DOJ Issues Updated Guidance on Evaluating Corporate Compliance Programs
On April 30, 2019, the Criminal Division of the U.S. Department of Justice (DOJ) issued updated guidance on the "Evaluation of Corporate Compliance Programs" (Updated Evaluation Guidance) intended to "assist prosecutors in making informed decisions as to whether, and to what extent, [a] corporation's compliance program was effective at the time of the offense, and is effective at the time of a charging decision or resolution, for purposes of determining the appropriate (1) form of any resolution or prosecution; (2) monetary penalty, if any; and (3) compliance obligations contained in any corporate criminal resolution (e.g., monitorship or reporting obligations)." As with past guidance issued by the DOJ, the Updated Evaluation Guidance does not establish a "rigid formula" or a mandatory set of questions to be asked. Instead, the Updated Evaluation Guidance offers useful insights for companies regarding the DOJ's views on the design and operation of their compliance programs.
The Updated Evaluation Guidance incorporates much of the same content included in the guidance document with the same name issued in February 2017 (2017 Evaluation Guidance). However, the Updated Evaluation Guidance, which was issued by the Criminal Division as part of the DOJ's previously announced plan to provide additional training and guidance to prosecutors regarding the characteristics of effective corporate compliance programs, is intended to serve as more of a stand-alone document for prosecutors. To that end, while the Updated Evaluation Guidance retains the older document's question-and-answer format, the document has been reorganized to include 12 topic areas (instead of the 11 hallmarks that appear in the 2017 Evaluation Guidance). In addition, the Updated Evaluation Guidance provides more context for each of the topics covered, including short introductions explaining each topic's relevance and, in some cases, quotes from the Justice Manual and the U.S. Sentencing Guidelines.
The Updated Evaluation Guidance's 12 topics are grouped to track the three core questions about compliance program effectiveness contained in Section 9-28.800 of the Justice Manual:
1. "Is the corporation's compliance program well designed?"
- Topics covered include: Risk Assessment; Policies and Procedures; Training and Communications; Confidential Reporting Structure and Investigation Process; Third Party Management; and Mergers and Acquisitions.
2. "'Is the program being applied earnestly and in good faith?' In other words, is the program being implemented effectively?"
- Topics covered include: Commitment by Senior and Middle Management; Autonomy and Resources; and Incentives and Disciplinary Measures.
3. "'Does the corporation's compliance program work' in practice"?
- Topics covered include: Continuous Improvement, Periodic Testing, and Review; Investigation of Misconduct; and Analysis and Remediation of Any Underlying Misconduct.
- A More Holistic Evaluation Approach. Whereas the 2017 Evaluation Guidance included questions tilted towards a retrospective analysis of the specific misconduct at issue and the corresponding program issues, the Updated Evaluation Guidance applies a broader lens that first seeks to capture the company's general approach to compliance, and then to focus in on how the program did or did not work in connection with the alleged misconduct under investigation.
- Emphasis on Decision-Making Rationale. The Updated Evaluation Guidance includes several new questions prompting prosecutors to inquire about a company's rationale for decision-making related to the design and implementation of its compliance program—both broadly and at a more detailed level. For example, the "Continuous Improvement, Periodic Testing, and Review" section prompts prosecutors to inquire not only if internal audits occurred, but also as to the company's rationale supporting its process for determining where and how frequently audits occurred. Language included in the "Autonomy and Resources" section related to whether compliance personnel have non-compliance responsibilities drives at the same point. The inquiries do not preclude a company from choosing a particular course, but rather, suggest that a company should be prepared to defend rationales that informed program design and resource allocations.
- A Focus On Program Integration. The Updated Evaluation Guidance prompts prosecutors not only to determine if certain elements of the program exist, but also how they work in concert with other components of the program and are integrated into the day-to-day rhythms of the company. For example, the Updated Evaluation Guidance not only references the importance of having comprehensive policies and procedures, but also prompts prosecutors to ask how the policies and procedures are reinforced through a company's internal control systems.
- Operationalizing Continuous Improvement. Across various sections, the Updated Evaluation Guidance prompts prosecutors to evaluate how a company measures program effectiveness. For example, the document emphasizes in several places the importance of capturing and tracking data to analyze trends and missed opportunities. Also, additional explanatory text encourages prosecutors to go beyond simply asking if a program and its elements are effective, and instead prompts them to ask how such effectiveness is measured in practice. For example, the updated "Training and Communications" section prompts prosecutors to ask how training effectiveness is measured and improved. In the context of "Continuous Improvement, Periodic Testing, and Review," the Updated Evaluation Guidance prompts prosecutors to inquire how and how often the company's compliance culture is measured and how that analysis is used to inform the continuous improvement of the company's program.
Notable Topic-Specific Updates
- Risk Assessment as the Starting Point. The section on "Risk Assessment" was moved to be first of the 12 topics addressed in the Updated Evaluation Guidance (it was the fifth topic addressed in the 2017 Evaluation Guidance). Recognizing the current state of practice among many companies and outside compliance professionals, the Updated Evaluation Guidance emphasizes that the "starting point for a prosecutor's evaluation of whether a company has a well-designed compliance program is to understand the company's business from a commercial perspective, how the company has identified, assessed, and defined its risk profile and the degree to which the program devotes appropriate scrutiny and resources to the spectrum of risks." Notably, the Updated Evaluation Guidance does not mention "manifested risks" (a focus in the earlier guidance document) but instead highlights the importance of "risk-tailored resource allocation" (i.e., "Does the company devote a disproportionate amount of time to policing low-risk areas instead of high-risk areas[…]?"), as well as the importance of updates and revisions to a company's risk assessment and policies and procedures "in light of lessons learned." Companies can expect prosecutors to spend more time understanding how risk assessments informed resource allocations, and to scrutinize those decisions. Of course, a company can rightly hope that this line of questioning may in some cases lead DOJ to determine that a specific incident of misconduct in one area does not render the compliance program ineffective or poorly designed.
- Additional Guidance Related to Reporting Mechanisms and Investigation Response. The Updated Evaluation Guidance includes a twelfth topic by splitting the earlier guidance's "Confidential Reporting and Investigation" element into two separate sections—"Confidential Reporting Structure and Investigation Process" and "Investigation of Misconduct." The Updated Evaluation Guidance includes new questions as to whether the company has established and publicized an anonymous reporting mechanism, underscoring the DOJ's concerns regarding retaliation against reporting of compliance issues. In addition, the Updated Evaluation Guidance includes new inquiries related to the timing and quality of the company's responsiveness to the results of investigations and the remediation of identified issues. It also underscores the importance of tracking and learning from investigation results (consistent with the Updated Evaluation Guidance's more general theme of capturing and tracking data to inform continuous improvement).
- Emphasis on Proactive Justification of Business Rationales for Third Parties. The 2017 Evaluation Guidance included a question related to retroactively reviewing the business rationale for the use of third parties in question in the investigation; the Updated Evaluation Guidance's section on "Third Party Management" assesses how the company ensures appropriate business rationales for the use of third parties, more generally. These questions evidence the view that the first, and arguably most important, step in managing compliance risk posed by third parties is to evaluate whether there is a clear business need to engage them and, if so, to articulate what qualifications are required to meet that need. Companies will be well served to consider whether their compliance programs require this step and, if so, whether it is documented and maintained as part of the due diligence file.
For more information, please contact:
This, and related communications, are protected by copyright laws and treaties. You may make a single copy for personal use. You may make copies for others, but not for commercial purposes. If you give a copy to anyone else, it must be in its original, unmodified form, and must include all attributions of authorship, copyright notices, and republication notices. Except as described above, it is unlawful to copy, republish, redistribute, and/or alter this presentation without prior written consent of the copyright holder.