Article
DOJ 2020 update to evaluation of corporate compliance programs
Jul 08, 2020 · Authored by
Background
Without any fanfare, the U.S. Department of Justice Criminal Division has once again revised its Evaluation of Corporate Compliance Programs (ECCP). The ECCP remains organized around three overarching questions that prosecutors ask when evaluating compliance programs, with some revisions, which are in bold text below:
- Is the corporation’s compliance program well designed?
- Is the program being applied earnestly and in good faith? In other words, is the program being implemented adequately resourced and empowered to function effectively?
- Does the corporation’s compliance program work in practice?
While most of the document is identical to the 2019 Guidance, there are subtle and noticeable revisions. The updates appear to provide additional clarity when answering the above three questions.
The one new question, “Does the company review and adapt its compliance program based upon lessons learned from its own misconduct and/or that of other companies facing similar risks?” We believe this question accentuates the importance of root cause analysis, places a strong emphasis on business intelligence*, and sets the expectation compliance is a journey.
“Today’s revised guidance on the Evaluation of Corporate Compliance Programs reflects additions based on our own experience and important feedback from the business and compliance communities,” Assistant Attorney General Brian Benczkowski of the Justice Department’s Criminal Division said in a statement. “Although much of the substance of the prior version remains unchanged, the updates we have made are in keeping with our continued efforts as prosecutors to improve our own policies and practices to ensure transparency and the effective and consistent enforcement of our laws.”
The details that help answer the three overarching questions are in three Parts within the ECCP.**
Part I
Discusses various hallmarks of a well-designed compliance program relating to risk assessment, company policies and procedures, training and communications, confidential reporting structure and investigation process, third-party management, and mergers and acquisitions.
Part II
Details the features of effective implementation of a compliance program, including the commitment by senior and middle management, autonomy and resources, and incentives and disciplinary measures.
Part III
Discusses metrics of whether a compliance program is operating effectively, exploring a program’s capacity for continuous improvement, periodic testing, and review, investigation of misconduct, and analysis and remediation of underlying misconduct.
2020 ECCP
The 2020 revision includes updates and clarifying language for each of these parts.
Part I – Is the Corporation’s Compliance Program Well Designed?
The newly issued guidance contains additional questions and clarifying language related to the evaluation of the hallmarks of an effective compliance program, including the following areas:
Risk assessment – The updated version of the guidance places more emphasis on proving the value and effectiveness of the risk assessment process. The DOJ requires more clarity on how the compliance program has evolved and proof that the program is genuinely risk-based. The DOJ seeks more information on the process used to conduct the risk assessment and evidence that companies are allocating resources to the appropriate risks and not only those low-risk areas. Additionally, companies must demonstrate their efforts to align the results of the risk assessment with company policies, procedures, and controls and take measures to monitor and track these risks to ensure they are appropriately mitigated.
Policies and procedures– Any well-designed compliance program entails policies and procedures that give both content and effect to ethical norms and that address and aim to reduce risks identified by the company as part of its risk assessment process. The updated guidance requires companies to issue policies that are risk-based and incorporate the culture of the company. Companies must also take steps to elevate awareness and ensure the accessibility of these policies. The guidance also encourages companies to provide proper risk-based training for gatekeepers since they play a unique role in deterring and detecting compliance failures impacting the company.
Training and communications – Prosecutors are encouraged to assess the steps taken by the company to ensure that policies and procedures are integrated into the company, including through periodic training and certification for all directors, officers, relevant employees, and, where appropriate, agents and business partners. The updated guidance requires companies to demonstrate strong efforts to communicate the elements of the compliance program through risk-based, targeted training, and awareness. The training must consider the roles and responsibilities of attendees and include relevant content, which consists of a reflection of prior events, findings of a root cause analysis, and case studies to highlight lessons learned. This consists of a discussion of disciplinary actions taken and remedial efforts for substantiated cases of fraud and misconduct. The DOJ asked companies to test the employee’s knowledge of the content and assess the effectiveness of the training, and to seek ways to conduct the training using techniques that permit employees to ask questions and interact with the trainer.
Regarding the form, content, and effectiveness of the training, new questions added direct prosecutors to ask the following:
- “Whether online or in-person, is there a process by which employees can ask questions arising out of the trainings?”; and,
- "Has the company evaluated the extent to which the training has an impact on employee behavior or operations?”
Confidential Reporting – All companies should implement an efficient and trusted mechanism by which employees can anonymously or confidentially report allegations of a breach of the company’s code of conduct, company policies, or suspected or actual misconduct. Additionally, prosecutors are encouraged to evaluate the process used to investigate these complaints. The June guidance elevates expectations for testing the awareness and tracking the results of these processes. There is also an additional requirement of assessing the results of investigations to uncover trends or patterns of misconduct and include the results of this analysis in other parts of the compliance program. If employees are not comfortable using the reporting system, it is essentially useless. The periodic tracking of an allegation from triage through the issuance of a final report and radiation of the compliant provides evidence of the effectiveness/ineffectiveness of the program.
Third-Party Risk Management – A well-designed compliance program should apply risk-based due diligence to its third- party relationships. Prosecutors should assess the extent to which the company has an understanding of the qualifications and associations of third-party partners, including the agents, consultants, and distributors that are commonly used to conceal misconduct, such as the payment of bribes to foreign officials in international business transactions. The 2020 ECCP requires companies to provide more rigor around this process since many compliance failures involve the use of third parties. Companies should track substantiated instances of misconduct and determine if third parties were involved in the matter. Additionally, the company should be prepared to explain the business rationale for choosing to use third parties and also provide them with training and incentives to demonstrate compliant and ethical behavior. Third parties must become a part of the company’s ongoing risk management process, and efforts must be made to review third party transactions for unusual or inappropriate activity continuously. The risk management of third parties must occur throughout the lifespan of the relationship and not primarily during the onboarding process.
Mergers & Acquisitions (M&As) – An effective compliance program should include comprehensive due diligence of any acquisition targets. Pre-acquisition due diligence, as well as a process for timely and orderly integration of the acquired entity into existing compliance program structures and internal controls, is essential. Due diligence enables the acquiring company to evaluate more accurately each target’s value and negotiate for the costs of any corruption or misconduct to be owned by the target. Flawed or incomplete pre- or post-acquisition due diligence and integration can allow misconduct to continue at the target company, causing harm to a business’s profitability and reputation and risking civil and criminal liability. Therefore companies must demonstrate their M&A due diligence efforts and document the steps they took as well as the response plan and approach for addressing any red flags uncovered during the due diligence.
Part II. Is the Corporation’s Compliance Program Adequately Resourced and Empowered to Function Effectively?
Autonomy and Resources – New questions in this section include: “What are the reasons for the structural choices the company has made?” and, regarding experience and qualifications, “How does the company invest in further training and development of the compliance and other control personnel?
Data Resources and Access – This language is new to the ECCP. Do compliance and control personnel have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls, and transactions? Do any impediments exist that limit access to relevant sources of data, and, if so, what is the company doing to address the impediments?
Part III. Does the corporation’s compliance program work in practice?
Evolving Updates – The 2020 ECCP stresses the “lessons learned” eight (8) times as it pertains to the evolution of a compliance program. One new question is, “Does the company review and adapt its compliance program based upon lessons learned from its own misconduct and/or that of other companies facing similar risks?”
Board
The Board of Directors should read and understand the ECCP carefully. Although its eyes open, nose in, and hands-off, that does mean the Board should be stepping on, not in, management shoes when appropriate to see if they are awake and taking all reasonable steps to ensure the compliance program is designed appropriately, is effective, and evolving.
At a minimum, the Board should be able to answer the following question: Has our company made the compliance department a priority by providing it with the necessary, funding, staffing, and authority to perform its function effectively?
Specifically,
- Does our company create and foster a culture of ethics and compliance with the law at all levels of the company?
- Do we support and genuinely have a high-level commitment to implement and sustain a culture of compliance from the middle and the top of the company?
- Does management update its risk assessment when there are changes or events inside and outside the company?
- Is the company’s compliance function adequately resourced and empowered to function effectively?
- Is there a move towards integrated risk management?
- Are we using feedback and lesson learned to enhance compliance?
Lastly, the Board should add compliance to its agenda, if it’s not already there. The Board should document the key changes to the compliance program in the minutes. The board minutes then become evidence if there’s ever a question about the evolution of the compliance program.
Internal Controls – Practice Pointer
I think this is a perfect time to document your compliance controls, much like many of us have done with anti-fraud controls. This exercise should also include an independent review of those controls to ensure they are designed appropriately to meet the objectives. After reviewing and possibly enhancing the controls, revisit the appropriate policies and procedures, and make necessary changes or enhancements to them. Once this exercise is completed, Compliance should work with internal audit and have them test those controls for effectiveness, which will help in the overall monitoring initiative.
An “internal control” is an action or a process of interlocking activities designed to support the policies and procedures detailing the specific preventive, detective, corrective, directive, and corroborative actions required to achieve the desired process outcomes or the objective(s). This, along with on-going/continuous monitoring and training reasonably assures:
- The achievement of the process objectives linked to the organization’s objectives;
- Operational effectiveness and efficiency;
- Reliable (complete and accurate) books and records (financial reporting);
- Compliance with laws, regulations, and policies;
- The reduction of risk: fraud, waste, and abuse; which,
Aids in the decline of process and policy variations leading to more predictive outcomes.
Closing
Many years ago, the Federal Sentencing Guidelines for Organizations provided the elements of a compliance program; the 2017 ECCP outlined what prosecutors should be looking for; the 2019 ECCP included the elements to make sure the compliance program is effective, and the 2020 ECCP has evolved and emphasizes the compliance program being risk-based and operationalized.
In essence, having a compliance program is not enough; it must be continuously evaluated and revised accordingly (regularly) using business intelligence, including lessons learned! This is a step towards Enterprise Resiliency, which can be defined as an organization’s capacity to anticipate (by monitoring), react, and adapt to changes and new risks, not only to survive but also to evolve. In summary, compliance needs to be proactive. Specifically, it needs to be a dynamic, continually adapting process.
Lastly, the DOJ is expecting organizational justice. Failure to consistently and timely discipline wrongdoing is an excellent way to destroy a culture.
We welcome your thoughts and suggestions. Baker Tilly is here to assist. Please contact us with any questions you have.