12 Jun 2020
Corporate Compliance Alert: What Risk Management Pros Need to Know about the DOJ's Recent Guidance Updates
On June 1st, the US Department of Justice Criminal Division published a revised version of its corporate compliance program evaluation guidance. In an article reviewing the latest changes, Harry Cassin, the publisher and editor of the FCPA blog, notes, “Most of the changes are to make sure compliance programs aren’t ‘snapshots’ but dynamic, and updated to fit new circumstances.” How does your existing corporate compliance program stack up?
6 changes to corporate compliance program evaluation
The changes to the guidance are the result of both the DOJ’s experience and feedback received from companies and compliance experts around the country. The new guidance builds on a 2019 release that focused on three key areas:
- Design of the company’s compliance program
- Implementation of that compliance program
- Effectiveness of the compliance program in practice
Now, the DOJ pushes the evaluation standards further, at a time when many organizations are being forced to make budget cuts due to the economic disruption caused by the coronavirus pandemic. We’ve been tracking the impact of COVID-19 on the risk landscape.
But as the Volkov blog on "Corruption, Crime & Compliance" noted in January—before COVID-19 had reached pandemic proportions—"Corporate leaders cannot mouth their support for the company’s compliance program, while quietly removing or reducing resources needed to carry out an effective compliance program. In these unfortunate circumstances, the message is clear—cut your compliance program at the company’s risk and prepare for potential harm—risks will increase, detection by government investigators is more sophisticated, and companies could suffer significant legal and reputational risks." And the latest DOJ guidance seems to affirm this message.
Here’s what you need to know
- Adequate resourcing is key. Good faith implementation is not enough to protect your company. The DOJ states that it will further look at whether a company’s compliance program receives adequate resources to function effectively. This isn’t limited to personnel needs. Companies must also ensure that risk management staff have the tools and data resources to manage risk effectively. The bottom line: Any austerity measures implemented as a result of the economic fallout of COVID-19 should be weighed against the potential costs of failing to identify compliance risk and the subsequent financial penalties and damage to brands that might come from an FCPA investigation.
- Ethics and compliance must be ingrained in the corporate culture—from the top down. The DOJ guidance specifically states that it is “… important for a company to create and foster a culture of ethics and compliance with the law at all levels of the company.”
- Compliance programs must evolve to meet emerging risk considerations. The latest guidance suggests that the DOJ will consider whether a company periodically conducts a risk review and adapts its compliance program accordingly. The guidance says that the DOJ will consider whether a company has “a process for tracking and incorporating into its periodic risk assessment lessons learned either from the company’s own prior issues or from those of other companies operating in the same industry and/or geographical region.”
- Metrics matter. As H. James Harrington, author and expert consultant on management performance improvement, has said, “Measurement is the first step that leads to control and eventually to improvement. If you can’t measure something, you can’t understand it. If you can’t understand it, you can’t control it. If you can’t control it, you can’t improve it.” The DOJ has echoed this sentiment in the latest guidance, highlighting the importance of measuring compliance program effectiveness through monitoring and testing of policies.
- Training should be an ongoing process. The latest DOJ guidance suggests that companies must not only provide training to their employees, but must also ensure that they have a process in place to enable employees to ask follow-up questions post-training, ensure employees feel comfortable reporting potential compliance issues and offer ad-hoc training sessions to “allow employees to bring up timely issues.” And, in a nod to the measurement push, the DOJ also will evaluate whether companies have assessed the effectiveness of training.
- Third-party due diligence should be complemented by ongoing third-party monitoring. We’ve said before that a “one-and-done” approach to third-party due diligence leaves companies vulnerable to third-party risk. The new guidance supports a more comprehensive approach to identifying emerging risk, recommending that prosecutors evaluate whether a company “engage[s] in risk management of third parties throughout the lifespan of the relationship, or primarily during the onboarding process.” It’s safe to assume that if a company relies on onboarding due diligence alone, it could be viewed negatively in the event of an FCPA investigation. This extends to M&A deals as well.
The release of the updated guidance only emphasizes that, despite the current disruption, enforcement has not been placed on the back burner. As a result, companies must continue to make corporate compliance programs a top priority. Are you confident your program could stand up to DOJ scrutiny? Find out how Nexis® Solutions can help.