Like every other compliance professional who’s paying attention, I have read the updated Evaluation of Corporate Compliance Programs guidance issued by the US Department of Justice (DOJ) last month. I found it both instructive and encouraging. Instructive because it added more specificity about DOJ exceptions and how to meet them. Encouraging because it clearly reflects input solicited from risk and compliance officers prior to its publication.
There are countless papers, articles and blog posts out there already examining and dissecting this guidance in great detail, including an excellent write up by Patty Tehrani in Bloomberg Law. This is not another one. Instead, I’d simply like to share a few observations about how this new guidance will further elevate the role of compliance professionals and impact our profession going forward.
First: The expectation of proven program effectiveness.
I believe the various iterations of the Guidance have been intended to make clear that “real” programs, rather than paper programs, are key. While it acknowledges that one size does not fit all, the addition of roughly two dozen substantial edits in 2020 should make it abundantly clear that the government expects to see programs that are constantly evolving based on solid risk management processes and incorporated lessons learned (both internal and external). The organization must also be able to demonstrate how and why the program has been implemented in the way it has. Consider the three fundamental questions prosecutors are directed to ask (straight from the introduction to the Guidance):
- Is the corporation’s compliance program well designed?
- Is the program being applied earnestly and in good faith? In other words, is the program adequately resourced and empowered to function effectively?
- Does the corporation’s compliance program work in practice?
If you share no other part of this guidance with your colleagues and executive leadership, make sure they see these question. Nothing makes a stronger case for your program.
Second: A positive "tone from the top" is not optional.
I believe the most compelling phrase in the above questions above is “…adequately resourced empowered to function effectively.” It essentially declares that a compliance program should be fully supported by executive leadership and the board of directors, full stop. Further, it carries an expectation that this tone be modeled at all levels of management.
Third: Prove it with data.
The Guidance is also clear in its assertion that successful programs must collect the right data, have it accessible to those in compliance who need it, and use it to make better, more informed decisions or course corrections. This in turn suggests the need for compliance program automation. Our profession currently lags behind finance, legal and HR when it comes to automated systems to support the company’s objectives. This has to change.
Further, while awareness of the potential need to be able to prove program effectiveness years after the offense occurred has been around for decades, it has been rarely discussed. This Guidance update now specifically states that the effectiveness of the program will be “reviewed both at the time of the offense and time of the charging decision and resolution.” The only way to do this is to ensure there is access to archived annual program information and documentation. In the 1990s, I literally packed a box with all of the program information at the end of every year. Now, with available technology, this archive process can and should be automated.
The June 2020 DOJ Guidance is another step forward in terms of clarity and specificity. I also believe it will make it easier for organizations to justify investment in their programs by providing both a framework of federal expectations as well as a roadmap on how to get there. That said, many of us, including me, still have questions. For those of you who do, there is an upcoming webinar you should attend.
Brian Rabbit, the former Acting Assistant Attorney General for the Criminal Division, US DOJ, will lead a Best Practices Forum (virtual event) hosted by the Ethics and Compliance Initiative on Thursday, July 30. (Full disclosure, NAVEX Global is a sponsor of the forum). Mr. Rabbit will be fielding questions submitted by compliance professionals like you. In fact, I have already submitted a few myself.