The US Department of Justice (DOJ) recently published an updated version of its guidance on the Evaluation of Corporate Compliance Programs.
The guidance provides direction regarding corporate compliance best practices and addresses the three fundamental questions that should be used to evaluate a corporate compliance program.
The guidance states “Because a corporate compliance program must be evaluated in the specific context of a criminal investigation, the Criminal Division does not use any rigid formula to assess the effectiveness of corporate compliance programs. We recognize that each company's risk profile and solutions to reduce its risks warrant particularized evaluation.” There are three questions however that prosecutors should use when making a determination.
Is the corporation’s compliance program well designed?
Is the program designed to prevent and detect employee misbehavior with maximum effectiveness? Is corporate management upholding and enforcing the program?
A starting point in answering these questions is the company’s risk management program. The company's Policies and Procedures and whether they have a robust Code of Conduct should also be examined, along with assessing whether a culture of compliance has been incorporated into day-to-day operations.
Appropriate training and internal communications are also key components of a well-designed compliance program. Do employees adequately understand what is expected of them? And if they need to report an incident, is the process accessible, anonymous, and handled in a timely manner?
A well-designed program should address risk within third-party relationships. Are comprehensive controls in place along with ongoing actions and consequences—not just at the beginning of the relationship? Due diligence of any merger and acquisition targets is a requirement of an adequate compliance program as well. Read more about best practices for high-performing corporate compliance programs.
Is the program being applied earnestly and in good faith?
In other words, is the program adequately resourced and empowered enough to truly be effective? Even the best designed program will fail if implementation is lacking or staffing is insufficient. Do Senior and Middle Management show ongoing commitment to the program? A culture of compliance requires both committed and demonstrated leadership throughout the company, and from the top down.
Prosecutors should also evaluate if compliance personnel have adequate training and experience. Do they have the resources and autonomy required to their jobs effectively? Is the program well-staffed and well-funded? Are there incentives for compliance, and discipline for misbehavior? Is there a consistent compliance process with consistent application?
Does the corporation’s compliance program work in practice?
“Due to the backward-looking nature of the first inquiry, one of the most difficult questions prosecutors must answer in evaluating a compliance program following misconduct is whether the program was working effectively at the time of the offense.”
To make that assessment, prosecutors need to evaluate if the company tests their program on an ongoing basis and makes improvements accordingly. Are investigations handled in a thorough and timely manner? And if misconduct is found, is the issue remediated and the root caused addressed?
We sat down with Susan Divers, Senior Advisor at LRN, a little while ago to talk about what makes an effective and high-impact compliance program. According to Susan, research at LRN shows that compliance programs based on values as well as rules have a much bigger impact on the choices employees make. Susan also notes that a big key in a high impact compliance program is inspiring the commitment to ethical behavior. You can read Susan’s 5 tips to create a high-impact compliance program here.
We can help you manage your Corporate Compliance challenges.
MCO's Corporate Compliance solution comprehensively addresses the challenges of regulatory compliance and potential fraud through our Know Your Employee and Know Your Third Party compliance suites. Both suites access a central database providing organizations with a compliance “system of record” and allow for easy recordkeeping and reporting.
Ready to learn more? Let us know and one of our experts will be in touch.