Compliance Programs Must Track and Adapt to Changes and Risks

1. Is the corporation’s compliance program well designed?
2. Is the program being applied earnestly and in good faith? In other words, is the program adequately resourced and empowered to function effectively?
3. Does the corporation’s compliance program work in practice?

In updating its Guidance, DOJ did not change the criteria previously explained in our prior alert. Instead, DOJ’s 2020 Update emphasizes the need for a tailored program that continuously adapts and evolves based on individual risk factors and requires updating based on lessons learned by the company, as well as the marketplace. DOJ further poses a number of questions prosecutors may consider when evaluating compliance programs.

A Well-Designed Program in 2020 Requires Tracking Internal and External Lessons.
In the 2020 Update, DOJ reiterates that a one-size-fits-all compliance program is not appropriate because many factors can impact a compliance program, such as “the company’s size, industry, geographic footprint, regulatory landscape, and other factors, both internal and external to the company’s operations.” DOJ further recognizes that a company may need to structure its compliance program in a particular way to deal with foreign laws. Once again, however, this underscores the need for companies to have a thoughtful approach and be in a position to readily explain the reasons for the structure they ultimately choose for their compliance programs.

Moving beyond the program’s structure, in the 2020 Update, DOJ emphasizes the need for constant program evolution and improvement, taking into account “operational data and information” across functions, and for learning not just from the company’s own experiences, but also from “those of other companies operating in the same industry and/or geographical region.” Thus, DOJ highlights the need for awareness of flags being raised not only by data and information from one’s company, but also risks in the marketplace.

Preventing and detecting misconduct are always the goals of a well-designed program. In the 2020 Update, DOJ underscores the importance of communicating these goals. Companies should thus consider whether:

• their policies and procedures are accessible to all employees as well as to third parties;
• to publish policies and procedures in a searchable format for ease of reference;
• to track access to specific policies that appear to attract more attention from relevant employees;
• “online or in person, there is a process by which employees can ask questions arising out of the trainings”;
• to evaluate “the extent to which the training has an impact on employee behavior or operations.”

The logic of these additions is evident: companies must ensure that their well-structured programs are understood by employees and third parties. Such communication is critical to “enable employees to timely identify and raise issues to appropriate compliance, internal audit, or other risk management functions.”

Regardless of how well a compliance program is structured, employees and third parties constitute the eyes and ears of a company. These individuals need to be aware of the mechanisms by which to report misconduct (e.g., a hotline), and to feel comfortable using them. Part of effectiveness, as underscored in the 2020 Update, is to track reports of misconduct, track the investigations, analyze the reports and ensure that the investigation leads to findings and recommendations. These procedures should also result in a review and update of existing policies to improve those policies.

Of course, third-party risk continues to be significant. As DOJ notes, third parties—such as agents, consultants, and distributors—“are commonly used to conceal misconduct.” Accordingly, the 2020 Update suggests that assessing risk only during the onboarding process may not be sufficient; rather, companies may want to consider risk management throughout the lifespan of the relationship, including monitoring and training third parties, exercising audit rights over books and accounts of third parties, and imposing actual consequences, such as suspension or termination, when a third party does not pass due diligence or engages in misconduct.

A Corporation’s Compliance Program Must Have Adequate Resources and Be Empowered to Function Effectively.
In the 2020 Update, DOJ highlights that even if well-designed, a compliance program may be rendered ineffective if it is lax or under-resourced. Despite the global turmoil existing at the time of this 2020 Update, DOJ, nevertheless, emphasizes the need for sufficient resources to be deployed to manage compliance programs. An appropriately resourced program includes:

• ensuring personnel have “sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls, and transactions”;
• removing impediments that limit access to relevant sources of data;
• investing in further training and development of the compliance and other control personnel;
• monitoring and tracking of investigations and resulting discipline to ensure consistency; and
• reviewing and updating compliance programs after analysis of lessons learned.

Significantly, in the 2020 Update DOJ broadens the concept of “tone from the top” to emphasize that the tone should be at “all levels” and not just the very top. Commitment to compliance indeed starts with company leadership, through their words and actions, but must be shared by senior and middle management, and should empower compliance personnel to have sufficient autonomy and stature to enable compliance personnel to report “up the chain.” Without resources that empower compliance personnel, even the most well-structured program is not likely to be effective.

A Corporation’s Compliance Program Works in Practice if It Prevents and Detects Misconduct.
The goals of an effective compliance program are straightforward: (1) detect potential misconduct; (2) allocate resources to investigate misconduct; and (3) remediate any misconduct discovered. A root cause analysis, to determine the cause of misconduct, can enable companies to assess the degree of remediation required to prevent a similar event from occurring in the future. Where systems have failed, new systems should be promptly implemented to address the failures identified in the root cause analysis.

Moreover, if misconduct does not result in disciplinary action, or if discipline is not enforced consistently, then the program, even if well-designed, will not be considered effective by prosecutors. The same holds true if remedial steps are not taken upon a finding of misconduct. Without incentives for compliance (or discipline for non-compliance), a program is not likely to prevent misconduct.

In the 2020 Update, DOJ emphasizes the need to adapt a compliance program based upon lessons learned from the company’s own misconduct as well as that of other companies facing similar risks. Companies must continuously review and audit existing compliance programs by testing internal control systems, analyzing its collection and analysis of compliance data, and regularly interviewing employees (of all levels) and third parties in order to establish that the compliance program is, in fact, working in practice.

Conclusion
The 2020 Update builds upon the criteria developed in DOJ’s 2019 Guidance to enable companies to develop and demonstrate effective corporate compliance. The 2020 Update should remind companies that compliance must be more than a paper program; it must be a dynamic program that evolves over time. A company must adapt compliance procedures specific to its particular risk and history, devote more resources for compliance-related processes, analyze data and lessons learned both internally and externally, and develop adequate responses to risk characteristics. These will all be important factors analyzed by prosecutors in 2020 and beyond. A well-structured compliance program that is effective at preventing and detecting misconduct and that works in practice will greatly assist companies in defending themselves when faced with a DOJ investigation.