With the roar of a (mute) lion, on June 1 the US Department of Justice quietly issued updated guidance for prosecutors on assessing the effectiveness of corporate compliance programs. How has the Criminal Division modified its thinking? In at least six ways:
Individualized Assessment: Prosecutors are now encouraged to evaluate whether a company’s program is designed to detect and mitigate its own specific risks. Recognizing that each company is unique, prosecutors should be highly sensitive to the commercial circumstances and business realities of each target company as it developed and maintained its program. (This will be an interesting exercise for career prosecutors with no in-house experience.)
Continuous and Demonstrable Evolution: On the other hand, the DOJ expects that companies continuously identify their respective unique risk factors and demonstrate resultant updates to policies, procedures, and controls. (This is yet another shot at the idea of “compliance in a box”; one size will never fit all.) Static programs will likely not be considered “effective”. A company can show continuous improvement by demonstrating its program’s evolution.
Consistency of Discipline: “Organizational justice” means that employees believe in the fairness of a company’s internal investigations: its policies, processes, systems, and results. To achieve this, Washington wants us to show consistency of application in terms of discipline (and also incentives, but that is a longer conversation). We need to have good, measurable data that demonstrates no divergence or favoritism of judgment or discipline (or at least actively monitor internal investigations to assess any partiality). For additional data, feel free to review our (free!) presentation on Investigations 2.0 at https://wallensteinlawgroup.com/resources/.
Integrated Policies and Procedures: Our enforcement authority now expects that drafted policies and procedures be accessible, easy to use, and actually used. In fact, they challenge companies to develop metrics to “understand what policies are attracting more attention from relevant employees.” (Today’s resource-constrained companies will appreciate this additional requirement.)
Tailored Training and Communications: The DOJ has now doubled down by recommending “more targeted training sessions” designed “to enable employees to timely identify and raise issues to appropriate compliance, internal audit, or other risk management functions.” In other words, check-the-box training is insufficient: instead, effective training both (1) sensitizes your employees to specific red flags and (2) incents them to escalate concerns through easy-to-access channels. (Be prepared to demonstrate how this works.)
Third Party Monitoring: Whole seminars have been designed around the difference between monitoring and auditing high-risk third parties. (Yours truly is one! Ask me for slides if helpful.) And…many companies continue to do neither. Warning: our prosecutors are now being asked to assess, among other things, whether a target company assessed risk and mitigation solely (or primarily) during the onboarding process, or whether continual monitoring resulted in the evolution of any controls or mitigation strategies. (Again, show me.)
In sum, we’re now being asked to be able to (1) measure and monitor the effectiveness of our programs and (2) demonstrate continual evolution. You can find the updated Evaluation document on my website, under “Free Resources”.
Please contact us if we can assist you with these efforts!