Is Your Compliance Program More than a Paper Program? DOJ Issues Revised Guidance for Evaluating Corporate Compliance Programs
On June 1, 2020, the Department of Justice (“DOJ”) issued an updated version of its “Evaluation of Corporate Compliance Programs” (the “DOJ Guidance”), available here. The DOJ Guidance is an update to guidance first issued by the DOJ in February 2017 (which we described in our prior blog post), and was last updated by the DOJ in April 2019. Although the DOJ Guidance is directed to prosecutors, it is a useful roadmap for corporations in seeking to ensure their compliance program is effectively preventing, detecting and responding to improper conduct, and is not a program on paper only.
The DOJ Guidance is intended to be used by prosecutors to assist them “in making informed decisions as to whether, and to what extent, [a] corporation’s compliance program was effective at the time of [an] offense, and is effective at the time of a charging decision or resolution, for purposes of determining the appropriate (1) form of any resolution or prosecution; (2) monetary penalty, if any; and (3) compliance obligations contained in any corporate criminal resolution (e.g., monitorship or reporting obligations).” Thus, in the event that there is an investigation into alleged improper conduct, having a compliance program that operates in line with the DOJ Guidance may lead to a more favorable resolution than there otherwise would be.
The DOJ Guidance notes that there are three “fundamental questions” a prosecutor should ask when evaluating compliance programs:
- Is the corporation’s compliance program well designed?
- Is the program being applied earnestly and in good faith? In other words, is the program adequately resourced and empowered to function effectively?
- Does the corporation’s compliance program work in practice?
The DOJ Guidance sets forth a number of sample topics under the heading of each of the three questions listed above, which it says are not a checklist or formula, but are the topics “that the Criminal Division has frequently found relevant in evaluating a corporate compliance program both at the time of the offense and at the time of the charging decision and resolution.” The DOJ Guidance emphasizes the importance of a compliance program being not merely a “paper program,” but rather one that is “implemented, reviewed, and revised, as appropriate, in an effective manner.”
The most recent updates to the DOJ Guidance reflect the DOJ’s increased focus of taking a functional and dynamic approach to evaluating the effectiveness of a company’s compliance program. The revisions explain new factors prosecutors may consider in the areas of risk assessment, policies and procedures, training and communications, mergers and acquisitions, and more in their assessment of corporate compliance programs. Organizations should use the DOJ Guidance, including a consideration of these new factors, when evaluating the effectiveness of their compliance program.
Key revisions to the DOJ Guidance are summarized below.
Risk Assessments. The DOJ Guidance directs prosecutors to consider whether a company has “a process for tracking and incorporating into its periodic risk assessment lessons learned either from the company’s own prior issues or from those of other companies operating in the same industry and/or geographical region.” Prosecutors are also instructed to evaluate whether a company takes a continuous assessment approach to compliance review and updates, as opposed to a “snapshot-in-time” approach. Thus, it is imperative that compliance teams at an organization perform regular assessments, stay up-to-date on compliance problems, and incorporate lessons learned into the risk assessment process.
Policies and Procedures. The DOJ Guidance continues to emphasize the importance of adequately communicating compliance policies and procedures throughout the company. The update includes two new questions related to the accessibility of policies and procedures: “Have the policies and procedures been published in a searchable format for easy reference?” and “Does the company track access to various policies and procedures to understand what policies are attracting more attention from relevant employees?”
Training and Communications. New questions in the DOJ Guidance instruct prosecutors to evaluate whether a company is evaluating the effect of its training program on employee behavior or operations. Additionally, the DOJ will be assessing whether employees have opportunities to ask questions and whether the company overall has “relayed information in a manner tailored to the audience’s size, sophistication, or subject-matter expertise.”
Confidential Reporting. The revisions also address confidential employee hotlines and other reporting mechanisms. Prosecutors will assess whether confidential reporting mechanisms are publicized both to employees and third parties, and whether a company is periodically testing the mechanism’s effectiveness.
Third-Party Management. The DOJ Guidance adds a new question about a company’s management of third-party relationships: is risk assessment conducted only during the onboarding process or throughout the lifespan of the engagement?
Mergers and Acquisitions. The DOJ has always considered comprehensive due diligence of acquisition targets to be an important part of a compliance program. The recent revisions to the DOJ Guidance, however, recognize that pre-acquisition due diligence may not always be possible. Where such pre-acquisition diligence is not conducted, the DOJ Guidance indicates that a company should have a legitimate reason for not conducting it, and that the company should conduct post-acquisition diligence and audits. In addition, an acquired entity should always be timely integrated into a company’s existing compliance program structure.
Compliance Resources. Adequate resources are essential for effective implementation of a compliance program. The DOJ Guidance instructs prosecutors to ask whether a company’s compliance program is “adequately resourced and empowered to function effectively.” Companies should continue to invest in the training and development of personnel and in the compliance program more broadly, throughout all levels of the organization.
* * *
Overall, the revised DOJ Guidance affirms previous guidance and stresses that compliance programs should be well-resourced, dynamic, and tailored to a company’s unique size, structure, and needs. The DOJ Guidance also serves as a reminder that even in the midst of a global pandemic, the compliance function of an organization must remain robust and ever-adapting. Healthcare organizations should use the DOJ Guidance and other existing resources to thoughtfully design, assess, and revise their compliance programs.
Dorsey attorneys have substantial experience with assisting health industry clients in implementing compliance programs following the elements of an effective compliance program from the Department of Health and Human Services Office of Inspector General, in updating compliance programs, and in evaluating the effectiveness of existing compliance programs in line with the DOJ Guidance and other guidance. For assistance with your organization’s compliance program, please contact the authors or your regular Dorsey attorney.