In February 2017, the Department of Justice (DOJ) issued its “Evaluation of Corporate Compliance Programs” document. Exactly a year later, it remains an incredibly valuable, evergreen how-to guide to operationalizing your organization’s compliance program. While not official DOJ Guidance, it provides significant guidance for every compliance practitioner.
In this two-part series, we will explore the 11-point list of questions laid out in the document that capture the DOJ’s current thinking on compliance program best practices.
The Evaluation provides a useful DOJ resource that can help a compliance practitioner test how deeply your compliance program is woven into the fabric of your organization. The DOJ cautions that these questions “form neither a checklist nor a formula,” indicating that the topics and questions may be more relevant for some organizations than in others, depending on the facts at issue.
The Evaluation follows the DOJ’s and Securities and Exchange Commission’s (SEC) “Ten Hallmarks of an Effective Compliance Program,” released in the 2012 Foreign Corrupt Practices Act (FCPA) Guidance. It also builds on the DOJ’s evolving best practices for an effective compliance program that began the Compliance Counsel metrics laid out by former Assistant Attorney General Leslie Caldwell in November 2015 and the DOJ’s FCPA Pilot Program regarding effective compliance programs found in Prong 3 Remediation. Several key concepts were also advanced in the new DOJ FCPA Corporate Enforcement Policy, released in November 2017.
Best Practices for Effective Compliance
The Evaluation outlines what constitutes an effective compliance program and provides solid information for the greater compliance community. The questions included in the document demonstrate a clear understanding of compliance programs. The document is used by prosecutors when considering if a company under a FCPA investigation had an effective compliance program.
“Also notable is what is not in the list: a focus on legal issues. Instead, the list squarely looks at how the business operates and how the company integrates compliance into its business functions,” observed Adam Turteltaub, Vice President of Strategic Initiatives and International Programs, the Society of Corporate Compliance and Ethics. “The word ‘legal’ appears once and ‘law’ not at all. By contrast, ‘training’ appears eight times, “board” seven, “management” eleven and “process” a whopping twenty-nine times.”
This DOJ Evaluation provides compliance practitioners with:
- Clear standards to use to evaluate their own compliance programs.
- Solid guidance on government regulators’ expectations for what compliance programs should include, how they should be implemented, and the future direction they should take.
- A valuable teaching tool to lay out the clear requirements for any best practices compliance program for your Board and senior management.
The document re-emphasizes that a compliance practitioner must listen when the DOJ communicates its expectations for corporate compliance. Beginning with the initial public remarks of Hui Chen and comments by former Assistant Attorney General Leslie Caldwell in November 2015, through the announcement of the FCPA Pilot Program in April 2016 and subsequent public remarks by Caldwell, former Deputy Attorney General Sally Yates and Chief of the FCPA Unit, Daniel Kahn, the DOJ has consistently articulated the need to operationalize a corporate compliance program. This trend continued in 2017 with the Evaluation and later, the FCPA Corporate Enforcement Policy.
Indeed, one can draw a straight line from Caldwell’s November 2015 remarks at the SIFMA Compliance and Legal Society New York Regional Seminar where she presented the requirements to operationalize compliance in discussing compliance program metrics.
In this blog post, we will explore the first five areas of inquiry in the DOJ’s Evaluation.
Evaluation No. 1 – Analysis and Remediation of Underlying Conduct
One of the most interesting considerations is Evaluation No. 1, which addresses the analysis and remediation of underlying conduct. In this area, it is essential to understand the root cause of any incident: Is it systemic and who made the analysis? You will also need to evaluate the detection prong of your compliance regime. For example, if the conduct was missed, why was it missed? Finally, you will need to explain the remediation. This area was added to the new FCPA Corporate Enforcement Policy.
Next is the area of senior and middle management where you will need to evaluate the specific conduct of senior management in discouraging employees from engaging in conduct in violation of the FCPA. You also need to review the role of senior management in remedial actions. How do senior leaders and other stakeholders model appropriate behavior? How do they share information on compliance throughout the organization? How is that conduct monitored on an ongoing basis?
Finally, the Board’s role is re-emphasized as the Evaluation asks the following questions, “What compliance expertise has been available on the board of directors? Have the board of directors and/or external auditors held executive or private sessions with the compliance and control functions? What types of information have the board of directors and senior management examined in their exercise of oversight in the area in which the misconduct occurred?” If you have listened to the podcast series on , you will recognize these as significant issues that many Boards have yet to deal with adequately. The Evaluation also looks at the CCO and compliance function’s upward communications with the Board by looking at reporting lines, CCO access to the Board and independence of the compliance function within the organization.
Evaluation No. 2 – Autonomy and Resources for the CCO
This section followed the FCPA Pilot Program Prong 3 on remediation by inquiring into the professionalism and expertise of both the CCO and the compliance function. It also asks about the stature of the CCO and compliance function within the organization, including specifically “compensation levels, rank/title, reporting line, resources, and access to key decision-makers.” It also asks about turnover and promotion opportunities. You need to evaluate the role of compliance in strategic planning and whether the compliance function is truly “empowered” within an organization. This final point will entail documenting any “specific transactions or deals that were stopped, modified, or more closely examined as a result of compliance concerns.” Also echoing the Pilot Program Remediation Prong was an inquiry into funding and dollar resources available to the compliance function. These concepts were taken forward in the new FCPA Corporate Compliance Program.
Evaluation No. 3 – Outsourced Compliance Functions
In a new area of review, the Evaluation considers “outsourced compliance functions” for the first time. It asks the following questions, “Has the company outsourced all or parts of its compliance functions to an external firm or consultant? What has been the rationale for doing so? Who has been involved in the decision to outsource? How has that process been managed (including who oversaw and/or liaised with the external firm/consultant)? What access level does the external firm or consultant have to company information? How has the effectiveness of the outsourced process been assessed?”
Evaluation No. 4 – Policies and Procedures
In the Evaluation’s “Policies and Procedures” section, we see a clear operationalization inquiry requiring evaluation of whom had input into the design of your compliance policies and procedures and the process for drafting, all coupled with consultation with the business units. A compliance practitioner must also look at the specific policies and procedures that may have failed and determine how and why they failed. There are also some inquiries into “gatekeepers, e.g. the persons who issue payments or review approvals” regarding their training and ongoing monitoring.
Evaluation No. 5 – Operational Integration
This section explores who is responsible for integrating your policies and procedures throughout your organization, what internal controls are in place and specific inquiries into the role of the company payment system in any FCPA violation. This last inquiry is combined with a review of your vendor management program going forward.
In Part 2 of A Primer on the DOJ’s “Evaluation of Corporate Compliance Programs,” we will explore items 6 through 11 of the document, including Risk Assessments, Training and Communications, Confidential Reporting and Investigations, Incentives and Disciplinary Measures, Third-Party Controls, and Mergers and Acquisitions.
Tom Fox is the Compliance Evangelist™ and one of the nation’s leading experts on compliance, risk management, and corporate governance. His seminal work “The Complete Compliance Handbook” will be published in April, 2018. He is the founder of the Compliance Podcast Network. He can be reached at firstname.lastname@example.org.
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author.