DOJ’s Approach to Evaluating Organizations Evolves Along with Maturing Compliance Programs

carrie-penman.png

This week, the U.S. Department of Justice (DOJ) announced updates to its guidance document “Evaluation of Corporate Compliance Programs” (the Evaluation). I was in the audience when Brian Benczkowski made the announcement at ECI’s Impact 2019 conference in Dallas and heard first-hand the Assistant Attorney General’s perspective on the document’s evolution and impact.

We have always been an industry hungry for the enforcer’s perspective and this week we got an additional 10 pages of discussion...

If you are in the compliance community, you are most likely aware of the original version of the Evaluation released in early 2017, and the frenzy it set off within the compliance industry. We have always been an industry hungry for the enforcer’s perspective and this week we got an additional 10 pages of discussion and an official DOJ seal in the letterhead (which the original document did not have).

The updates are more of the same, and I mean this in the best way. When asked about his thinking and approach to this update, Benczkowski described his experiences in private practice when corporate clients came into his office with the list of the original guidance questions attempting to show how they met the DOJ expectations. He kept this in mind as they developed the update.

Desire for More Transparency & Clarity

The key theme in Benczkowski’s address was transparency between the DOJ and the organization’s they investigate. “We have sought to provide additional transparency in how we will analyze a company’s compliance program….We hope this updated version provides additional insight to both prosecutors and companies with respect to the evaluation of compliance programs.”

The updated Evaluation has been reorganized to acknowledge that no matter what a company’s particular circumstances might be (and those circumstances will vary enormously), prosecutors will want to answer three fundamental questions:

  1. Is the compliance program well designed?
  2. Is the program being implemented effectively?
  3. Does the program work in practice?
     

The DOJ says the answers to these questions are “fundamental” to investigations, will play a major role in prosecutors’ decisions, and “may be more salient” than a particular case’s facts. 

The DOJ says the answers to these questions are “fundamental” to investigations, will play a major role in prosecutors’ decisions, and “may be more salient” than a particular case’s facts. While this is not new, it does expand on and clarify some of the Justice Department’s thinking on compliance programs and indicates that the prosecutor community is evolving with – and recognizing best practices in – corporate programs. It does so in other ways as well.

Discuss Your Compliance Program Comprehensiveness with a Representative

Significance of Program Design

Program design is one of the themes that stands out to me, particularly its additional emphasis on how evaluations will be tailored specifically to the individual organization, industry, size, market, and other nuances unique to the compliance program. One-size-fits-all programs have never worked.

Design also refers to keeping pace and responding to evolving risk. Circumstances change for an organization every day; its business and compliance risks change. To prove that a compliance program is well designed, compliance officers must assess compliance risks regularly, and then document any updates to the program the chief compliance office may (or may) not make.

Importance of Program Documentation

Even the best compliance programs can’t prevent the occasional bad actor from popping up. But the new guidance reinforces why, if and when that bad actor emerges, compliance officers must be able to demonstrate the state of the compliance program when the offense happened, the steps taken since then and the state of program now.

If and when that bad actor emerges, compliance officers must be able to demonstrate the state of the compliance program when the offense happened, the steps taken since then and the state of program now.

Documentation is critical to do this – and to prove that the program is – and WAS – effective. Specifically, the guidelines say prosecutors will evaluate “the adequacy and effectiveness of the compliance program at the time of the offense, as well as at the time of a charging decision.”

If you think about it, evaluation discussions with the DOJ are likely to take place years after the offense. Without adequate documentation, how can an organization prove that it had an effective program in place years earlier? In my early days as an ethics officer, my team and I literally packed up a box of documentation at the end of every year and sent it to corporate archives for this very reason.

Evaluation Process Tied to Department Guidance on Use of Monitors

In October 2018, Benczkowski announced guidance on how the Criminal Division would determine whether a monitor is appropriate in a given case. In his presentation this week, he said that “in determining whether a monitor is appropriate, we will look to several key factors, most notably, the investments and improvements a company has made to its corporate compliance program and internal controls, and whether remedial measures have been tested for the ability to prevent or detect similar misconduct in the future.”

Like All Compliance Programs, the Evaluation Is a Work in Progress

In all, the updated Evaluation does not launch us into any major new directions. The main criteria for evaluating a compliance program – issues such as risk assessment, training, policies and procedures, autonomy of the chief compliance officer, internal reporting mechanisms, and so forth – all descend directly from the U.S. Sentencing Guidelines. Likewise, none of the points first raised in 2017 have been omitted here; so everything compliance officers have been trying to do, they will still need to keep doing. But the DOJ has been making one thing more and more clear – “check-the-box” programs will not be acceptable when they come knocking on the door.

Take a Look at NAVEX Global's Comprehensive Compliance Management Platform


Chat with a solutions expert to learn how you can take your compliance program to the next level of maturity.


Beyond Due Diligence: Ongoing Third Party Risk Management

Due diligence screening of existing or new third parties is just an initial step – it is not the entirety of third party risk management. Assuming that the third party passes the due diligence review, there are a number of continuing obligations needed to manage risk. Learn how to go beyond due diligence and introduce a consistent application of rules and procedures.

Previous/Next Article Chevron Icon of a previous/next arrow. Previous Post

Benefits of a Compliance Program Under FCPA Corporate Enforcement Policy

Learn what the first three FCPA enforcement actions of 2019 teach ethics and compliance programs about the varying degrees of penalties based on self-disclosure, cooperation and remediation. 

Next Post Previous/Next Article Chevron Icon of a previous/next arrow.

Comments