June 8, 2020
The U.S. Department of Justice (DOJ) published on June 1, 2020 an update to its April 2019 guidelines for the Evaluation of Corporate Compliance Programs (guidance) to reflect updated regulator and compliance professional experience and feedback. In the event of a violation, prosecutors and regulators will continue to take into account the quality of corporate compliance programs when making charging and/or penalty decisions. Chief compliance officers, general counsels, and their teams should understand the changes to the guidance, which reflect evolving regulator perspectives and expectations about the operationalization and implementation of compliance programs and assess how these changes impact their existing compliance program.
Key highlights from the updated guidance reflecting changes from the April 2019 version include:
DOJ recognizes that not all compliance programs are alike – but each must be properly empowered and resourced
The guidance notes that evaluation of a compliance program will be “reasonable” and based on company size, industry, geographic footprint, regulatory landscape, and other internal and external factors. However, the guidance clarifies the meaning of a program being properly implemented by adding emphasis on the program being “adequately resourced and empowered.” An important first step in creating a reasonable compliance program is to ensure the company has done an adequate self-assessment, starting with a review of whether it has identified the universe of compliance requirements, identified the resourcing needed to address those requirements, and then developed and allocated its resources efficiently and effectively.
A continuous – not a snapshot – approach to compliance risk assessment
The guidance states that a risk assessment for a compliance program is not a “snapshot”. Instead, it is an evolving perspective based on continuous access to operational data and information, as well as the company’s own prior issues and those of similarly situated companies in the same sector or market. In turn, this evolving risk assessment allows for appropriate updates in program policies, procedures, and controls. Compliance professionals should think about integrating their compliance risk assessment into their organization’s existing Enterprise Risk Management (ERM) program. A useful benefit of this approach is that it integrates business and compliance risks, engaging the company’s varied stakeholders in an ongoing discussion and developing shared awareness.
Leverage data analytics to understand what employees are thinking and identify new potential risks
The guidance further develops its treatment of employee access to compliance guidance, indicating that companies should publish policies and procedures in a searchable format, and that companies should track access to policies to understand which areas are attracting the most employee attention. Similarly, the compliance program should have unencumbered access to relevant sources of data to enable timely and effective monitoring or testing. Compliance professionals should develop an inventory of existing data systems, recognize what types of data are housed in them and the compliance insights that can be drawn from them, and then extract risk-relevant information.
Dispense with the long training sessions. Short, simple, and interactive is better
Reflecting the continued regulator emphasis on training, the guidance suggests companies invest in shorter, targeted, role-based training sessions to enable employees to identify and raise potential issues. Regardless of whether training is online or in-person, employees should have an opportunity to ask questions or seek clarification. Similarly, the guidance suggests compliance professionals follow up with employees who do not do well on training assessments.
Test your whistleblower hotline . . . before you need it
The guidance states that a company should periodically test its whistleblower hotline to ensure a complaint is received and processed appropriately. Of note, the guidance also indicates that a whistleblower program should be distributed to third parties, as well as employees.
Integrate the operational perspective on third party management
Compliance officers should understand and document the business rationale for third party engagement (e.g. vendors, suppliers, agents and joint venture partners) as well as the compliance risks presented. Moreover, continual or periodic third-party risk assessments should be conducted throughout the lifespan of the business relationships, not just at the time of onboarding, to assure that evolving and emerging risks are regularly identified and mitigated. Of particular note, given recent U.S. government mandates around using China-sourced technology, companies should consider downstream compliance risks within their supply chain and identify how compliance requirements can be managed through integration into contract clauses (e.g. audit clauses), as well as through continuous risk monitoring and risk/compliance-aware engagement design.
How We Can Help Compliance Professionals and Counsel
Compliance Risk Assessment: Our professionals, many of whom have served in senior compliance officer roles or in key regulator positions, can assist you in conducting an actionable, individualized assessment to identify and assess areas of compliance risk, integrate lessons learned from other companies, develop a conversation about compliance risk across the organization, and put in place mechanisms to continually enable access to evolving perspectives and insights on risk. Finally, our professionals can assist you in developing action items and mitigation road maps to affirmatively address priority risks facing the company.
Compliance Program Development: Our professionals can work with you to develop concise policies and processes that implement and operationalize your compliance program objectives, ideally into your existing business processes, to reduce cost and maximize impact and sustainability. And, at the same time, our team can work with you to integrate data analytics and automation into your compliance program, develop effective, role-focused training that communicates organizational values, and institutionalize leading practice in compliance.
Compliance Audit: An effective compliance audit against key applicable laws and regulator guidance can identify gaps and weaknesses in your compliance program. Further, it becomes evident where your program is doing well and where opportunities exist to better allocate resources, especially in light of the current state-of-the-art programs in your industry. Our experienced compliance professionals have conducted compliance audits across a range of compliance domains including anti-corruption, export controls, cyber, trade sanctions, data privacy, and CFIUS. We assist our clients to address control deficiencies, identify issues requiring remediation, and conduct root cause analyses.
Investigations and Response: If needed, our compliance and investigations professionals deploy skilled and experienced investigators, many of whom have worked in government, law firms, and in-house positions conducting white collar investigations. Our personnel also bring to bear industry-leading technology-assisted investigations capability and forensic accounting expertise. Finally, our team has decades of collective experience engaging government regulators and investigative bodies in connection with internal investigations, prosecutions, and consent agreements, positioning us to achieve optimal results for our clients.
Continuous Compliance Monitoring and Data Analytics: As described above, the DOJ is focused on continuous compliance monitoring as a critical element of well-designed and implemented corporate compliance programs. We have a dedicated group that works with our clients to deploy state-of-the-art technology-assisted compliance monitoring, data analytics, and business intelligence tools.
Supply Chain Risk Management: Our team works with our supply chain professionals to help our clients identify potential risks in their supply chain and implement effective risk management controls and processes. We regularly assist our clients to articulate the business rationale for engagement of third parties and to understand and address the potential compliance risks, including market- and sector-specific compliance risks, originating from such relationships.