The release of updated compliance guidance by the Department of Justice on April 30, coupled with clarifying remarks from Assistant Attorney General Brian A. Benczkowski, makes clear companies still have a lot of work to do to validate and strengthen their compliance programs, particularly if they want to receive reduced fines, penalties, and less strict compliance obligations (like a monitor or other reporting obligations) resulting from a government investigation.
Despite what’s been written about the updated guidance, companies and their counsel might be left wondering what practical steps to take to ensure their compliance program will pass DOJ muster.
To get started, below are four new themes and several tips for addressing some of the DOJ’s new questions about designing, implementing, and enhancing an effective compliance program.
Focus on These Four New Themes
Substantially similar to the 2017 compliance framework, the updated guidance adds a new theme—investigation of misconduct—to the existing 11 focus areas, with additional detail on how to test the strength of all 12 factors.
Below are four key themes where companies and their counsel should pay the closest attention.
1. Beyond Risk Assessment. It is no longer enough simply to complete a risk assessment. Companies must be able to tie their response to the risk assessment and defend how they responded to the identified risks, including the resources and controls applied. Five questions were added that focus on the funding of reporting and investigating mechanisms and on whether the compliance function is appropriately staffed and resourced, including whether those responsible for compliance have adequate resources to audit the effectiveness of the compliance program.
2. Reporting Structure and Investigation Process. The DOJ added eight questions for testing the investigation process, which address the existence and sufficiency of a whistleblower hotline, investigations of red flags, the expertise of investigators, and how the outcomes of investigations are tracked and analyzed.
3. Testing the Effectiveness of Training. Five new risk-based training questions were added, including how trainings are conducted, whether lessons from prior compliance incidents have been addressed and understood by employees (as demonstrated through testing), and how companies handled employees who failed that testing. Case studies based on real-life improper activity are also recommended, to ensure employees are properly trained to identify similar misconduct in the company.
4. Validating a Corporation’s Compliance Program Works in Practice. There are seven questions calling attention to the need for “continuous improvement, periodic testing and review” of the existing compliance program, the “investigation of misconduct” when fraudulent activity is detected, and the “analysis and remediation of any underlying misconduct” to ensure a company’s compliance program is constantly evolving.
How to Satisfy Updated Compliance Guidance
Clearly, the DOJ will further scrutinize the effectiveness of compliance programs, not just their existence, in future investigations, potentially imposing harsher punishments and fines for companies failing to meet governmental expectations. Therefore, this is an opportunity for companies to try to prevent misconduct from happening in the first place to avoid financial penalties, lengthy investigations, and the risk of the appointment of a monitor.
You must also ask how your compliance program measures against the amended guidance.
Act now, and document your work. Below are some simple tips related to the new themes to test, validate, and audit a compliance program.
1. Beyond Risk Assessment. Review risk assessments and compare key metrics (e.g., number of existing resources, allocation of resources, budget) against risk levels, and, if necessary, reallocate resources to higher-risk areas. Also review which aspects of the compliance program have been audited for effectiveness, and develop a roadmap to integrate neglected areas into upcoming audit planning. Document your work.
2. Reporting Structure and Investigation Process. Analyze data and metrics from reporting mechanisms (e.g., length of time to close investigations, types of allegations, business unit/function/region involved in allegation) and compare to the risk assessment. Develop a remediation and auditing/monitoring plan to address patterns of misconduct and other control weaknesses. Document your work.
3. Testing the Effectiveness of Training. Review training programs for the high-risk areas identified in the risk assessment. Identify the means used to conduct training (e.g., online, in-person, case studies) and the pass/fail metrics, and develop a plan to enhance the effectiveness of the training. Document your work.
The DOJ guidance makes clear that companies must implement a risk-based approach to evaluate the design of their compliance program and test its operating effectiveness, both as individual components and holistically as a single program.
Companies that regularly test (and document) all of their compliance program’s elements, tackle the DOJ’s new questions, and implement the tips above will be better positioned to face a government investigation and ensure they meet the DOJ’s expectations.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
Michele Edwards is a partner based in StoneTurn’s Chicago office and specializes in assessing, implementing and remediating antifraud and compliance programs, including as part of corporate compliance monitorships, fraud risk assessments, fraud and compliance training, fraud detection and forensic investigations.
Stephen Martin is a partner based in StoneTurn’s Denver office and works with companies across the globe in the areas of compliance & monitoring, risk assessment and corporate internal investigations, often in connection with regulatory inquiries.