The U.S. Department of Justice (DOJ) has released updated guidance on evaluating corporate compliance programs. The Evaluation of Corporate Compliance Programs updates prior guidance that was released by DOJ in February 2017.
In announcing the new guidance, Assistant Attorney General Brian A. Benczkowski characterized the update as “part of [DOJ’s] broader efforts in training, hiring, and enforcement to help promote corporate behaviors that benefit the American public and ensure that prosecutors evaluate the effectiveness of compliance in a rigorous and transparent manner.”
Benczkowski also emphasized that the new guidance is “neither a checklist nor a formula,” and that prosecutors would make an “individualized determination in each case.” While the evaluation guidance is framed as guidance for prosecutors, it nevertheless provides valuable insight for companies assessing their own compliance programs.
There isn’t much new or different in the updated guidance, but it does provide a useful, clear, and well-organized framework for evaluating compliance programs, built around three fundamental questions:
Is the program well designed?
Risk Assessments: The guidance advises prosecutors to “consider whether the compliance program is appropriate to the company and business,” but it allows them to “credit the quality and effectiveness of a risk-based compliance program that devotes appropriate attention and resources to high-risk transactions, even if it fails to prevent an infraction in a low-risk area.”
Compliance Tools: Prosecutors are advised to assess a company’s compliance tools, including codes of conduct, and to determine whether the policies and procedures effectively integrate a culture of compliance into day-to-day operations.
Due Diligence: The guidance advises prosecutors to assess a company’s efforts to conduct due diligence on all partners, from vendors and distributors to acquisition targets. Prosecutors are directed to assess whether the company is applying “appropriate scrutiny” in conducting due diligence on business partners and counterparties, and whether the compliance program is set up to “enforce its internal controls.”
Is the program effectively implemented?
Tone at the Top: The guidance advises prosecutors to review whether a company’s culture truly shows a commitment to ethics and to compliance with the law. Key to this is whether senior management clearly articulates the company’s ethical standards, is able to communicate the standards, and demonstrates adherence to these standards through leading by example.
Oversight: Prosecutors are advised to evaluate whether those charged with implementing and operating the compliance program have the personnel, resources, and autonomy to “act with adequate authority and stature to prevent, detect, and mitigate compliance concerns.”
Incentives and Discipline: The guidance advises prosecutors to assess the company’s incentives for compliance and disincentives for noncompliance, and whether those incentives and disincentives are communicated, promoted, and enforced consistently across the organization.
Does the compliance program actually work in practice?
Improvement, Testing, and Review: Prosecutors are advised to consider whether a company’s compliance program is adaptable (has the “capacity to improve and evolve”) and whether the company has engaged in meaningful efforts to review its compliance program and to assess revisions “in light of lessons learned.”
Investigation of Misconduct: The revised guidance advises prosecutors to consider whether and how company misconduct was detected, what investigative efforts were conducted, and the nature and thoroughness of the company’s remedial efforts.
Remediation Efforts: Prosecutors are advised to consider whether the company undertook an “adequate and honest root cause analysis” to evaluate what contributed to the misconduct and to determine the degree of remediation needed to prevent similar events in the future.