The U.S. Department of Justice (DOJ) recently updated its guidance for federal prosecutors, “Evaluation of Corporate Compliance Programs.” Reading its renewed emphasis on data, I was reminded of how valuable this document is for compliance leaders and legal teams as they evaluate their own compliance programs.
The main purpose of the updated guidance is to assist prosecutors as they investigate a corporation’s compliance program after an incident has occurred. But it can also help us, as legal and compliance professionals, to find and address faults and weaknesses in our own business processes. I’ve never met anyone who said, “my compliance program is perfect,” so let’s use this document to be the best we can.
No Compliance Program Will Ever Be Perfect
It’s important to begin by saying no organization will ever achieve perfect compliance—that’s an impractical goal. Shifts in business models, consumer preferences, competition, regulations, and social trends are enough to continuously introduce new risk factors—internally and externally. Something is bound to go wrong at some point.
This isn’t meant to be pessimistic; people make mistakes, and compliance breaches are more common than you might think. In 2019, for example, the health-care industry alone saw 418 total HIPAA compliance breaches and 1.4 data breaches of 500 or more records per day. It’s not a question of “if,” but “when,” a company trips up on a compliance issue.
When an issue inevitably arises and your business is evaluated, it’s important to show, with clear data, that your business did everything commercially reasonable to identify and mitigate the risk in question.
Prosecutors will not evaluate your compliance program only as it stood at the time of the misconduct: they will also consider what was in place before and after. Be prepared to prove that you had an effective process in place prior to the incident, and that you improved it afterward to reflect lessons learned. In essence, prosecutors are willing to consider good intent and effort, but the data has to prove it.
By using these guidelines, you can determine whether your compliance program meets the DOJ’s current standards and, where it does not, build a more effective one.
Leveraging the Guidance
The DOJ has very clearly outlined its considerations for prosecutors across 20 pages of content. The guidance poses three fundamental questions and numerous sub-factors to consider, each of which puts a strong emphasis on data. Without evaluating every detail of the document, or providing a list of the data you’ll need (which Matt Kelly, CEO of Radical Compliance, has already done in this blog post), I’d like to briefly highlight how you can use the guidance for your company’s benefit.
First, let’s set the expectation that evaluating your program will take time. Answering the first question alone, which delves deep into compliance management processes such as risk assessment, could take months. Begin by reading through the guidance, and create a task list for yourself and the other stakeholders who will need to respond.
Digging Into the Evaluation
Let’s explore the first section of the guidance, which asks: “Is the corporation’s compliance program well designed?” The answer, of course, is not a simple “yes” or “no.” It’s a loaded question, and much more complex.
The DOJ has identified six areas to consider when evaluating whether a program can adequately prevent, detect, and correct misconduct: (1) risk assessment, (2) policies and procedures, (3) training and communications, (4) the confidential reporting structure and investigation process, (5) third-party management, and (6) mergers and acquisitions.
To analyze your own program’s design and effectiveness, walk through those six areas and the questions posed under each. For each question you will either respond confidently, need additional input from other stakeholders, or immediately become aware that your processes need work.
Take, for example, the first area, which evaluates whether your company has appropriate risk assessments in place and can back them with data. In this part of the evaluation, prosecutors will ask questions such as:
- What methodology has the company used to identify, analyze, and address the particular risks it faces?
- What information or metrics has the company collected and used to help detect the type of misconduct in question?
- How have the information or metrics informed the company’s compliance program?
How would you have done in this portion of the investigation? Do you manage your compliance-related data well enough to answer these questions? If you wavered in your responses, or are concerned about your ability to pull compliance-related metrics at all, let me raise a red flag. As I’ve alluded to, data is a critical component of how prosecutors evaluate this section.
Manage Data to Achieve Compliance
The U.S. Justice Department consistently emphasizes the need for data in effectively managing compliance programs. If you’re not sure why you struggled to answer the questions above, consider your toolkit. Have you implemented technologies such as hotline reporting systems and integrated risk management tools?
Hotline reporting systems, for example, can capture and track the investigation of ethics and compliance reports across an entire organization (including third parties) in one centralized database. Integrated risk management tools can enable legal teams and compliance officers to identify and address risk and compliance concerns, also from a centralized system. With that data centralized, answering the DOJ’s questions, and your own, becomes straightforward.
Equipped with data, compliance officers, legal teams, and executives can confidently read through the DOJ’s evaluation guidance and quickly determine whether they have new risks that need tending. Using the guidelines, you will not only establish a compliance program that can withstand an investigation, but also feel confident that you have created the best possible compliance program for your company and its stakeholders.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
Shon Ramey is general counsel of NAVEX Global where he is responsible for the legal department and provides direction and oversight to the human resources and global privacy functions. During his more than 25 years of practicing law, he has managed corporate law departments, counseled multi-national corporations on transactional and compliance matters, served as general counsel for various publicly traded and private companies, and been a partner or senior counsel in some of the world’s largest law firms, including Baker & McKenzie and SNR Denton (now Dentons).