Off-the-Shelf Compliance Programs Are Insufficient
The cornerstone of a compliance program is whether it is intentionally designed and implemented to address a company’s particular risk profile. It is not sufficient for a company to appoint a compliance officer, adopt generic “industry-specific” compliance policies, and call it a day. The DOJ expects that companies conduct targeted risk assessments and develop policies and programs tailored to the risks inherent in their business.
Among other things, companies should consider (because prosecutors will evaluate) whether policies and procedures to detect questionable activity are designed with the company’s unique operating infrastructure in mind (e.g., whether accounting controls conform to the company’s accounting software). Prosecutors will consider the strength of a company’s code of conduct, how it is communicated throughout the organization and how employees are trained on its principles, whether it is clear how employees can report potential violations (and whether they can do so confidentially), and how such reports are reviewed, investigated, and addressed. There should also be a process to track and implement program changes based on “near misses” and “lessons learned.”
For companies that conduct business internationally, where risks often loom large, it is critical to have a process in place to ensure that vendors, joint-venture parties, and other third parties adhere to the company’s code of conduct. Because companies can be held liable for the wrongdoing of third parties acting on the company’s behalf, the DOJ expects companies to conduct due diligence into their business partners and demand contract language binding third parties to the company’s compliance principles. Companies should also ensure that third-party employees are adequately trained on compliance requirements and have a way to report wrongdoing anonymously. Finally, companies must have a mechanism for investigating and remediating wrongdoing by third parties, which may require terminating the business relationship.
Put Your Company’s Money Where Its Mouth Is
The DOJ guidance makes clear what has been known for some time: “Prosecutors are instructed to probe specifically whether a compliance program is a ‘paper program’ or one ‘implemented, reviewed, and revised, as appropriate, in an effective manner.’” In short, for a compliance program to be effective, it must be “adequately resourced and empowered.” This means corporate leadership must set the tone by, at a minimum:
- encouraging compliance and demonstrating commitment to compliance personnel, including their remediation efforts and disciplinary recommendations;
- ensuring the compliance function is adequately funded and staffed to undertake necessary and effective risk assessment, documentation, auditing, and training; and
- giving compliance personnel necessary autonomy and access to decision-makers.
In this vein, the guidance notes that a “hallmark of effective implementation of a compliance program is the establishment of incentives for compliance and disincentives for non-compliance.” Accordingly, companies may want to consider including cooperation with compliance efforts as a factor in management evaluation and compensation.
Additionally, the DOJ expects companies to invest adequate resources in their compliance programs. If a company has not invested in a targeted risk assessment recently (or ever) or does not conduct thorough and searching investigations, provide adequate training to employees who are in a position to create risk, or revise its compliance programs as problems arise, then prosecutors will not look favorably on that company if it finds itself in the DOJ’s crosshairs.
OK, But Does It Work?
The final fundamental inquiry is succinctly addressed in the DOJ guidance:
In assessing whether a company’s compliance program was effective at the time of the misconduct, prosecutors should consider whether and how the misconduct was detected, what investigation resources were in place to investigate suspected misconduct, and the nature and thoroughness of the company’s remedial efforts. To determine whether a company’s compliance program is working effectively at the time of a charging decision or resolution, prosecutors should consider whether the program evolved over time to address existing and changing compliance risks.
Just as an off-the-shelf compliance program is insufficient from the start, the most brilliantly designed and funded program will be deemed inadequate if it is put on the shelf and not implemented. While no compliance program can guarantee 100 percent compliance, the effectiveness of a program can be judged by how it improves and changes over time and in response to incidents and new or newly identified risks. The DOJ guidance makes clear that compliance should be viewed as an iterative process, and its reporting, training, auditing, investigating, and remediating functions must be integrated into a company’s day-to-day business activities and culture.
Following this guidance is not only a way to potentially avoid legal scrutiny; it should also be considered part of best practices.