On June 1, 2020, the Department of Justice (DoJ) released its third round of guidance for its Evaluation of Corporate Compliance Programs, which was first issued in 2017.
The 2020 release continues to provide guidance for prosecutors to 1) conduct investigations of corporations, 2) determine the necessity of bringing charges against a corporation and 3) conduct plea or other agreements. The guidelines emphasize the importance of evaluating the corporation’s compliance program and system of internal controls, including how these endeavors may deter or discover future misconduct.
The impact on your company
This guidance can be used by your company to further determine and clarify what your compliance obligations are and how your compliance program must operate. The 2020 release is especially helpful for companies in terms of making it easier for them to understand what they should be doing, instead of only covering what they should not be doing.
The timing of this guidance is also a good thing because there’s no denying the impact the COVID-19 pandemic has had on each company’s internal controls. Organizations must take a step back and ask themselves, “How are we operating now, and how does that compare to how we operated prior to March? Has our compliance program adjusted to these changes?”
If your company has changed how you do business because of COVID-19 — whether it’s moving to a remote workforce, adjusting the products or services you offer or changing business relationships with third parties — you must make sure these changes are reflected in your compliance program. Not doing so further puts your company at risk of DoJ scrutiny and its consequences.
What has changed in the 2020 update?
Now that we’ve covered the importance of this update, let’s dive into what changes the DoJ made.
First, the 2020 guidance reiterated that the Criminal Division does not use a rigid formulaic approach to evaluating a corporation’s compliance program, but it does go beyond the 2019 guidance to describe some of the factors it will consider, such as the company’s size, industry, geographic footprint, regulatory landscape and other factors, both internal and external to the company’s operations.
Second, the guidance provided additional clarifications to these three fundamental questions:
- Is the corporation’s compliance program well designed?
- Is the corporation’s compliance program adequately resourced and empowered to function effectively?
- Does the corporation’s compliance program work in practice?
To better align with these three questions, the DoJ made updates to the twelve compliance areas noted in previous versions of the guidance. Below are nine key areas and changes you should be aware of:
1. Risk assessment
New guidance clarifies that prosecutors will 1) attempt to understand why the company has set up its compliance program the way it has, and why and how it has evolved over time, 2) assess whether the company’s internal review of its compliance program is at a point in time or an ongoing, continuous review across all functions, and whether that continuous review has led to appropriate updates to policies, procedures and internal controls and 3) evaluate the company’s process tracking and incorporating lessons learned from the company’s own prior issues or those of similar companies.
Companies can perform risk assessments to identify gaps in compliance, weak internal controls, business changes that weren’t reflected in the compliance program and other risks, which then allows them to take action to mitigate those risks.
2. Policies and procedures
Policies and procedures should be accessible in a searchable format, and the company should have the ability to track which policies and procedures are attracting the most attention from employees to determine which policies are the most relevant.
3. Training and communications
The company should implement a process so that employees can ask questions precipitating from training sessions regardless of the format and venue of the training, and the company should evaluate the impact of the training on employee behavior and company operations.
4. Confidential reporting structure and investigation process
The company should verify whether employees are aware of the company’s anonymous reporting hotline and their comfort level with it. This should also include periodic testing of the effectiveness of the hotline by tracing a reported incident from start to finish.
5. Third-party management
The company should continue the vendor management process and assessment of risk related to a specific vendor throughout the entire relationship with that vendor and not just during the onboarding process.
6. Mergers and acquisitions
The company should have a process for bringing an acquired entity into the company’s compliance program and internal control structure in a timely and orderly fashion. In the event of an investigation, and with respect to the due diligence process prior to an acquisition, prosecutors will consider when the misconduct or risk of misconduct of an acquired entity was discovered by the acquiror.
7. Autonomy and resources
The company should be able to document and support the choices it has made related to the company’s compliance structure. The company is also expected to adequately invest in the training and development of compliance and internal controls personnel, and for those personnel to have sufficient access to relevant sources of company data to allow for timely and effective monitoring and testing of policies, controls and transactions. You can expect that impediments to this access will be addressed, and the independence of those personnel will be ensured.
8. Incentives and disciplinary measures
A key component of any compliance program incorporates incentives for compliance and disincentives for noncompliance. Consider to what extent the organization’s communications emphasize the importance of ethical conduct and the implications of unethical conduct. How effective are the incentives, and does the organization respond appropriately to instances of noncompliance? As part of this, the company should ensure that its compliance function monitors its investigations and any disciplinary actions in a consistent fashion.
9. Continuous improvement, periodic testing and review
Of particular importance given the changes forced on organizations by COVID-19, how does the organization adapt and change over time? In addition to responding to external forces of change, the company should review and adapt its compliance program based on its own internal lessons learned and lessons learned from other companies facing similar risks. Also, the organization can’t just rest on the design of its compliance efforts, it needs to periodically test and review the effectiveness of its program. If you changed your program in response to COVID-19, have you tested and evaluated the effectiveness of those changes?
Get assistance updating your corporate compliance program
While there isn’t a deadline for your company to comply with the DoJ’s updates, there’s no shortage of companies who have been investigated, charged and subjected to fines and other penalties over the years. How well you can stand up to scrutiny depends on how robust your compliance program is.
The DoJ does recognize that the larger and more complex a company gets, the more difficult it becomes to know exactly what’s being done across the entire organization and what actions individual employees are taking. However, the outcomes of an investigation are dramatically different for two organizations with compliance issues when one organization proactively updated its compliance program to more effectively manage risk, and one organization did not.
We recommend being proactive and assessing your compliance program now, particularly if you haven’t adopted changes to address the impact of COVID-19, to determine what updates you need to make to better protect your organization, its employees and its clients, and to stand up to DoJ scrutiny.
Wipfli can help. We can assist you with performing risk assessments, developing areas to strengthen your compliance program, monitoring compliance, performing internal investigations, augmenting your internal resources, and more. As you consider the impact COVID-19 has had on your business, its operations and its compliance program, contact us to gain an independent and objective perspective on how you can identify and mitigate new risks.
Employee fraud: What you need to know
Information security and the employee exit checklist: Part I
Why fraud-based due diligence is critical in healthcare M&A transactions
Using data analytics to identify errors, waste and abuse