At NAVEX Global’s May Master Class, Hui Chen, former Compliance Counsel Expert to the U.S. Department of Justice (DOJ), and Carrie Penman, Chief Compliance Officer and Senior Vice President at NAVEX Global, discussed recent updates to the DOJ’s Evaluation of Corporate Compliance Programs (the Evaluation). As the author of the DOJ’s original Evaluation document published in 2017, Hui Chen offered unique insight on the impetus of the guidance as well as on its latest evolution.
While there were a number of key lessons to be learned from the hour conversation, one thing we heard loud and clear was that the Evaluation should not to be seen as a best practices document. “It is a best among worst practices,” Chen clarified.
This is not an evaluation to determine whether an organization is good, but whether an organization is criminal.
The guidance can be helpful for compliance practitioners to understand how compliance programs are evaluated by the DOJ; however, Chen reminded the audience that the DOJ only evaluates organizations when involved in criminal wrongdoing. This is not an evaluation to determine whether an organization is good, but whether an organization is criminal. As Chen stated, “If you can come in and give fairly reasonable answers to the questions that we are asking, congratulations, you are a C student. The A students are not in front of us.”
Chat with a solutions expert to learn how you can take your compliance program to the next level of maturity.
Using the DOJ Evaluation Guidance as a Strategic Document
The Evaluation guidance ultimately exists to help federal prosecutors in their investigations of criminal activity. But organizations need not have committed a crime to learn from the document or apply its learnings.
The Evaluation does not offer an exhaustive list of questions. Therefore a robust set of answers to the questions should not be thought of as a DOJ shield.
This is a foundational document. The approach and answers to the questions should be tailored to each organization’s unique risk, business and people. Chen included a note of caution here as well. The Evaluation does not offer an exhaustive list of questions. Therefore a robust set of answers to the questions should not be thought of as a DOJ shield. Take, for instance, the DOJ’s antitrust division knocking on your organization’s door and saying a fraud investigation is underway. If “your answer to them is, ‘Oops, I didn’t think about that because it wasn’t in the guidance,’ that would not be a very good answer,” Chen said.
So How Should the DOJ Evaluation Be Used?
First, “don’t obsess over every word in this document,” says Chen. Each organization needs to take the guidance and tailor it in accordance with their compliance program goals.
Second, effectiveness was a reoccurring theme in Chen’s remarks. Along with culture, operationalization and risk, effectiveness has become an operative word in the world of compliance. However, true effectiveness is demonstrable. And more specifically, it is demonstrated through outcomes not processes.
In defining outcomes, Chen highlighted the case of effective ethics and compliance training. Compliance training can only be considered effective when it impacts how employees behave, not by how many employees participated. Effective training metrics therefore are not limited to seat time and training views, but must also include breach, violation or misconduct metrics.
In approaching the Evaluation and program effectiveness, the following steps surfaced as simple guideposts.
- Understand and be able to explain your risks: Organizations need to assess what risks or potential problems their employees could encounter. Chen said the way she has assessed the credibility of a compliance program was simply by asking the compliance officer, “Tell me about your organization’s risk profile. Half of the time, the compliance officers could not answer this question.”
- Use common sense: What in the document is relevant to your organization? How does your organization think about its programs? How are you going to measure success? Successful organizations will constantly ask themselves these questions as a part of a healthy self-evaluation.
- Focus on metrics: Compliance programs are supposed to prevent and detect criminal acts. Proving the ability to prevent and detect wrongdoing requires telling the story of effectiveness through analytics and metrics. It is one thing to say you have an effective program, it is another to show you have an effective program.
Seen as a foundational document to build upon as appropriate for each organization rather than an all-inclusive manual, the Evaluation of Corporate Compliance Programs can be instrumental in helping compliance programs continue on their path to demonstrably effective programs.