Authors: Kyle Wombolt, Jeremy Birch and Charlotte Benton
The US Department of Justice Criminal Division (DOJ) has issued updated guidance on the Evaluation of Corporate Compliance Programs (guidance). Under the guidance, DOJ prosecutors evaluate the effectiveness of a company’s compliance programme when conducting an investigation, determining whether to bring charges or negotiating plea or other arrangements.
“Whether in the US, Asia Pacific or elsewhere, the guidance sets out useful prompts for a best practice compliance framework” observes Hong Kong corporate crime and investigations partner, Jeremy Birch. “Given the propensity of regulators to borrow from each other’s procedures and practices, it will also be of interest to companies subject to regulatory scrutiny, investigation or enforcement outside the US, as a benchmark for appropriate remediation and resolution.”
The guidance covers many of the same areas as the previous version, providing additional context to the multifactor analysis of a compliance programme.
Key takeaway: substance over form
Where misconduct occurs, it does not, by itself, mean that a company’s compliance programme was ineffective at the time of the misconduct. The guidance states: “if a compliance program did effectively identify misconduct, including allowing for timely remediation and self-reporting, a prosecutor should view the occurrence as a strong indicator that the compliance program was working effectively.” Today’s regulators scrutinise compliance programmes for how they are monitored, measured and developed over time. A paper programme, which ticks the boxes without real impact, likely will not attract the same credit as one that effectively promotes a sound compliance culture through an outcomes-based approach. The questions raised by the guidance set out a roadmap – rather than a checklist – for compliance practitioners and for advisers in regulatory proceedings alike. The emphasis is on an effective, risk-based compliance programme that minimises the risk of misconduct occurring and, where it does occur, mitigates the potential consequences for the company.
Individualised, risk-based scrutiny
The guidance emphasises that the DOJ does not use a checklist or rigid formula to assess the effectiveness of corporate compliance programmes. Instead, each company’s risk profile and the solutions it has taken to reduce its risks warrant their own, individualised, evaluation.
Notwithstanding this approach, the guidance recognises that there are common questions to ask in the course of making an individualised evaluation of a compliance programme. This is organised under three overarching questions:
(1) Is the compliance programme well-designed?
Prosecutors will examine whether a compliance programme is well-designed and comprehensive, ensuring there is a clear message that misconduct will not be tolerated, and that policies and procedures are in place to integrate the programme into the company’s operations and workforce.
To evaluate the effectiveness of a compliance programme, prosecutors are encouraged to consider factors including:
- Risk assessment: how the company has identified, assessed and defined its risk profile, taking into account the particular types of misconduct most likely to occur in its line of business. Whether the risk assessment is an iterative process and the programme is revised in light of lessons learned.
- Policies and procedures: whether policies and procedures give effect to ethical norms and address the particular risks identified in the risk assessment. The guidance also examines the policy design process, accessibility and communication of policy and who is responsible for integrating policies and procedures.
- Training and communications: whether policies and procedures are integrated through periodic, tailored training, which addresses lessons learned. Whether real-life case studies are used in training and whether anonymised communications are issued when an employee is terminated or disciplined for compliance failures.
- Confidential reporting structure and investigation process: whether there is an efficient and trusted mechanism for anonymous or confidential breach reporting. Whether investigations are properly scoped, independent and conducted in a timely manner and whether and how their outcomes are tracked and recommendations implemented.
(2) Is the compliance programme implemented effectively?
The guidance draws a distinction between a “paper program” and one “implemented, reviewed, and revised, as appropriate, in an effective manner.” To evaluate the effective implementation of a compliance programme, prosecutors are encouraged to consider:
- Commitment by senior and middle management: in line with the increasing scrutiny of the role of managers in enforcing compliance programmes, the guidance asks whether tone is set from the top and what actions are taken, including by middle management, to demonstrate their commitment to compliance.
- Autonomy and resources: whether those responsible for compliance have sufficient seniority and stature within the business, resources (funding and appropriately experienced and qualified staff) and independence from management. Sufficiency is assessed with the size, structure and risk profile of the particular company in mind.
- Incentives and disciplinary measures: whether there are incentives for compliance and disincentives for non-compliance, which are consistently and fairly applied across the organisation.
(3) Does the compliance programme work in practice?
Due to the backward-looking nature of an investigation, the guidance requires prosecutors to evaluate the adequacy and effectiveness of a company’s compliance programme both at the time of the offence and at the time of the charging decision, as well as any remedial efforts.
To evaluate whether a compliance programme works in practice, prosecutors are encouraged to consider:
- Continuous improvement, periodic testing and review: whether the programme has the capacity to improve and evolve, particularly as the implementation of controls in practice reveals areas of risk and potential adjustment. How frequently internal audit undertakes an audit of risk areas and how the company measures its culture of compliance.
- Investigation of misconduct: whether there is a well-functioning and appropriately funded mechanism for timely and thorough investigations, which is properly scoped and conducted by qualified personnel. Whether investigations are used to identify root causes and system vulnerabilities, and the process for responding to investigative findings.
- Analysis and remediation of misconduct: where misconduct does occur, whether there is a thorough root cause analysis and timely and appropriate remediation. Whether a root cause analysis points to systemic issues and control failures, and whether there were prior opportunities to identify the misconduct.
If you would like to discuss your compliance programme in light of the DOJ’s guidance, please contact the authors.