Earlier this week (more specifically: June 1st, 2020) the Department of Justice released updated compliance guidelines. This refreshed version of the Evaluation of Corporate Compliance Programs replaces the previous which was published just over a year ago in April 2019. This marks the third iteration of the guidelines since they were originally published in 2017.
While the changes require a fine-tooth comb to find, they reflect a prioritization of data, resources, and having an empowered compliance function. Before we dive into how the revisions could impact your program, let’s take a step back: why do the updated compliance guidelines matter to corporate compliance officers?
In the words of the Department of Justice (DOJ), from the Evaluation of Corporate Compliance Programs guidelines:
“This document is meant to assist prosecutors in making informed decisions as to whether, and to what extent, the corporation’s compliance program was effective at the time of the offense, and is effective at the time of a charging decision or resolution, for purposes of determining the appropriate”
As most of us in the compliance community know, these are the standards by which our program will be scrutinized if an issue were to arise in the future. The best way to be prepared for that moment is to align your program closely with the standards it would be measured by. It’s the line in the sand that compliance professionals are always sprinting towards so when that line is moved, compliance officers need to know how far and in what direction. Let’s discuss the updates in each of the main sections:
A Well-Designed Program
The Department of Justice mentions six critical factors every compliance program should address:
- Risk Assessment
- Policies and Procedures
- Training and Communications
- Confidential Reporting Structure and Investigation Process
- Third Party Management
- Mergers & Acquisitions
The changes are mainly focused on the last section, Mergers & Acquisitions. The updated section reads:
“A well-designed compliance program should include comprehensive due diligence of any acquisition targets, as well as a process for timely and orderly integration of the acquired entity into existing compliance program structures and internal controls. Pre-M&A due diligence, where possible, enables the acquiring company to evaluate more accurately each target’s value and negotiate for the costs of any corruption or misconduct to be borne by the target. Flawed or incomplete pre- or post-acquisition due diligence and integration can allow misconduct to continue at the target company, causing resulting harm to a business’s profitability and reputation and risking civil and criminal liability.”
These updates indicate an emphasis on activities leading up to and directly after a merger or acquisition. Not only does due diligence need to be conducted when companies are going through this organizational transformation but the compliance program(s) can not be forgotten. If both parties have an existing compliance function, the teams should merge together as one to adopt new policies and ensure that compliance processes are swiftly rolled out to all employees. If only one of the parties has a robust compliance program in place, it is expected that the current program is quickly adopted by the other organization.
The inclusion of “pre- or post-acquisition due diligence and integration” further indicates that compliance’s role is not just to check the box but rather to wholly protect the new, larger entity from future risks by maintaining an effective compliance program during times of organizational change and beyond.
Adequately Resourced and Empowered to Function
“Even a well-designed compliance program may be unsuccessful in practice if implementation is lax, under-resourced, or otherwise ineffective.”
The section above was not a new addition with the latest update, but the importance of resources dedicated to a compliance program should be emphasized. If you flip the phrase to suggest what makes a program successful: implementation should be deliberate and the department should be well-resourced.
Although compliance has long been a “do-more-with-less” function, that approach needs to shift for compliance programs to reach their full potential, and measure up to the standards the DOJ is recommending. Compliance officers should use this information to their advantage to secure more headcount, additional budget, and better tools.
The new inclusion for this section falls under the Autonomy and Resources section:
“Data Resources and Access – Do compliance and control personnel have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls, and transactions? Do any impediments exist that limit access to relevant sources of data and, if so, what is the company doing to address the impediments?”
This was the largest addition to the guidance as data has become more and more critical to building an effective program. Data, and its proper usage, was already a priority for best-in-class compliance programs. However, this addition brings the importance of data management and data analytics to the forefront.
The question “Do any impediments exist?” highlights the fact that gathering all compliance data in a central location and then performing meaningful analysis on those data sets often comes with complications. The very mention of “impediments” implies that there are typically hurdles for compliance functions in accessing data.
This section also negatively mentions a “paper program” indicating that digital, automated, and technology-enabled programs are preferred. Proper data management and harnessing the power of big data has only become more critical to the effectiveness of a compliance program. Paper or manual programs will soon be a thing of the past.
The DOJ then goes on to make a case for additional headcount and resources to be allocated to the compliance function. Although this request is not new, it is still a win for the industry and sets the stage for compliance teams to be agile, impactful, and data-driven. Case in point: the guidance notes that “compliance should be empowered within the organization”.
If your organization is not currently empowering the compliance function, what can you do to change that? Educating others (typically executives) on the importance of compliance and the risk of not taking the program seriously could be a transformative step in the right direction. To learn other helpful tips, read A Step-By-Step Guide to Elevating Your Compliance Program. This eBook will be your guide to strategically deciding when, where, and how compliance should be elevated within your organization.
As the DOJ notes in the guidance, one of the main factors is: does the corporate compliance program work in practice?
Under the Continuous Improvement, Periodic Testing, and Review section, an additional question was added to the list of ways programs can ensure updates are evolving:
“Does the company review and adapt its compliance program based upon lessons learned from its own misconduct and/or that of other companies facing similar risks?”
If you are not already looking to companies who are in the same industry, of similar size, or that operate in the same regions that your organization does, this might be a smart project to take on. The addition of this sentence is basically stating: don’t let history repeat itself. Learn from your mistakes and the mistakes your peers have made.
Establishing and maintaining an effective compliance program has long been the industry’s common goal but the paths organizations take to get there are often different. Understanding the unique factors of your organization, including risk tolerance, and then looking to find other real-world examples of similar companies can greatly improve your program.
When talking about program effectiveness it’s essential to consider metrics. How do you know if a compliance program is, indeed, effective? What metrics, dashboards, and reports do you access to ensure your program works? Enhanced reporting functionality is critical.
What the Updated Compliance Guidelines Mean
The revisions to the Evaluation of Corporate Compliance Programs reflect a prioritization of data analytics, becoming a well-resourced program, and having an empowered compliance function. This is good news for the industry because it can help compliance officers make the case for additional resources, better tools, and a seat at the table.
To implement these changes within your organization, start small and scale. Which of these changes will you begin to tackle within your own compliance program?