What the New DOJ Guidelines on Corporate Compliance Programs Mean for You
What the New DOJ Guidelines on Corporate Compliance Programs Mean for You
Organizations are understandably concerned about ensuring compliance with a wide range of rules and regulations in corporate compliance law. Fines for noncompliance can be significant and are just the tip of the iceberg when you consider the cost of defending lawsuits or damage to your corporate brand and reputation. But, beyond the costs associated, the importance of a corporate compliance program is to ensure your workplace promotes the utmost ethical standards through effective policies and training to build a culture that’s supportive of employees and empowers them to work most efficiently and impactfully.
The purpose of corporate compliance programs should be to build a strong and supportive culture rather than checking boxes. And yet, both are necessary.
The DOJ’s new Guidance on the “Evaluation of Corporate Compliance Programs” is a recent example of new rules that companies should comply with. The document is intended to offer federal prosecutors information to help them make decisions about whether corporate compliance programs are effective. The extent these programs are effective, in turn, assists prosecutors in determining whether to file criminal charges, negotiate a plea agreement or other resolutions, assess any monetary penalties and what form of monitoring, if any, the organization should be subject to.
The DOJ has been quick to point out that it doesn’t use a “rigid formula” to determine an organization’s compliance. Instead, the Guidance is designed to take a look at three important questions:
- Is the compliance program well-designed?
- Is the compliance program implemented effectively?
- Does the compliance program work in practice?
Let’s take a look at each of these in more detail to see what the DOJ is really trying to assess.
Is the Compliance Program Well-Designed?
The purpose of corporate compliance programs should be to ensure that instances of misconduct do not occur and, in the event that they do, that there are confidential and effective means for employees to report noncompliance. This applies not only to misconduct that occurs by or between employees; but employers must also demonstrate that their program addresses the behaviors of third parties—e.g., vendors, business partners, even customers.
Beyond the actual design of a program, prosecutors will also consider how the elements of the program are communicated to employees through training and other channels. Is communication ongoing? Does it sufficiently address what the company considers to be unacceptable behaviors? Does it provide clear guidance to employees both in terms of their own personal responses to objectionable behavior and in terms of how to report incidents of misconduct? These questions are asked to decide if the organization in question has an effective corporate compliance program.
Importantly, the new Guidance goes beyond the question-based approach in the original Guidance issued in 2017 to emphasize a risk-based approach that is unique to each company. The expectation is that companies will assess their situation and identify where areas of risk may exist, allocating resources to areas of greatest risk, and periodically update their corporate compliance programs to reflect current risks “in light of lessons learned” when employee misconduct or other problems are discovered.
Is the Compliance Program Implemented Effectively?
The DOJ’s Guidance poses the question: “Is the program being applied earnestly and in good faith?” This is really an assessment of whether the walk meets the talk. It’s not enough for an organization to have a program, regardless of how well employees are trained or how often the company communicates with them about the elements of the program. Rather, organizations must be able to sufficiently demonstrate the implementation of an effective corporate compliance program. How well do senior leaders and managers demonstrate their commitment to the requirements of the program? How quickly and effectively do they act in the event of noncompliance? What is the company’s response to reports of non-compliance? Are disciplinary procedures clear and consistently enforced? What does the evaluation process entail?
Here the DOJ focuses specifically on “commitment by senior and middle management, autonomy and resources, and incentives and disciplinary measures.”
Does the Compliance Program Work in Practice?
By “work,” the DOJ is not necessarily focusing on the lack of complaints, but instead on whether the organization has a process in place for testing, review, and analysis, and a method for making process improvements as data is gathered. In fact, as we know, when these types of programs are well-communicated, reports may initially go up, followed by a decrease in complaints and information about the lack of [employee misconduct] derived from climate surveys.
As the Guidance suggests, “some companies survey employees to gauge the compliance culture and evaluate the strength of controls…” Measuring whether learners have retained knowledge and built skills, whether through climate surveys or other means, is a critical factor here for considering the “analysis and remediation of underlying misconduct.” Organizations must implement these processes to ensure an effective corporate compliance program for its employees.
Compliance as a Driver of Culture Evolution
Employers that seriously embrace a culture of compliance built around mutual respect can benefit from a focus on designing, implementing, and continuously evaluating the effectiveness of compliance efforts. Not through a “one-size-fits-all approach”, but through a thorough understanding of the various types and levels of risk that different parts of the organization may experience.
As we know, the traditional ways of attempting to stop harassment and misconduct simply haven’t worked. Success here requires going beyond “checking the box” on corporate compliance law to a comprehensive approach directed at engaging employees in the process of establishing a culture of respect, transparency, and trust. Not because companies fear to be subject to fines and public exposure, but because they recognize that a culture of respect will lead to employee engagement, loyalty, productivity, and longevity.