The U.S. Department of Justice (DOJ) has updated its Evaluation of Corporate Compliance Programs guidance detailing how federal prosecutors should measure corporate compliance programs in deciding whether to pursue corporations criminally for alleged wrongdoing. While much of the DOJ’s guidance remains unchanged from prior versions, the update emphasizes the need for companies to develop “dynamic” compliance programs that are adequately resourced to evolve and respond to identified risks. It also focuses on the need for a “culture of compliance” from corporate executives to frontline employees, all of whom can create exposure for companies.
Federal prosecutors have long factored the strength of corporate compliance programs in making charging decisions and evaluating possible penalties. Companies with strong compliance programs are better positioned to argue for lenient treatment, including noncriminal resolutions and lower penalties, than companies that do not have an organized effort to identify and seek to address risk. Companies with weak compliance programs take an expensive gamble that can end up costing them millions and sometimes billions of dollars when things go wrong. Heeding this guidance, and investing resources where it makes sense, can be the difference in whether a company survives a government investigation.
The revised guidance builds on three “fundamental questions” for prosecutors to “evaluate the company’s performance on various topics” that the DOJ “has frequently found relevant in evaluating a corporate compliance program both at the time of the offense and at the time of the charging decision and resolution.”
The three fundamental questions for assessing the strength of a company’s compliance program are:
- Is the corporation’s compliance program well designed?
- Is the program being applied earnestly and in good faith? In other words, is the program adequately resourced and empowered to function effectively?
- Does the corporation’s compliance program work in practice?
While not intended as a checklist, the DOJ guidance lists a series of topics of inquiry that guide prosecutors as they evaluate a company’s compliance program. In turn, the guidance provides insight for companies to design, revise, and implement their own programs to ensure that they proactively identify and mitigate risks, and reactively investigate and remediate problems as they arise.
Off-the-Shelf Compliance Programs Are Insufficient
The cornerstone of a compliance program is whether it is intentionally designed and implemented to address a company’s particular risk profile. It is not sufficient for a company to appoint a compliance officer, adopt generic “industry-specific” compliance policies, and call it a day. The DOJ expects that companies conduct targeted risk assessments and develop policies and programs tailored to the risks inherent in their business.
Among other things, companies should consider (because prosecutors will evaluate) whether policies and procedures to detect questionable activity are designed with the company’s unique operating infrastructure in mind (e.g., whether accounting controls conform to the company’s accounting software). Prosecutors will consider the strength of a company’s code of conduct, how it is communicated throughout the organization and how employees are trained on its principles, whether it is clear how employees can report potential violations (and whether they can do so confidentially), and how such reports are reviewed, investigated, and addressed. There should also be a process to track and implement program changes based on “near misses” and “lessons learned.”
For companies that conduct business internationally, where risks often loom large, it is critical to have a process in place to ensure that vendors, joint-venture parties, and other third parties adhere to the company’s code of conduct. Because companies can be held liable for the wrongdoing of third parties acting on the company’s behalf, the DOJ expects companies to conduct due diligence into their business partners and demand contract language binding third parties to the company’s compliance principles. Companies should also ensure that third-party employees are adequately trained on compliance requirements and have a way to report wrongdoing anonymously. Finally, companies must have a mechanism for investigating and remediating wrongdoing by third parties, which may require terminating the business relationship.
Put Your Company’s Money Where Its Mouth Is
The DOJ guidance makes clear what has been known for some time: “Prosecutors are instructed to probe specifically whether a compliance program is a ‘paper program’ or one ‘implemented, reviewed, and revised, as appropriate, in an effective manner.’” In short, for a compliance program to be effective, it must be “adequately resourced and empowered.” This means corporate leadership must set the tone by, at a minimum:
- encouraging compliance and demonstrating commitment to compliance personnel, including their remediation efforts and disciplinary recommendations;
- ensuring the compliance function is adequately funded and staffed to undertake necessary and effective risk assessment, documentation, auditing, and training; and
- giving compliance personnel necessary autonomy and access to decision-makers.
In this vein, the guidance notes that a “hallmark of effective implementation of a compliance program is the establishment of incentives for compliance and disincentives for non-compliance.” Accordingly, companies may want to consider including cooperation with compliance efforts as a factor in management evaluation and compensation.
Additionally, the DOJ expects companies to invest adequate resources in their compliance programs. If a company has not invested in a targeted risk assessment recently (or ever) or does not conduct thorough and searching investigations, provide adequate training to employees who are in a position to create risk, or revise its compliance programs as problems arise, then prosecutors will not look favorably on that company if it finds itself in the DOJ’s crosshairs.
OK, But Does It Work?
The final fundamental inquiry is succinctly addressed in the DOJ guidance:
In assessing whether a company’s compliance program was effective at the time of the misconduct, prosecutors should consider whether and how the misconduct was detected, what investigation resources were in place to investigate suspected misconduct, and the nature and thoroughness of the company’s remedial efforts. To determine whether a company’s compliance program is working effectively at the time of a charging decision or resolution, prosecutors should consider whether the program evolved over time to address existing and changing compliance risks.
Just as an off-the-shelf compliance program is insufficient from the start, the most brilliantly designed and funded program will be deemed inadequate if it is put on the shelf and not implemented. While no compliance program can guarantee 100 percent compliance, the effectiveness of a program can be judged by how it improves and changes over time and in response to incidents and new or newly identified risks. The DOJ guidance makes clear that compliance should be viewed as an iterative process, and its reporting, training, auditing, investigating, and remediating functions must be integrated into a company’s day-to-day business activities and culture.
Following this guidance is not only a way to help potentially avoid legal scrutiny; it should also be considered part of best practices.