program Work in Practice?
Federal prosecutors are instructed to consider whether the compliance program was working effectively at the time misconduct occurred. Specifically, prosecutors should consider whether the compliance program has evolved over time to address existing and changing compliance risks, whether and how misconduct is investigated, and the extent to which a company remedies misconduct and the root causes of misconduct.
The hallmarks of a working program include the following:
A. Continuous Improvement, Periodic Testing, and Review
Internal Audit — The company undertakes internal audits to identify issues relevant to risks or misconduct.
Control Testing — The company reviews and audits its compliance program by testing controls, collecting and analyzing compliance data, and interviewing employees and third parties regarding compliance.
Evolving Updates — The company regularly looks for gaps in its program and updates its risk assessments and compliance policies, procedures, and practices.
Culture of Compliance — The company measures its culture of compliance and seeks input from employees at every level to determine the perception of the company’s commitment to compliance.
B. Investigation of Misconduct
Properly Scoped Investigation by Qualified Personnel — The company has procedures in place to ensure properly scoped investigations that are independent, objective, appropriately conducted, and properly documented.
Response to Investigations — The company’s investigations are used to identify the root causes, system vulnerabilities, and accountability lapses.
C. Analysis and Remediation of Any Underlying Misconduct
Root Cause Analysis — The company conducts root cause analyses to identify systemic issues.
Prior Weaknesses — The company considers what controls failed, whether policies and procedures were effectively implemented, and whether individuals responsible for those functions should be held accountable.
Payment Systems — The company considers how the misconduct in question was funded and what process could have prevented or detected improper access to funds, and the company takes steps to improve those processes.
Vendor Management — If vendors were involved in misconduct, the company evaluates whether there are weaknesses in its process for selecting vendors.
Prior Indications — The company considers whether there were prior opportunities to detect the misconduct in question, and if so, how the opportunities were missed.
Remediation — The company has made specific changes to reduce the risk that the same or similar misconduct will occur in the future.
Accountability — The company has taken timely disciplinary actions in response to misconduct.
Arent Fox will continue to monitor developments in this area and will provide alerts and updates as warranted.