“It’s taking business intelligence and putting it into compliance.” – Jonathan Marks
Late Monday, the Department of Justice (DOJ) without fanfare, released an update to its 2019 Evaluation of Corporate Compliance Programs, the 2019 Guidance. For simplicity this new documents will be called the 2020 Update. The 2020 Update is most welcome news for every Chief Compliance Officer (CCO), compliance professional and corporate compliance program in the US and beyond. The reason is simple; it ends, once and for all, the clarion call for paper compliance programs written by lawyers for lawyers. The DOJ has now articulated what both the business and compliance communities have been learning, that being that compliance is a business process and as a process, it can be measured, managed and, most importantly, improved. Over the next several blogs posts, I will be taking a look at the update and see where it takes corporate compliance programs in 2020 and beyond. Today, I want to review the key themes to see if Jonathan Marks is correct, the 2020 Update really does take business intelligence and put it into compliance.
In the introduction, the DOJ now states, “Because a corporate compliance program must be evaluated in the specific context of a criminal investigation, the Criminal Division does not use any rigid formula to assess the effectiveness of corporate compliance programs. We recognize that each company’s risk profile and solutions to reduce its risks warrant particularized evaluation. Accordingly, we make a reasonable, individualized determination in each case that considers various factors including, but not limited to, the company’s size, industry, geographic footprint, regulatory landscape, and other factors, both internal and external to the company’s operations, that might impact its compliance program.”
This change makes clear that every policy will be evaluated on its own merits. The DOJ lays out some of the factors will it consider but such consideration will be tempered by a reasonableness standard. Borrowing language from the Antitrust Division, the 2020 Update adds that any compliance program under evaluation by the DOJ will be considered both at the time of the offense and at the time of the charging decision and resolution. The significance of this cannot be overstated as now you cannot simply remediate your compliance program and basically ask for forgiveness after the Foreign Corrupt Practices Act (FCPA) violation has occurred. This statement clarifies any confusion generated by the Benczkowski Memo that all you have to do is aggressively remediate and such post-event clean-up will lead to a declination.
Moreover, this point is further driven home by the addition to fundamental question Number 2 that prosecutors are required to ask, “Is the program being applied earnestly and in good faith?“ In other words, is the program adequately resourced and empowered to function effectively? By tying this new language to question Number 2, companies that want to cut back to a paper program and take away the ability of a CCO to effectively do their job will lose the credit going forward as this language clearly references both monetary resources and headcount.
The final addition in the introduction adds the following language, “In any particular case, the topics and questions set forth below may not all be relevant, and others may be more salient given the particular facts at issue and the circumstances of the company.” Here is an important part near and dear to my heart as it clearly equates to Document, Document, and Document. If you make changes to your program; if you lose headcount; if you are not allowed to have the most current tech solution then be prepared to explain why your company cannot do so. The only way to do so is through a clearly articulated business justification, aka a documented. You should plan to take this a step further to document how your solution then fully follows compliance guidance as robust as the 2012 FCPA Guidance, issued by the DOJ and Securities and Exchange Commission (SEC). This section also allows room for creativity and imagination in your compliance program, if you can justify it and there is documentation for it.
From the changes in the tactical information presented in the 2020 Update, it is clear that the DOJ expects a continually evolving compliance program. It once again demonstrates that the days of a paper program are dead. I would parenthetically note, it also separates the DOJ analysis away from the approach in ISO 37001 which is also a paper program approach to compliance. There are multiple references throughout the 2020 Update for using a variety of compliance tools to garner information and then incorporating that information back into your best practices compliance program on an ongoing basis so that your compliance program is a living, breathing program and not a static program dependent on policies and procedures.
Just as a compliance program begins with a risk assessment, your continual improvement continues with your risk assessment, which now needs to move from once every three years to a much more robust time frame. But your risk assessment is much more than simply the starting point of your compliance program. It is the basis of how you design, create, implement and then update your compliance program and also serves as the basis to document the decisions you made and why you made them. The 2020 Update specified, “In short, prosecutors should endeavor to understand why the company has chosen to set up the compliance program the way that it has, and why and how the company’s compliance program has evolved over time.”
But information to update your compliance program comes from more than the risk assessment. You now need to use other information sources to engage in continuous improvement. Your policies should also be a guide to inform your compliance program. Not only should your policies and procedures now be in searchable formats but you must consider which policies are viewed with the most frequency and the attendant questions raised by employees as a part of your information to evolve your compliance regime. The 2020 Update stated, “Does the company track access to various policies and procedures to understand what policies are attracting more attention from relevant employees?”
I began with a quote from Marks about the wedding of business intelligence to a best practices compliance program. After going through these key themes found in the 2020 Update, I am even more convinced Marks was correct. As compliance moves into the second half of 2020 and into the third decade of this century, the 2020 Update may well be seen as a key demarcation where the government demonstrated that properly viewed compliance is more than a business process, it is a business program.
Join me tomorrow where I take a deep dive into the 2020 Update to explore it from a tactical perspective.