The Prosecutor's Evolving Playbook: DOJ's Rising Expectations for Compliance Programs
As a former federal prosecutor, I frequently counsel corporate clients—in both the proactive and reactive aspects of my practice—to pay close attention to the government’s enforcement playbook. Frequently, clients have a common misconception that the government “hides the ball” about what elements are needed in their compliance programs. In recent years, federal agencies in the United States have continued to remind companies of the importance of effective compliance and have continued to be transparent about their expectations.
On February 8, 2017, the Fraud Section of the United States Department of Justice (DOJ) provided another clear reminder by announcing a new policy entitled, “Evaluation of Corporate Compliance Programs.” Considering that this guidance comes directly from the new Trump Administration, and was announced after the confirmation of the new Attorney General, Jeff Sessions, company leadership should take heed. Formally, the policy will be used by prosecutors to evaluate corporate compliance programs in the aftermath of a scandal—as part of their criminal investigation and as a factor for exercising their broad enforcement discretion.
This policy both incorporates and builds upon earlier foundational standards and elements of corporate compliance programs. Among the old favorites are the elements of:
- Sound policies and procedures.
- Effective training.
- Proportional and consistent discipline.
- Constant monitoring.
- Continual improvements.
However, this new guidance goes beyond the bare bones by adding a more comprehensive checklist, which includes a total of 119 different questions that companies and boards of directors can use for re-examining and stress testing their programs.
Moving Corporate Culture from Subjective Art to Objective Science
The vast majority of companies and executives consistently claim to care deeply about corporate compliance. (Who wouldn’t, right?) Historically, the meaning of the term “corporate culture” remained elusive and very subjective. Even though it contained both elements, compliance appeared to more closely resemble an art than a science. As a result, culture and compliance were mistakenly viewed as squishy or softer subjects, which were harder to effectively measure. In short, a good corporate culture meant different things to different people. Without the tools to measure and quantify, effective compliance also remained vulnerable to being overlooked or de-emphasized, due to rationalizations from less committed or uninformed leadership.
This new policy is another example of an ongoing and important trend to move away from the subjective standards and into the realm of objective and measurable metrics, which began when the USSC’s Organizational Sentencing Guidelines were first published in 1991. As seen below, rather than speaking in platitudes or lofty generalities, the policy offers a roadmap of issues and questions that can help companies demonstrate and document that commitment.
The Functional Elements of the New DOJ Compliance Guidance
After discussing some of the earlier guidance and the context for applying its principles, the new DOJ policy on corporate compliance is organized into the following 11 different topics, each of which also contains various questions:
- Analysis and Remediation of Underlying Conduct.
- Senior and Middle Management.
- Autonomy and Resources.
- Policies and Procedures.
- Risk Assessment.
- Training and Communications.
- Confidential Reporting and Investigation.
- Incentives and Disciplinary Measures.
- Continuous Improvement, Periodic Testing, and Review.
- Third-Party Management Mergers and Acquisitions.
Interestingly, the new policy presents a series of questions but offers few answers. This approach is consistent with past guidance since there is no one-size-fits-all approach. The new policy provides far more specifics and takes a deeper dive into critical areas that include processes, systems, authority, and resources. Rather than merely summarize all of the topics and questions, which are fairly self-explanatory, the remainder of this article will present the newer elements of the new policy in the context of the four pillars of self-governance:
For purposes of cross-referencing, each of the eleven topics in the policy is included within the bullets below.
The Prevention Elements
The truest measure of a company’s commitment to compliance is what it chooses to prioritize before an investigation begins. Rather than merely point to written policies (i.e., what the company “says”), the proof lies in what the company chooses to “do” (i.e., what it measures, what it funds, and what it incentivizes). Accordingly, the new compliance policy guidance highlights the importance of the preventive aspects of compliance through the following topics (which include references to the numbered elements of the new policy):
- A positive and authentic compliance “culture,” which includes demonstrable evidence of:
- A “shared commitment” to compliance throughout the organization [Topic #2].
- Properly delegated ownership and accountability [Topic #2].
- Employee empowerment [Topic #3].
- Strong, explicit, and visible support for the program, including:
- A strong “tone at the top” and consistent conduct displayed by words, actions, and modelled behaviors [Topic #2].
- Adequate oversight and engagement by executives and the board of directors [Topic #2].
- Sufficient program budget and resources [Topic #3].
- Written policies and procedures that are properly designed [Topic #4a].
- A highly qualified, experienced, autonomous, and well-resourced compliance team [Topic #3].
- Due diligence and contractual compliance expectations of third-party vendors and/or joint venture partners [Topic #10].
- Strong training, which is understandable, risk-based, relevant, and updated [Topic #6].
- Post-merger integration/absorption of compliance principles within acquired companies/divisions/personnel [Topic #11].
- Sound implementation and operational integration [Topic #4b].
- On-going risk assessments which include methodologies for identifying, analyzing, and managing top risks [Topic #5].
The Detection Elements
- Regular monitoring and auditing (both internal self-assessments and external) [Topic #9].
- A visible confidential reporting system (with non-retaliation and consistent and documented follow-through) [Topic #7].
- A proven track record for spotting, responding to, and learning lessons from other “red flags” (e.g., employee concerns, agency investigations, fines, etc.) [Topic #1].
- Open flow of communications in all directions (“laterally” across the company; “upward” to audit committees and the board of directors; and “downward” to middle management and the employees) [Topic #2].
The Response Elements
- Timely, thorough and credible internal investigations which include detailed “root cause” analyses [Topic #1].
- Appropriate, proportional and consistent discipline of employees, managers, executives, and third-party vendors who engage in violations [Topic #8].
- A proper incentive system that recognizes, rewards and promotes strong compliance performance of employees and managers [Topic #8].
The Correction/Remediation Elements
- On-going improvements to all compliance program elements [Topic #9].
- Post-incident remedial actions [Topic #1], including:
- Remedy harm/impacts.
- Increase budget/resources as needed.
- Modify training to address “gaps."
- Prevent recurrence of non-compliance.
One fundamental (and often frustrating) principle of “effective” corporate compliance is that the process of improvement is never completed. The risk landscape is always changing based upon a wide variety of internal and external factors. This latest DOJ compliance program policy gives clear notice to all companies that the government still cares about these standards of selfgovernance, and provides concrete examples of the questions that the government will ask.
In light of the government’s transparency about compliance priorities and expectations, every company will be expected to be equally transparent. More specifically, companies need to review the guidance and evaluate their programs in full view of this clear notice and on-going priority placed upon such programs. The two questions they need to be prepared to answer are:
- How does your compliance program score in light of the government’s criteria?
- What did your company do internally to assess its program in light of this new policy?
As every compliance officer knows— the time to act proactively, and to get the maximum protection is now—before any significant trouble hits. As the adage goes, “an ounce of prevention is worth a ton of cure.” As a company’s audit and compliance program grows and matures, the leadership must be ever-vigilant in making sure it remains effective.
©2017. Published in Compliance & Ethics Professional, May 2017, by the Society of Corporate Compliance and Ethics. Reproduced with permission. All rights reserved.