This summer, the Department of Justice issued an updated Evaluation of Corporate Compliance Programs document (the “Guidelines”). The Guidelines provide factors and questions for federal prosecutors to consider when investigating a company, determining whether to bring charges, and negotiating a potential plea agreement.

While the changes included in the Guidelines offer specific guidance discussed in greater detail below, the Guidelines:

• take a more comprehensive approach to evaluating corporate compliance programs rather than focusing on a checklist of policies or actions; and
• suggest companies should focus their efforts and resources on implementing an effective and comprehensive compliance policy for issues that are relevant to their business and structure.

Design of the Compliance Program

The Guidelines encourage prosecutors to better understand the structure of a company’s compliance program by asking “why,” i.e., “why the company has chosen to set up the compliance program the way that it has, and why and how the company’s compliance program has evolved over time.”

With respect to third-party management, the Guidelines suggest that the question of “why” may be as relevant as “whether” a company conducted risk-based due diligence of third parties. Prosecutors should consider the “need for” a company’s risk-based due diligence of its third parties “based on the size and nature of the company or transaction.” And, with respect to mergers and acquisitions (“M&A”), the Guidelines suggest that when a company claims that pre-M&A due diligence was not possible, prosecutors should ask “why not” and assess any post-acquisition audit efforts.

Companies should, therefore, consider these “why” questions when designing their compliance programs.

Companies should make internal data analysis and implementation a focus when designing their compliance programs, as the Guidelines now encourage prosecutors to:

• distinguish between a review “limited to a ‘snapshot’ in time” versus one “based upon continuous access to operational data and information across functions;”
• examine not only if there have been updates to policies, but if any updates are the result of lessons learned from periodic review; and
• assess whether a company has identified and incorporated lessons from internal issues as well as issues from third parties in the same industry or geographical region.

Similarly, the Guidelines encourage companies to design their compliance programs with more sophisticated training programs, distinguishing a training program that has been administered uniformly from one tailored to the “audience’s size, sophistication, or subject matter expertise.” The Guidelines cite, as an example, companies that have “invested in shorter, more targeted training sessions to enable employees to timely identify and raise issues to appropriate compliance, internal audit, or other risk management functions.”

In addition, when examining the form, content, and effectiveness of training, the Guidelines suggest consideration of:

• “Whether online or in-person, is there a process by which employees can ask questions arising from the trainings?”
• “How has the company addressed employees who fail all or a portion of the testing?”
• “Has the company evaluated the extent to which the training has an impact on employee behavior or operations?”

According to the Guidelines, companies should design their compliance programs so that third-party due diligence will be more robust. Companies should also design their compliance programs to ensure continuous engagement of risk management of third parties, extending its third-party due diligence beyond the onboarding process. Thus, post-onboarding, companies should provide relevant third parties access to easily searchable company policies as well as company-wide reporting functions, such as a reporting hotline.

Implementation

Rather than focusing on the mere existence of a corporate compliance program, the Guidelines focus on whether the compliance program is adequately resourced and empowered to function effectively. This provides clearer, but also more rigorous, guidance as to what “effective implementation” looks like.

To meet these more specific standards, a compliance program should have dedicated staff, or access to external resources, and enough funding to be able to function effectively.

The updated Guidelines also require a culture of compliance “at all levels,” stressing the importance of creating a company-wide awareness and compliance. One factor that can help contribute to a culture of compliance is to establish continued training and development of compliance personnel.

The Guidelines further stress the importance of compliance personnel’s access to relevant data in order to act quickly and effectively. This reflects the importance of creating a program that is considerate of, and responsive to, risks that are specific to the company. In order to work effectively, compliance and control personnel should have access to any relevant data.

Compliance Program in Practice

In order to be effective, a company should review its compliance policies in response to identified hypothetical risks of misconduct or the misconduct of similarly situated companies.

Companies cannot merely rely on their existing program because they have not had any significant issues; they must be aware of and responsive to internal and external risks. Specifically, the Guidelines ask whether a company has adapted its compliance program based on “lessons learned.” Monitoring actions against similarly situated companies can help a company be aware of potential risk and update its policy accordingly.