Since DOJ hired Hui Chen, its corporate compliance expert, in November 2015, rumors have circulated that DOJ intended to release a list of questions to ask every company that comes into DOJ to explain the effectiveness of its compliance policy.
The wait is finally over. On February 8, 2017, the Fraud Section of DOJ’s Criminal Division published its Evaluation of Corporate Compliance Programs. While recognizing that there is no “one size fits all” compliance program, DOJ notes that there are “common questions that we may ask in making an individualized determination in assessing a corporate compliance program.” DOJ has made clear that “the topics and questions below form neither a checklist nor a formula.” Nevertheless, a review of these sample topics and questions is informative for all corporate compliance professionals.
- Analysis and Remediation of Underlying Misconduct. This should include an assessment of the root cause of the misconduct, whether there were prior indications of the misconduct, and what was done to reduce the risk that the same thing will happen again. Were there contributing causes or missed warning signs, and what was done to address them?
- Senior and Middle Management. Culture and “tone at the top” are critical to an effective compliance program. These topics make clear that the same expectations apply to the Board and to “middle management.” Oversight is also addressed, specifically whether the Board has exercised oversight of the compliance and control functions.
- Autonomy and Resources. This topic includes the stature of the compliance function, the experience and qualifications of compliance personnel, autonomy of reporting, empowerment of compliance personnel, funding and resources, and whether compliance was outsourced. Notably, the stature sub-topic asks specifically what role compliance has played in the company’s overall strategic decisions and whether there has been turnover in the compliance department. Note also that OIG has officially stated that compliance should not report to legal or finance. See “Measuring Compliance Program Effectiveness: A Resource Guide,” HCCA-OIG Compliance Effectiveness Roundtable Meeting: January 17, 2017. DOJ has not gone so far as to adopt the OIG recommendation, but the fact that this topic addresses reporting structure indicates that reporting structure is a consideration.
- Policies and Procedures. This topic has two sub-parts: design and accessibility, and operational integration. It focuses on how policies and procedures are designed, implemented, enforced and made available to employees, how the policies are integrated into the business, and whether the policies actually prevented misconduct. Note that DOJ specifically included vendor management in this factor (discussed in more detail under Third Party Management below). It can be worse to have a policy that isn’t followed than to have no policy at all. You must know what your policies say and make sure you aren’t failing to meet your own standards.
- Risk Assessment. While not one of the seven enumerated elements of an effective compliance program in the Sentencing Guidelines, risk assessment is a separate DOJ topic: how were the risks assessed, and did the policies account for the risks identified? Risk assessment should thread throughout your entire compliance program.
- Training and Communications. Does your training appropriately address the risks identified? How effective is the training program? Each company will have a different training approach, but consider conducting some live training and make sure that ALL employees participate. Executives and Board members are not exempt. DOJ will also consider senior management’s actions in informing employees about the company’s position on misconduct, and the resources made available to employees seeking guidance on compliance policies.
- Confidential Reporting and Investigation. How well did the reporting mechanism work, and how thorough was the investigation? Moreover, what was the company’s response to the investigation? While not specifically mentioned here, this will include the individual accountability analysis called for by the Yates Memo.
- Incentives and Disciplinary Measures. How are violations of the compliance program disciplined? Specifically, was the discipline consistent, was it applied to all individuals involved, and who made the decision? Further, are employees incentivized, either positively or negatively, to follow compliance procedures and to behave ethically?
- Continuous Improvement - Periodic Testing and Review. Bottom line, compliance is not static. You should consider whether internal audit looked at the area of the misconduct, whether the misconduct was caught, and whether the audit findings were reported to management and the Board. Are you proactively auditing your controls and updating all of your policies and risk assessments on a regular basis?
- Third Party Management. Don’t forget about third parties! Compliance does not stop at the front doors of your company. You must also consider the actions of your third parties, including risk assessments, implementing appropriate controls, managing relationships with third parties, and whether there are real actions and consequences when a third party falls short.
- Mergers and Acquisitions. Consider whether the misconduct was identified during due diligence and, if so, how. Is compliance being built into the M&A process, and what lessons were learned from implementing compliance policies and procedures at the merged or acquired company?

DOJ has repeatedly stated that it is not enough to simply have a corporate compliance program; the program must be effective. If called upon by DOJ or another government entity, you must also be able to prove the effectiveness of your program.