On June 1, 2020, the Department of Justice (DOJ) released Revised Guidance of Evaluation of Corporate Compliance Programs, June 2020. The revised guidance updates their April 2019 Guidance, providing prosecutors a framework for evaluating the effectiveness of a compliance program. The guidance also offers practical insights for compliance professionals to consider as they review and update their programs.
Key Themes and Revisions
The guidance clearly demonstrates that DOJ’s expectations continue to rise. Below we have highlighted the key themes that the DOJ has focused on in their revisions. The language from the Guidance is provided in italics and new/changed language is provided in blue italics for emphasis. We also have provided a redlined version of the document here.
One Size Does Not Fit All. While the DOJ continues to provide general insight and guidance on what they expect of corporate compliance programs, they recognize that each situation will vary: “In any particular case, the topics and questions set forth below may not all be relevant, and others may be more salient given the particular facts at issue and the circumstances of the company.” They further outline the various factors that they will consider in assessing each case. These include, but are not limited to “the company’s size, industry, geographic footprint, regulatory landscape, and other factors, both internal and external to the company’s operations, that might impact its compliance program.” Each of these should be considered as the program is developed and evolves.
Structured, Not Static — Program Evolution and Continuous Improvement. While the DOJ will consider individual circumstances, they continue to focus on whether a program is well designed, applied earnestly and in good faith, adequately resourced and empowered to function effectively, and works in practice. They have added significant emphasis to the fact that this is an ongoing process and the compliance program should continue to evolve and improve: “prosecutors should endeavor to understand why the company has chosen to set up the compliance program the way that it has, and why and how the company’s compliance program has evolved over time.” They go on to state that a corporate compliance program should be evaluated “both at the time of the offense and at the time of the charging decision and resolution.”
Clearly, the DOJ expects programs to evolve over time to address changing risks and circumstances. They further expand on the concept adding a Lessons Learned section asking, “Does the company have a process for tracking and incorporating into its periodic risk assessment lessons learned either from the company’s own prior issues or from those of other companies operating in the same industry and/or geographical region?” This question highlights the expectation that companies should not only address their own experience, but also learn from other similarly situated companies. They further expand the topic to ensure companies are investing in continued development of their personnel with the following new question: “How does the company invest in further training and development of the compliance and other control personnel?” Finally, they take the concept to Mergers and Acquisitions with a focus on not only conducting pre-acquisition due diligence, but also continuing into the integration process.
Risk Assessment. Tightly coupled with the concept of an evolving program is an effective risk assessment process. The revisions expand on the DOJ’s prior guidance that each company’s risk profile and associated solutions justify evaluation. As outlined above, they call out specific factors to consider including “the company’s size, industry, geographic footprint, regulatory landscape, and other factors, both internal and external to the company’s operations.” They further build on the concept of program evolution with two new questions: “Is the periodic review limited to a “snapshot” in time or based upon continuous access to operational data and information across functions? Has the periodic review led to updates in policies, procedures, and controls?” The DOJ emphasizes that the identification of risk factors should be continuous and result in updates to policies, procedures, and controls. Prosecutors will clearly be focusing on continuous risk assessment processes and whether they address the companies’ specific compliance risks, not just the companies’ general risk profile. As companies conduct these assessments, they should draw upon key stakeholders and multiple data sources from across the organization.
Data Use and Access. With this new addition, the DOJ is specifically calling out the increasingly important role data and technology play in the effective management of a compliance program. A new Data Resources and Access section under Autonomy and Resources was added with questions: “Do compliance and control personnel have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls, and transactions? Do any impediments exist that limit access to relevant sources of data and, if so, what is the company doing to address the impediments?” Prosecutors will be focused on the availability and use of data for monitoring and testing and how impediments to that data are being addressed. As outlined above, they also stress the need to continuously access operational data and information across functions and use the data to identify risks and update and continuously improve policies, procedures and controls.
Adequately Resourced and Empowered. Going hand-in-hand with an effective and evolving program is ensuring adequate resources and empowerment of the people that must execute the program. The DOJ expanded on their prior guidance with new language for prosecutors to consider whether a program “being implemented is adequately resourced and empowered to function effectively” and whether the program is being applied earnestly and in good faith. The guidance further states “even a well-designed compliance program may be unsuccessful in practice if implementation is lax, under-resourced, or otherwise ineffective.” The DOJ will clearly be reviewing the resources (human, financial and technological) dedicated to implementing the program. It will also take into consideration the power and authority given to the compliance department in determining if the program functions effectively and works in practice or is just a paper program.
Organizational Justice. Finally, the DOJ added a new question, “Does the compliance function monitor its investigations and resulting discipline to ensure consistency?” A fair and consistently applied program is critical for organizational justice and for the success of an effective compliance program. Where implementation, execution or misconduct are treated differently across an organization’s program, it undermines trust in the compliance program and leadership. That lack of trust can lead to an ineffective program and a broken culture.
The DOJ is clearly setting high expectations that programs should be well designed and continue to evolve over time. As you manage and evolve your program, can you answer “yes” to the following questions? If not, what are you doing to address them?
- Can you demonstrate how your program was designed and is evolving to address changing risks, circumstances and lessons learned?
- Do you have an effective risk assessment process that addresses the companies’ compliance risks and overall risk profile, driving updates to the compliance activities?
- Do you have continuous access to compliance and operational data necessary to effectively run your program?
- Is your program adequately funded and your team empowered to be effective?
- Is your compliance program fairly and consistently applied?