Boards and management should make use of recent expanded guidance from the US Department of Justice to ensure that their compliance programs are considered "effective" if and when an investigation arises. Companies should affirmatively answer three fundamental questions in evaluating a compliance program: 1) Is the compliance program well designed? 2) Is the program being implemented effectively and in good faith? 3) Does the compliance program work in practice?
On April 30, 2019, the US Department of Justice's Criminal Division (DOJ) issued new guidance to prosecutors, drawn from a number of existing departmental sources offering varying degrees of specificity, on evaluating corporate compliance programs. This guidance updates and answers questions posed in previous guidance issued in February 2017, to reflect DOJ's evolving view of compliance program effectiveness. Boards and Management should make use of DOJ's expanded guidance to ensure that their compliance programs are considered "effective" if and when an investigation arises. Companies should affirmatively answer three fundamental questions in evaluating a compliance program: 1) is the compliance program well designed? 2) is the program being implemented effectively and in good faith? and 3) does the compliance program work in practice?
The DOJ details specific factors that prosecutors should consider when investigating corporations and other organizations in the Justice Manual's "Principles of Federal Prosecution of Business Organizations." These factors include "the adequacy and effectiveness of the corporation's compliance program" at both the time of the offense and the time of the charging decision, and remedial efforts to "implement an adequate and effective corporate-compliance program or to improve an existing one." DOJ's 2017 guidance offered some general questions to help prosecutors make such an assessment—although it did not provide prosecutors with corresponding answers on compliance program effectiveness.
The "effectiveness" of compliance programs also currently appears in other DOJ policy memoranda and federal sentencing guidelines, but without substantial guidance as to what prosecutors should deem effective. Specifically, Sections 8B2.1, 8C2.5(f) and 82C.8(11) of the US Sentencing Guidelines provide that consideration should be given to whether a corporation had an effective compliance program in place at the time of misconduct when calculating the appropriate fine. DOJ's memorandum on the selection of compliance monitors (the Benczkowski Memo) also instructs prosecutors to consider, at the time of resolution, whether the corporation has made "significant investments in, and improvements to, its corporate compliance program and internal controls systems," and whether "remedial improvements to the compliance program" have been tested to demonstrate that the program would prevent or detect similar misconduct.
DOJ's new expanded guidance provides more specific factors for federal prosecutors to consider when determining whether a company deserves settlement credit through a demonstrated commitment to compliance. While broadly mirroring information in the Justice Manual, past DOJ memoranda and guidance, the federal sentencing guidelines, and many DOJ Deferred Prosecution Agreements and Non-Prosecution Agreements, the updated guidance provides more detail to assist prosecutors in making informed decisions about whether a corporation's compliance program was effective at the time of the offense and is effective at the time of a charging decision or resolution. Just as importantly, the updated guidance allows corporate boards and executives to make a similar assessment and to address any shortcomings in their organization's compliance program.
DOJ acknowledges that there is no "rigid formula" when it comes to assessing compliance programs. A company should tailor its compliance program to its specific risk profile. In doing so, however, compliance officers, board members and corporate executives should keep in mind that prosecutors will ask three "fundamental" questions in making an assessment of a company's compliance program:
1. Is the corporation's compliance program well
DOJ takes the position that a well-designed compliance program depends on a risk assessment: has the company "identified, assessed, and defined its risk profile?" In turn, does the program devote appropriate scrutiny and resources to the range of possible risks? Prosecutors will look to whether a compliance program is appropriately designed to detect the particular types of misconduct that are likely to occur in the company's line of business, regulatory landscape and business environment. Well-designed compliance programs also should be periodically updated, often through additional risk assessments.
Under the DOJ guidance, prosecutors will next look to a company's compliance policies and procedures, including a code of conduct that sets forth the company's commitment to compliance with relevant laws. The creation of well-designed policies should involve the right people—including appropriate seniority and relevant business units. Such policies should be drafted to be comprehensive, accessible and reinforced through internal controls systems.
The DOJ guidance also expects appropriately tailored training and communications, with a focus on training employees in control functions and high-risk areas. Training and guidance should be accessible and available in appropriate languages. Employees should know the company's position concerning misconduct. Similarly, employees should have clear, accessible and confidential reporting channels for reporting misconduct—and there should be appropriate processes for investigating such reporting. Such mechanisms are considered "probative" in assessing whether a company has established mechanisms for detecting and preventing misconduct.
The DOJ guidance specifically calls out third-party management and M&A as risk areas where DOJ expects companies to have well-developed programs to assess and address potential compliance issues.
2. Is the program applied earnestly and in good faith? In other words, is the program implemented effectively?
DOJ next looks to whether a company has demonstrated a commitment to the compliance program by senior and middle management. To the government, this is perhaps one of the most important factors in assessing the effectiveness of a compliance program. Prosecutors will ask whether senior management, including the board, has "clearly articulated the company's ethical standards, conveyed and disseminated them in clear and unambiguous terms, and demonstrated rigorous adherence by example." Prosecutors will then evaluate whether middle management has reinforced those standards.
DOJ will also ask whether a compliance program has appropriate autonomy and resources, focusing on whether there is sufficient seniority and authority within the organization, sufficient resources and staff to undertake the necessary work of a well-designed compliance program (including internal audit), and sufficient autonomy from management, including access to the board or audit committee.
DOJ will also look to incentives and disciplinary measures taken in response to compliance and non-compliance, respectively. It is critical that appropriate human resources processes are developed and consistently applied.
3. Does the corporation's compliance program work in practice?
Effective compliance programs cannot exist only "on paper." They must work in practice. Prosecutors will closely review whether a program was working when misconduct was identified, especially in circumstances where misconduct was not immediately detected. While Section 8B2.1(a) of the US Sentencing Guidelines makes clear that misconduct in and of itself does not mean that a program is ineffective, the DOJ guidance indicates that prosecutors should view identification of misconduct by a compliance program as a "strong indicator that the compliance program was working effectively." Prosecutors will consider whether and how the company detected potential misconduct, what resources were in place to investigate the potential misconduct, and the "nature and thoroughness of the company's remedial efforts."
Prosecutors will evaluate whether a compliance program continued to improve and evolve through ongoing risk assessment, periodic testing and review. Internal audit should conduct periodic compliance audits based on identified risks, compliance controls should be tested, and gap assessments should be undertaken from time to time.
Finally, companies must undertake analysis and remediation of identified underlying misconduct. Root cause analyses are a key component of determining the appropriate scope and extent of remediation when compliance violations are identified.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.