The U.S. Department of Justice’s updated guidance on evaluating corporate compliance programs issued this spring focused on three fundamental questions that guide prosecutors in determining whether a compliance program was in effect on the date of an offense and also whether the compliance program was effective in practice at the time of a charging decision.

This is Part 2 of our two-part series on creating effective compliance programs, which discusses what an “effective” program looks like and the prosecutor’s responsibilities in connection with the April updated guidance.

The three fundamental questions center on whether the compliance program was well-designed, whether it was being applied earnestly and in good faith, and whether the compliance program worked in practice.

Is the compliance program well-designed?

The first question on whether the program was well-designed has a number of assessment points. Prosecutors are encouraged to evaluate compliance programs based on the following:

• How well the company has identified its risk profile
• How the compliance program addresses those risks
• Whether the program would detect the sort of misconduct expected to occur in the company’s business operations

A number of elements contribute to effectively assessing risk, including the location of the business, type of business being conducted, competitiveness of the market, regulatory framework that governs the business operations, and the types of transactions and clients served by the company. A key concept in risk assessment is “risk-tailoring,” which uses appropriate metrics to manage risk; tailors the allocation of resources to high-risk areas versus low-risk areas, and identifies whether risk assessment is appropriately updated and revised as lessons are learned and as circumstances may change.

Well-designed compliance programs also should memorialize best practices and ethical norms in policies and procedures. These best practices include a code of conduct committing to a culture of compliance. According to the guidance, in the course of evaluating policies and procedures, prosecutors may consider such factors as:

• How the company designs and implements new policies
• The comprehensiveness of the company’s policies
• Whether employees have access to policies and procedures for referential purposes
• Who in the organization has responsibility for integrating policies and procedures into the company’s daily operations
• Assessing whether “gatekeepers” at key points in the operation have been trained appropriately on their role in assuring compliance are parameters that should be considered

Per the guidance, prosecutors may also evaluate whether training of employees and ongoing communication have been designed to effectively communicate policies and procedures based on the audience, subject matter, and sophistication of what is communicated and the audience to whom it is addressed. In conducting this evaluation, the guidance notes that prosecutors may consider whether employees in key control functions have received risk-based training, the form and content of training, whether guidance is available on an ongoing basis, and, particularly, whether the company has made its position on things like misconduct well-known. Training resources should also be evaluated for effectiveness using tools such as pre-and post-testing and other metrics that can show trending data over time.

Another assessment point for a well-designed compliance program is whether the program provides for a confidential reporting mechanism as well as an investigative process. Factors that a prosecutor may consider, according the guidance, include:

• Whether the company has a confidential reporting mechanism in place
• Whether it is used
• How the company assesses the seriousness of reported issues
• Whether investigations are properly scoped
• Whether investigations are conducted by qualified and empowered personnel
• If investigations are completed promptly
• If appropriate follow-up insures accountability and feedback for policies and procedures

Well-designed compliance programs should also include assessment of third-party entities, such as suppliers, partners, consultants and distributors. Companies should know the reputation and the relationship of its third-party entities through due-diligence and ongoing monitoring of the same type of risk assessment as the company conducts for its own operations. This would include confirming that third parties have appropriate control mechanisms, particularly in risk areas such as payments, contractual relationships, metrics to measure areas of potential misconduct, and appropriate responses to any identified issues.

Finally, well-designed compliance programs provide for comprehensive due diligence of entities that may be targets of a merger or an acquisition. In addition to comprehensive due diligence, the means by which a merger or acquisition target is included in the company’s compliance program is also indicative of a well-designed compliance program. Assessment factors may include how quickly or thoroughly policies and procedures have been established at the new entity and whether other aspects of the compliance program have been extended to the new entity.

Is the compliance program being implemented effectively?

Compliance programs should be implemented with sufficient resources for auditing, review and documentation of the program’s effectiveness. Prosecutors should, according to the guidance, evaluate the corporate culture, particularly with regard to senior and middle management, as well as the independence and resources provided to those charged with monitoring the corporate compliance program.

The guidance also notes that prosecutors may look at the conduct and actions of management, recognizing that senior management sets the tone for the rest of the company. Senior managers who support a culture of compliance, modelled appropriate behavior for subordinates and encouraged others to always act in an ethical manner provide good indication of an effective program.

Similarly, best practices dictate that compliance professionals should be afforded sufficient authority and standing within the company to implement the compliance program. Generally, this means:

• Compliance professionals have an appropriate seniority level within the company
• Necessary autonomy to go directly to the board of directors
• Requisite experience and qualifications to perform analysis and review activities

Prosecutors should consider where the compliance function falls in the organizational chart, and whether the designated compliance personnel are dedicated to compliance activities, or if they have other duties within the company.

Effective compliance programs generally have some form of incentive to encourage compliance and an established disciplinary process to de-incentivize non-compliant behaviors. In assessing this aspect of effective compliance programs, prosecutors may look at human resources processes, consistency within the organization, and other considerations such as bonuses, awards, and disciplinary activities.

Does the compliance program work in practice?

A compliance program that works in practice has characteristics that are vibrant and evolving.

While an instance of misconduct does not invalidate the efforts of a compliance program, prosecutors are encouraged by the DOJ guidance to give consideration to how the misconduct was identified, what resources the company had in place to investigate or review the misconduct situation, and what sort of remedial action resulted from the misconduct.

Programs that seek continuous improvement, testing and review are considered better in practice than programs that remain static. Feedback processes for compliance programs can include internal audits, control testing, regular updates to the program including policy and process reviews, and other activities focused on fostering a culture of compliance within the company.

Additionally, a working compliance program has a funded and timely investigation process, which can scrutinize issues promptly as they are identified, provide quick response, and assist management with maintaining accountability throughout the company. Effective investigations also provide an important source of feedback to the compliance program and can identify weaknesses and vulnerabilities in existing policies and procedures.

Much like a quality improvement program, compliance programs should be engaged in periodic review and validation of policies and procedures. Reviews of this type should focus on root cause analysis, review of past weaknesses or vulnerabilities, and accountability. Special attention should be given to relationship-driven issues, particularly with third parties, vendors, and through payment or compensation systems.

Conclusion

Prosecutors are given wide discretion to determine whether corporate compliance programs may be considered as a mitigating factor in prosecutions.

A company should be prepared for these sorts of circumstances by establishing a well-designed and effective compliance program that encourages a culture of compliant behaviors throughout the company, but also has elements that lead to discovery and resolution of misconduct.