On 1 June 2020, the US Department of Justice (DOJ) updated its Evaluation of Corporate Compliance Programs guidance. This guidance is used by DOJ prosecutors in assessing the adequacy and effectiveness of corporate compliance programmes, providing a window for compliance officers into the ever-developing standards expected of the programmes they create and manage.
The updated guidance retains much of the previous text from April 2019, with the new elements reflecting the greater dynamism now expected. Key messages from this update are that programmes must be ‘adequately resourced and empowered to function effectively’, meaning that the DOJ will look beyond the programme on paper to how it actually functions in practice, and that there should be a culture of compliance ‘at all levels of the company’.
Even if the US guidance does not apply directly to your business, good practice lessons can be taken from it in benchmarking and updating your own programme.
This blog is not a substitute for a detailed review of the guidance (and its updates) for those who intend to use it as a benchmarking tool. A redline comparison of the April 2019 version against this June 2020 version will be the most efficient means of doing this.
What follows are indicators of changes in the guidance. For each area, direct quotes of some of the key changes are given first, followed by suggested questions (bulleted) that these changes might lead you to ask of your own programme.
Policy management and accessibility
Have the policies and procedures been published in a searchable format for easy reference?
Does the company track access to various policies and procedures to understand what policies are attracting more attention from relevant employees?
- How are policies and related written procedures (including updates) made available for relevant employees?
- Can they be easily found by all relevant employees?
- Is policy activity monitored and reported upon?
Training
Companies have invested in shorter, more targeted training sessions to enable employees to timely identify and raise issues to appropriate compliance, internal audit, or other risk management functions.
Whether online or in-person training, is there a process by which employees can ask questions arising out of the trainings?
How has the company addressed the employees who fail all or a portion of the testing?
Has the company evaluated the extent to which the training has an impact on employee behavior or operations?
- Does the current training format allow for the timely identification of issues?
- Is blanket training provided or is there a risk-based provision?
- What is the Q&A feedback process from training?
- What happens where relevant employees fail all, or a portion of, testing? Are there remedial measures and are these enough?
- Is there a means of evaluating the impact of training?
- Is there enough investment in (and encouragement for) further training and development of the compliance team and any relevant others, such as legal, audit, risk?
- Is this training and development recorded?
For further information on measuring the effectiveness of training see, Training as a compliance tool: measuring effectiveness.
Third party risk assessment
Does the company engage in risk management of third parties through the lifespan of the relationship, or primarily during the onboarding process?
- Is the third-party risk management process limited to onboarding, or does it continue beyond it?
- If it continues beyond onboarding, is the ongoing process enough? For example, is due diligence refreshed on a regular basis (such as annually), or is the third party continuously monitored via a red-flag monitoring system?
Risk assessment and lessons learned
Is the periodic review of the risk assessment that the program is based upon limited to a ‘snapshot’ in time or based upon continuous access to operational data and information across functions? Has the periodic review led to updates in policies, procedures and controls?
Does the company review and adapt its compliance program based upon lessons learned from its own misconduct and/or that of other companies facing similar risks?
Does the company have a process for tracking and incorporating into its periodic risk assessment lessons learned from the company’s own prior issues or from those of other companies facing similar risks?
- Is the risk assessment underpinning the programme sufficiently ‘live’?
- How are changes in the risk assessment findings implemented?
- Is there a lessons learned recording and reporting practice in place?
- Is there a change and implementation process as an output of lessons learned?
- How is the market monitored (such as via law firm alerts, Practical Law legal updates or resources, monitoring of court or regulatory rulings and/or deferred prosecution agreements), and is this sufficiently recorded?
For guidance on lessons learned reporting, including what data to include, how they may be communicated and what to do with their output see, Implementing lessons learned reports.
Prosecutors should endeavour to understand why the company has chosen to set up the compliance program the way that it has, and why and how the company’s compliance program has evolved over time.
- Is there an established and detailed timeline of the evolution of the programme?
- Does this currently include enough detail on the ‘why’ and ‘how’ of both the decisions made and the actions taken?
- Is the timeline sufficiently detailed in how it relates to (i) the risk assessment process, and (ii) programme review processes?
- How is maintenance of this timeline managed?
Access to relevant data
Do compliance and control personnel have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls and transactions?
Do any impediments exist that limit access to relevant sources of data and, if so, what is the company doing to address the impediments?
- How is the control and related transactional data being recorded?
- Is the full suite of relevant data being collected? For example, is relevant data from other areas of the business such as HR being recorded?
- Is the means of pulling this data together the best way of doing so? Consider both manual and technical processes if applicable.
- Is this data being monitored on a regular basis?
- Is this monitoring effective to identify breaches of control and weaknesses in control structure?
- Does the compliance (or legal/risk/internal audit) team have sufficient access to the data?
- Is the team able to use the systems (including any analytical and reporting tools) that are recording the relevant data?
- Does the compliance team have the autonomy and/or senior support to drive changes/additions to control data management practices?
M&A: post-acquisition due diligence and compliance integration
A well-designed compliance program should include a process for timely and orderly integration of the acquired entity into existing compliance program structures and internal controls.
Flawed or incomplete “pre- or post-acquisition” due diligence “and integration” can allow misconduct to continue at the target company, causing resulting harm to a business’ profitability and reputation and risking civil and criminal liability.
- Is pre-acquisition due diligence routinely reviewed in order to identify any gaps that should be plugged by post-acquisition due diligence?
- How effectively, and how quickly, is the compliance programme implemented into new acquisitions?
- Is there a process in place to monitor this implementation?
- Is this implementation sufficiently audited?
For general information on assessing the bribery risk associated with an acquisition and related due diligence see, Bribery Act 2010: acquisitions and joint ventures.
Hotline and whistleblowing reporting
Does the company take measures to test whether employees are aware of the hotline and feel comfortable using it?
How is the reporting mechanism publicized to the company’s employees and other third parties?
Does the company periodically test the effectiveness of the hotline, for example by tracking a report from start to finish?
- Is there a whistleblowing line/hotline in place?
- Is this adequately promoted to all relevant employees? How is this monitored and tested and how frequently does this take place?
- Are the protections around those using it adequately promoted? How is this tested?
- How is the effectiveness of the hotline tested and how frequently?