Evaluating DOJ compliance guidance in 2019
Do you have an effective corporate compliance program?
On April 30, 2019, the US Department of Justice (DOJ) updated their 2017 guidance related to evaluating the effectiveness of a compliance program. The revised guidance poses three fundamental questions that company leaders can utilize to help ensure their compliance program is effective.
July 19, 2019 | Life sciences
In a speech to unveil the updated guidance, Assistant United States Attorney General Brian Benczkowski stressed that "an effective compliance program is the only principle that has the ability to prevent the crime from occurring in the first place." The use of the word "ability" is significant, in that it aligns to the idea of program effectiveness and reinforces the message behind the guidance—i.e., each company must develop that ability through an effective compliance program.
The new guidance is, therefore, an essential tool for companies to use when assessing whether their compliance program is in line with the standards that prosecutors will use in deciding whether to act and to what degree. All this is to say that a culture of prevention, as well as detection and correction, is front of mind for regulatory enforcers and should be the same for compliance programs.
The DOJ recognizes that risk profiles, and the solutions that reduce risk, vary from company to company, and it leaves much to the discretion of individual prosecutors. Every company is unique, and no company can entirely eliminate risk, but a continual and evolving assessment of risk and its associated mitigation activities is an essential component of ensuring that a compliance program is effective.
The guidance outlines three fundamental questions that companies can expect prosecutors to ask:
- Is the corporation’s compliance program well-designed?
- Is the program being applied earnestly and in good faith (is the program effective)?
- Does the corporation’s compliance program work in practice?
The following provides additional background on these questions, along with an insight into how companies can respond to the DOJ guidance, with a focus on risk assessment as the backbone of an effective program.
Is the corporation's compliance program well-designed?
The first aspect of a well-designed compliance program that the DOJ mentions is how a company has "identified, assessed, and defined its risk profile, and the degree to which the program devotes appropriate scrutiny and resources to the spectrum of risks." An effective way to evaluate the company's risk profile is to conduct risk assessments, no less than annually, to continually evaluate the controls in place across all relevant business activities, but especially the highest risk activities. It’s important that companies ensure these tools are appropriately tailored to embed the company’s culture of compliance into the operations of the business, comprehensively address controls to mitigate high-risk areas, and communicate how employees can report misconduct. By doing this, and then acting on each assessment with an appropriate mitigation plan, the design of the program continually evolves and improves as the dynamic nature of risks evolve as well.
Effective risk assessments also involve collaboration with key business leaders and other stakeholders, leading to not only better risk assessments but also to a better-educated group of business colleagues who in turn are more aware of the risks and can take an active role in mitigation efforts. All of this creates a virtuous cycle for ongoing improvements to sustain a well-designed program.
The DOJ places risk assessment first because a well-designed compliance program relies on timely and accurate assessments of risk to inform all other aspects of compliance program design. According to the guidance, other aspects of compliance program design draw heavily from risk assessments. For example:
- Policies and procedures: "Any well-designed compliance program entails policies and procedures that give both content and effect to ethical norms and that address and aim to reduce risks identified by the company as part of its risk assessment process."
- Training and communications: "Prosecutors should assess the steps taken by the company to ensure that policies and procedures have been integrated into the organization, including through periodic training and certification for all directors, officers, relevant employees, and, where appropriate, agents and business partners." None of these steps are attainable without certainty about what areas of the business are subject to various compliance risks.
- Confidential reporting structure and investigation process: "Another hallmark of a well-designed compliance program is the existence of an efficient and trusted mechanism by which employees can anonymously or confidentially report allegations of a breach of the company’s code of conduct, company policies, or suspected or actual misconduct." A risk assessment should help to determine whether confidential reporting and investigation provide meaningful insights.
- Third-party management: "A well-designed compliance program should apply risk-based due diligence to its third-party relationships." Thorough due diligence cannot occur without first assessing the risks of various third-party business relationships.
- Mergers and acquisitions (M&A): "A well-designed compliance program should include comprehensive due diligence of any acquisition targets." In some regards, the role of risk assessment in M&A is quite similar to the managing of any third parties.
As the points above highlight, risk assessment is not only a factor in compliance program design but also a key component of tactical and strategic business decisions.
Is the corporation’s compliance program being implemented effectively?
The DOJ continues to emphasize that prosecutors have been instructed to probe "specifically whether a compliance program is a 'paper program' or one 'implemented, reviewed, and revised, as appropriate, in an effective manner.'" If a company last updated or reorganized its compliance program five or ten years ago and is not continuously assessing the organization's risk profile and its active commitment to compliance, the guidance reflects that the company may be viewed less favorably by regulators in the event of a compliance concern.
The DOJ's criteria for whether a compliance program is effective cover a range of topics, and the guidance poses a few questions for compliance professionals to consider:
- Commitment by senior and middle management: Is there a documented high-level commitment by management to a culture of compliance?
- Autonomy and resources: Do compliance professionals have the appropriate authorities and means to carry out their activities?
- Incentives and disciplinary measures: What are the means of enforcing the rules?
The actual effectiveness of the compliance program should be evaluated every one to three years, and that evaluation can be conducted in conjunction with the annual risk assessment, which must be performed each year as a cornerstone of effective implementation. The very nature of the risk assessment sparks the right type of questions and mitigating actions to maintain the cyclical dynamic that an effective compliance program must have to keep from becoming dormant.
Does the corporation’s compliance program work in practice?
Although the concepts of "program effectiveness" and "work in practice" may sound interchangeable, the DOJ guidance distinguishes between whether a compliance program is effective, and whether it works in practice by focusing on "whether the corporation has made significant investments in, and improvements to, its corporate compliance program and internal control systems." Importantly, a one-off investment is not enough. The DOJ will assess whether compliance programs adapt to changing needs, and how companies respond to concerns. To prove that a compliance program works in practice, compliance programs should assess:
- Continuous improvement, periodic testing, and review: In DOJ's own words, "A company's business changes over time, as do the environments in which it operates, the nature of its customers, the laws that govern its actions, and the applicable industry standards." To that end, companies should have policies and clear rationales for how they approach audits and control testing. Policies on how updates occur or how a culture of compliance is fostered should be demonstrably acted on.
- Investigation of misconduct: In the end, despite all efforts, misconduct can still occur. When it does, prosecutors will look carefully at how misconduct was investigated and remediated. They will probe into the authorities of the internal investigators, and they will look carefully at how the company responded. Punitive actions are not enough. Investigations should also examine root causes, and identify any systems or management shortcomings.
An effective risk assessment and mitigation planning program can serve as the backbone for answering this question and provide evidence that the company is routinely identifying risks, areas for improvements in controls, and other mitigation activities to create a cycle of continuous improvement that becomes part of the culture of the organization, allowing for long-term sustainability.
What to conclude?
Although many of the concepts in this guidance have been discussed for years by the DOJ, settlements and Corporate Integrity Agreements still occur every year. As the new guidance makes clear, "paper compliance" is not enough. Going forward, prosecutors will take the demonstrated effectiveness of a compliance program very seriously in determining how to pursue enforcement actions.
For many companies, the compliance program is responsible for reviewing and monitoring the activities within the business functions, but the compliance department itself may not undergo a meaningful assessment by an independent party. The new guidance makes it clear that going beyond self-assessment of a company’s compliance program to undergo regular outside evaluations of program effectiveness may be viewed favorably by prosecutors.
As the DOJ makes clear, compliance programs must be well-designed, effective, and work in practice. Risk assessment is essential to meeting those standards, but it is difficult for compliance programs to achieve a thorough understanding of all manifestations of risk from an insider’s perspective alone. In today's environment, it is advisable to draw on outside expertise to ensure that a compliance program is alive, dynamic, and effective, and will remain so going forward.
This publication contains general information only and Deloitte is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.
Deloitte shall not be responsible for any loss sustained by any person who relies on this publication.