Deeper Than the Headlines: DOJ Update: “Evaluation of Corporate Compliance Programs”

The DOJ recently published this document, which provides additional insight into their practices of evaluating compliance programs.

Recall that back in November of 2015, the DOJ hired a full-time compliance expert, Hui Chen, to “help prosecutors develop appropriate benchmarks for evaluating corporate compliance and remediation measures and communicating with stakeholders in setting those benchmarks.” https://www.justice.gov/criminal-fraud/file/790236/download

It seems consistent with the hiring of Chen that the DOJ would publish a document outlining the types of questions they want answered regarding the effectiveness of an organization’s compliance program. The content of the document is consistent with other foundational documents that conscientious compliance officers have relied upon for years to assess the effectiveness of their compliance programs, including the United States Attorney’s Manual and the United States Sentencing Guidelines.

However, some of the questions demonstrate how the DOJ really wants to get to the heart of the matter, which is, whether the compliance program can demonstrate it is serious about, and effective at, preventing, detecting and correcting non-compliance. Keep in mind, these questions are being asked in the context of a DOJ investigation of a corporate entity, which suggests there is some suspicion that wrongdoing has already occurred.

Questions the DOJ Might Ask

Let’s take a look at some of the questions they might ask to determine compliance program effectiveness in that context:

1. “Root Cause Analysis – What is the company’s root cause analysis of the misconduct at issue? What systemic issues were identified? Who in the company was involved in making the analysis?”

The DOJ seems to be asking, what was the true cause of the misconduct, not some superficial guess, but the actual root cause. What evidence and/or documentation does the compliance program possess to demonstrate this?

2. “Prior Indications – Were there prior opportunities to detect the misconduct in question, such as audit reports identifying relevant control failures or allegations, complaints, or investigations involving similar issues? What is the company’s analysis of why such opportunities were missed?”

They seem to be asking, if you’re claiming to have an effective compliance program, then what went wrong in this case and why? Granted, a compliance program does not have to prevent all wrongdoing to be deemed effective, but it should be asking these questions whenever non-compliance has occurred. Does your organization track allegations and complaints, so if you were asked, you could demonstrate due diligence, appropriate investigation and/or timely resolution of problems when complaints were received?

3. “Conduct at the Top – How have senior leaders, through their words and actions, encouraged or discouraged the type of misconduct in question? What concrete actions have they taken to demonstrate leadership in the company’s compliance and remediation efforts? How does the company monitor its senior leadership’s behavior? How has senior leadership modeled proper behavior to subordinates?”

The questions about “Conduct at the Top” seem consistent with the themes of the Yates’ Memo which we’ve blogged and spoken about previously. The keywords that stand out to me in the questions above include “through their words and actions,” “concrete actions,” “monitor its senior leadership’s behavior,” and “modeled proper behavior.” DOJ seems to want evidence, not lip service. Can your compliance program demonstrate these actions of senior leadership? Have you been tracking and documenting these efforts on a prospective basis or will you need to hunt down any evidence 5-8 years after they occurred?

4. “Accountability – What disciplinary actions did the company take in response to the misconduct and when did they occur? Were managers held accountable for misconduct that occurred under their supervision? Did the company’s response consider disciplinary actions for supervisors’ failure in oversight? What is the company’s record (e.g., number and types of disciplinary actions) on employee discipline relating to the type(s) of conduct at issue? Has the company ever terminated or otherwise disciplined anyone (reduced or eliminated bonuses, issued a warning letter, etc.) for the type of misconduct at issue?”

The “Accountability” questions seem to stick to the Yates’ Memo concepts, too. Specifically, questions about supervisors and managers and their level of oversight for compliance failures seems to be consistent with these messages. Compliance needs support from those on the “front-line,” so-to-speak. The Compliance Officer cannot drive home the message alone. Operational personnel and middle management need to send the message that they support the compliance program. This will be demonstrated by a record of appropriate disciplinary actions taken over the years. Let’s hope your answer won’t be, “nobody ever did anything wrong.”

5. “Risk-Based Training – What training have employees in relevant control functions received? Has the company provided tailored training for high-risk and control employees that addressed the risks in the area where the misconduct occurred? What analysis has the company undertaken to determine who should be trained and on what subjects?”

Most compliance programs offer training, but what’s interesting about the questions above is the reference to “tailored training” and the analysis undertaken regarding who should be trained and on what. Given the evolution of compliance programs, I think the days of a generic, one-hour annual compliance training for everyone in the company might be over. Sure, some general training might be a good idea, but it seems the DOJ wants compliance programs to be thoughtful and smart in the training. Train effectively on the key areas of risk. Tailor the training to the employees given their exposure and job functions.

These are just a few of the questions found in the eight-page document published by the DOJ. Though many experienced compliance officers will find the messages contained in the questions to be consistent with their professional experience and training, the questions are pointed enough to drill home some new messages. All compliance officers and those responsible for oversight of the compliance program (i.e., Boards and Senior leadership), should take a moment to read and answer the questions now, of their own accord, as opposed to when the DOJ might ask the questions themselves in the event of an investigation. Taking a good look in the mirror now is one way to demonstrate your organization takes its compliance efforts seriously.