DOJ Refreshes Guidance Document on Evaluation of Corporate Compliance Programs
Even before April’s release of the Department of Justice (DOJ) Criminal Division’s 2019 Evaluation of Corporate Compliance Programs (2019 Guidance), those operating within highly-regulated industries like government contracting and health care knew the importance of having an effective, well-tailored compliance program. Largely tracking the DOJ Fraud Section’s 2017 Guidance (our discussion of the 2017 document is available here), the new, longer 2019 Guidance adds more detailed examples to aid federal prosecutors in evaluating compliance programs. By making this information public, DOJ is providing companies a blueprint for the design, implementation, and evaluation of those programs that will satisfy the scrutiny of a criminal investigation.
Assistant Attorney General Brian Benczkowski announced the 2019 Guidance during a speech at the Ethics and Compliance Initiative 2019 Annual Impact Conference as an effort to “better harmonize” prior guidance and legal standards and “better explain what [DOJ] examine[s] when evaluating a company’s compliance program and culture.” While the foundational principles are consistent with – if not identical to – concepts found in DOJ’s Justice Manual, the 2012 FCPA Guide, and the United States Sentencing Guidelines, the 2019 Guidance is primarily structured around three questions:
(1) Is the program well-designed?
(2) Is the program being applied earnestly and in good faith?
(3) Does the program actually work in practice?
In unpacking those questions over 18 pages from the perspective of a federal prosecutor, the 2019 Guidance identifies the hallmarks of quality compliance programs. Below is a summary of those key questions and the key factors DOJ will examine when formulating the answers and making charging decisions.
1. Is the Compliance Program Well Designed?
Consistent with prior guidance, DOJ will look to see if the program is well thought out and tailored to real-life risks that a specific entity may face. In doing so, DOJ wants to understand how a company created and tested its program, and whether the company has learned from past mistakes and made appropriate changes. In that vein, federal prosecutors will ask, among other questions, if the program sends “a clear message that misconduct is not tolerated” and is “well integrated into the company’s operations and workforce.” The following are specific areas DOJ prosecutors will focus on to answer this key question.
a. Risk Assessment
What methodology has the company used to identify, analyze and address the particular risks it faced? Does the company collect information and metrics to adequately assess risks, and what types of metrics? Does the company disproportionately focus on low-risk areas instead of high-risk areas? Does the company update its risk assessments regularly?
b. Policies and Procedures
A company MUST have an appropriate Code of Conduct and procedures. Additional questions DOJ will ask when assessing whether such policies are appropriate include: What is the company’s process for designing and implementing new procedures? Are the policies and procedures comprehensive? Have they been properly communicated? Do key gatekeepers know their unique roles in ensuring compliance with the policies?
c. Training and Communications
Training only works if it is right-sized for a company’s operations and appropriate for the target audience. Questions prosecutors will ask include: What training was in place and is it properly tailored for high-risk or control employees? Is the training offered in the right form and language for the target employees? How does the company communicate to employees about any misconduct that does occur? Are employees properly informed about the availability of additional guidance?
d. Confidential Reporting and Investigation
Both the Justice Manual and the Sentencing Guidelines emphasize confidential reporting mechanisms or “whistleblower hotlines” as indicative of good corporate governance. In turn, DOJ also expects that companies will effectively investigate reports of misconduct. To that end, prosecutors will ask: Does the company have an effective way of collecting and analyzing allegations of misconduct? Does the company ensure that investigations have been properly scoped, conducted, and documented? Did the investigation look to root causes of the misconduct? Did the investigation go to sufficiently high levels of the company? Does the company apply timing metrics to ensure responsiveness? Are investigations properly tracked, analyzed, and used to detect patterns of misconduct, and to update the compliance program?
e. Third Party Management
Third-party issues, such as agency relationships, can be difficult for companies to manage. But as many FCPA resolutions highlight, failing to address these issues both on the front-end and throughout a contractual relationship exposes entities to risks related to conduct by individuals outside of its control. Questions involving third-party risk include: Did the third-party management process adequately analyze risk? How does the company ensure there is an appropriate business rationale for using third-parties? Are there appropriate controls over third-parties? How has the company considered and analyzed the third-party’s compensation and incentive structures against compliance risks? Does the company adequately track and respond to red flags in the third-party relationship? Has the company suspended, terminated, or audited a third-party as a result of compliance issues?
f. Mergers and Acquisitions (M&A)
M&A is an area of particular focus for DOJ. Failing to do proper pre-acquisition due diligence or address known problems at a target company can expose an acquiring company to civil and criminal liability, as well as reputational damage. If misconduct is discovered after a merger, DOJ will ask: Was there proper due diligence during the M&A process? Was there proper remediation of issues discovered through due diligence? How has the compliance function been integrated into the M&A process?
2. Is the Compliance Program Being Implemented Effectively?
A key take-away from this section of the 2019 Guidance is that compliance programs must be fluid and constantly reevaluated as the particular risks a company faces evolve. Static programs that fail to address new business lines or operations in new parts of the world are neither “well designed” nor “implemented effectively.” If a compliance program is just a “paper program” that is written and put on the shelf to collect dust, it neither serves its purpose nor provides any defense in the event of a criminal investigation.
a. Commitment by Senior and Middle Management
Tone at the top is a frequent refrain from DOJ (and SEC). There must be a shared commitment to compliance supported by action. This extends not only to management but also the board of directors. In evaluating the “tone at the top,” DOJ will ask: Did senior managers, through their words and actions, encourage or discourage compliance? What concrete actions have senior leaders and middle management taken to demonstrate commitment? Does the board of directors have access to the right expertise in performing its oversight function?
b. Autonomy and Resources
DOJ’s former Compliance Counsel repeatedly emphasized the importance of ensuring that a corporation’s compliance function is adequately resourced and valued within the organization. To that point, DOJ will ask: Does the compliance function, including internal audit, have the right resources and sufficient seniority within the company to perform effectively? Do compliance personnel have the appropriate experience and qualifications? Are compliance personnel dedicated to compliance or do they have other responsibilities, and to whom do they report? Does compliance have appropriate independence, such as direct access to the board of directors or the board’s audit committee?
c. Incentives and Disciplinary Measures
A compliance program cannot be effective if employees and management either do not know what happens if they violate it, or view consequences for violations as hollow threats. To that end, DOJ will ask: Is there proper accountability as demonstrated by discipline for managers under whose watch misconduct occurred? Are there legal or investigation-related reasons for restricting information, or have pre-textual reasons been provided to protect the company from whistleblowing or outside scrutiny? Is the application of discipline consistent? Is there an incentive program for good compliance and ethical behavior? Can the company point to specific examples of actions taken (promotions or awards denied) as a result of compliance and ethics considerations?
3. How Does the Compliance Program Work in Practice?
DOJ recognizes that “the existence of misconduct does not, by itself, mean that a compliance program did not work or was ineffective at the time of the offense.” However, when misconduct is found, DOJ wants to see that the company’s investigation into that misconduct included an adequate and honest root cause analysis to understand what happened and the remediation needed.
a. Continuous Improvement, Periodic Testing, and Review
Continuing with the theme that compliance programs should be alive, not static, DOJ will ask: What are the program’s processes for determining when to conduct internal audits, and how are they carried out? What types of audits would have identified the misconduct at issue and were they conducted? Did management and the board follow up on audit findings and failures? Does the company test its controls? Does the company routinely update its compliance program and make sure it adequately addresses current risks?
b. Analysis and Remediation of Underlying Misconduct
Compliance programs must evolve to prevent the re-occurrence of bad events. Evolution requires learning from past mistakes; after an incident a corporation must do an analysis to see if there was a systematic failure in compliance. To that end, prosecutors will ask: Did the company miss prior opportunities to detect the misconduct? Has the company evaluated why those opportunities were missed? What remediation was undertaken once a problem was discovered? What specific changes has the company made to reduce the risk of a reoccurrence?
While the 2019 Guidance is not at all new, this iteration is an important tool for companies in that it enables them to “begin with the end in mind” when crafting, testing, and revising their compliance programs. No compliance program is perfect, nor can any compliance program guarantee that there will be no bad actors. However, by publicizing the questions federal prosecutors will ask when the inevitable failure happens, DOJ has placed companies in a better position to shape their compliance programs so the answers to those questions result in positive outcomes.