What companies can learn from the DOJ’s approach to evaluating corporate compliance programmes
April 2017 | SPECIAL REPORT: MANAGING RISK
Financier Worldwide Magazine
In late 2015, the US Department of Justice (DOJ) Criminal Division Fraud Section kicked off a compliance initiative with the hiring of a full-time compliance expert whose role is to “help prosecutors develop appropriate benchmarks for evaluating corporate compliance and remediation measures and communicating with stakeholders in setting those benchmarks”.
In February of this year, the transparency of this process was enhanced by publication of 11 sample topics and questions that may be considered in making individualised determinations in particular cases. The Fraud Section has emphasised that its compliance initiative is not limited to Foreign Corrupt Practices Act (FCPA) compliance, but rather extends across the full spectrum of cases falling within its jurisdiction. In addition, given the tendency of other DOJ sections to follow the Fraud Section’s lead when it comes to investigation and prosecution of business organisations, companies should expect that the Fraud Section approach to evaluation of corporate compliance programmes likely will serve as a resource and model for other sections as well.
Although the publication was accompanied by a disclaimer that the sample topics and questions were not intended as a checklist or formula, companies can draw some valuable compliance conclusions by measuring their own compliance programmes against the standards suggested by the topics and questions.
Not surprisingly, given that the DOJ’s compliance focus arises in the context of criminal investigations, the first topic on the list is analysis and remediation of underlying misconduct. Key takeaways are the importance of a thorough root cause analysis when violations occur, including the identification of any systemic issues or missed opportunities to detect the misconduct, and the need to tie specific remedial efforts to the results of this analysis.
‘Tone at the top’ is the next topic addressed. The DOJ makes it clear that actions speak louder than words, and that it will focus on the words and actions of both senior and middle management across all facets of a company’s operations. Effective oversight by the board of directors also is expected.
The autonomy of the compliance function and the resources allocated to it will be examined. The sample questions devoted to this topic suggest that the DOJ views direct reporting to headquarters and the board of directors as critical to the autonomy of compliance personnel, and that outsourcing of compliance functions will be scrutinised carefully. Compliance personnel must have appropriate experience and qualifications, as well as funding and resources consistent with the company’s risk profile.
Policies and procedures will be reviewed both from a design and accessibility perspective and from an operational integration perspective. The DOJ will look for clear guidance regarding prohibited conduct and effective communication of expectations to relevant employees, gatekeepers and third parties. The DOJ’s questions signal that involvement of business units and divisions in the development of policies and procedures will be viewed as fostering better ‘ownership’ of compliance requirements and more effective implementation and accountability. On the operational integration front, the DOJ will want to see effective roll-out and training to ensure that policies and procedures are understood, and will review the role of payment systems and approval processes in the misconduct.
The company’s risk assessment process will be analysed. The DOJ will expect a connection between known risks and the company’s compliance programme, but also will consider the extent to which appropriate information or metrics are gathered and analysed in order to detect misconduct.
Training and communications are critical to an effective compliance programme. Among other things, the DOJ will consider whether high-risk and control employees have received appropriate training and whether employees feel free to ask for guidance about compliance issues and know how and when to do so.
A company’s compliance programme should provide for confidential reporting and investigation of possible violations. The DOJ will examine how the company responds to allegations of misconduct and whether its investigations of such reports lead to identification of root causes or system vulnerabilities and appropriate remedial responses.
The DOJ will ask whether a company has implemented an appropriate disciplinary response to both the underlying misconduct and any related lapse in supervisory oversight. Fair and consistent application of disciplinary actions across an organisation should be the goal. Beyond discipline, the DOJ also will seek evidence that compliance and ethical behaviour are incentivised – for example, by making ethical behaviour a key performance indicator when deciding on promotions and awards.
Continuous improvement, periodic testing and review of a company’s compliance programme are expected. Such continuous improvement should begin with periodic review of the company’s risk assessments and whether its policies, procedures and practices address the risks the company is currently facing. A company’s risk profile changes and grows over time, and its compliance programme must keep pace. On a more granular level, periodic internal or external audits and testing of compliance controls should be undertaken and accompanied by appropriate reporting and follow-up.
Management of a company’s relationships with third parties is a key DOJ focus, particularly, but not exclusively, in FCPA cases. Third-party relationships will be expected to have a business rationale and be appropriately documented and monitored. Due diligence is expected, as is appropriate resolution of any ‘red flags’ identified during the due diligence review. Compliance issues must lead to consequences, including, where appropriate, termination of the relationship.
Given the number of enforcement actions resulting from merger and acquisition (M&A) activity, the DOJ will examine the relationship between a company’s compliance programme and its M&A due diligence process. Involvement of compliance personnel in both the due diligence function and the post-acquisition integration process will be critical to tracking and remediating risks or misconduct identified during due diligence and ensuring effective compliance by the acquired business going forward.
Although the DOJ’s evaluation of corporate compliance programmes takes place in the context of investigating potential criminal conduct and making decisions to bring charges or enter into plea agreements or other resolutions, companies can benefit from performing their own self-evaluations in two ways. By asking the questions the DOJ would ask, a company can determine how its compliance programme would be viewed by the DOJ and make any necessary improvements that would put the company in a better position if an investigation is initiated. More importantly, however, through self-analysis and improvement of its compliance programme, a company can substantially reduce the risk of violations that could lead to DOJ involvement.
Barbara D. Linney is a member of Miller & Chevalier Chartered. She can be contacted on +1 (202) 626 5806 or by email: blinney@milchev.com.
© Financier Worldwide