In early June, the Department of Justice (DOJ) published updated guidance for the evaluation of corporate compliance programs. The sufficiency of a corporate compliance program is an important factor for prosecutors to consider when determining whether to bring charges against an organization and/or when making appropriate sentencing recommendations. While this document is designed to be used by prosecutors, it is also an instructive guide for business organizations in the design and review of their corporate compliance programs.

The DOJ explained that while each evaluation is an individualized inquiry, there are three overarching questions that must be examined. First, is the program well-designed? Second, is the program being applied earnestly and in good faith? Third, does the compliance program work in practice?

DOJ makes clear that there is no such thing as a cookie-cutter compliance program. Organizations must understand why their compliance programs have been designed and implemented in the manner that they have. A necessary component of this analysis is undertaking a risk assessment. In fact, the guidance instructs prosecutors to consider the “effectiveness of the company’s risk assessment and the manner in which the company’s compliance program has been tailored based on that risk assessment.” Simply put, compliance programs must be fit-for-purpose and designed based on the specific business operations that the company engages in.

Any well-designed compliance program must have written policies and procedures that set forth how the organization ethically conducts business in compliance with local, state, federal, and, where applicable, international laws. The core of any compliance program is the Code of Conduct, which sets forth the company’s ideals and values, as well as a commitment to compliance with all relevant laws and regulations. The Code of Conduct must be applicable and accessible to all employees and is the first step to creating a culture of compliance within the day-to-day operations of the company. The Code of Conduct highlights a company’s values and puts all employees on notice of their ethical responsibilities when conducting business on behalf of the company.

Additional policies and procedures must be implemented that are aimed at reducing the risks identified by the company in its risk assessment. The guidance instructs that the overall process used to design and implement these policies is an important component. For example, to help ensure effectiveness, relevant business units should be consulted in the design of policies and procedures. Additionally, policies and procedures must be communicated to relevant stakeholders in an effective and easily accessible manner. Companies should ensure that the integration of policies and procedures is responsibly managed – all company personnel should understand the content and associated expectations and know who to contact for questions.

The guidance also emphasizes the importance of training, explaining that companies must ensure that policies and procedures have been integrated into the organization. Companies should have periodic, effective trainings and certifications for all employees and relevant stakeholders. The trainings should address any consequences of misconduct, including risks posed to the company and potential disciplinary action against employees. Importantly, these trainings must be fully understood by employees. Employees must also know how to seek additional guidance and have the opportunity to ask follow-up questions. Companies should prioritize training for the departments and types of conduct that pose a higher risk of misconduct. Additionally, a one-size-fits-all approach to training employees is inefficient: it can overburden employees with information that may not apply to their position and detract from training that is particularly pertinent to their role. Management should be provided supplemental training to address potential misconduct by their subordinates and to disseminate the finer points of proper conduct to employees.

The guidance advises prosecutors to review the systems in place for reporting and investigating misconduct by personnel. Thus, corporate compliance programs should include mechanisms for personnel to anonymously and confidentially report any breach of the Code of Conduct or other policies. Anonymity and awareness of reporting mechanisms are essential to foster a workplace environment free from the fear of retaliation and to afford whistleblower protections. An effective mechanism for reporting, such as a hotline, must be used and must be effectively known by and available to all personnel. A company must also have investigation procedures in place outlining the following: how to evaluate the legitimacy of reports; how to determine whether the conduct was in violation of the company’s policies and procedures or any relevant laws; and how the compliance stakeholders will remediate any deficient conduct. Without an effective and well-known reporting/investigation program, any compliance program will be woefully inadequate for cultivating a culture of compliance.

It is also fundamental that a well-designed compliance program extends beyond policies, procedures, and training. The guidance makes clear that in order to create a true culture of compliance, a high-level commitment by company leadership is needed. In other words, the company’s top executives set the tone for the company’s compliance program in how they convey the company’s ethical standards, demonstrate their commitment by example, and encourage middle managers to reinforce these standards and to act ethically. Moreover, the effective implementation of a well-designed compliance program depends on ensuring that personnel charged with the compliance program’s oversight are afforded sufficient authority and autonomy to carry out the program’s functions and responsibilities. The guidance advises prosecutors to assess whether those responsible for compliance have sufficient seniority within the organization; sufficient resources, in particular sufficient staff to effectively undertake the requisite tasks; and sufficient autonomy from management, considering the particulars of the company’s size, structure, and risk profile.

Company compliance also extends to all of a company’s third-party relationships. As such, companies must have a system for monitoring such relationships. There must be a process for detecting red flags and for meaningfully resolving them. In the context of mergers/acquisitions, due diligence must be carried out dutifully when targeting a company. Upon integration, compliance programs should be extended to the acquired entity, and a monitoring system should be implemented to ensure policies and procedures are enacted, effective, and being followed. Maintaining uniformity and oversight across third-party relationships is a large risk area for companies, but with the right knowledge and experience, companies can protect themselves.

Understanding the DOJ’s guidance is essential to every corporate compliance program. Armed with the knowledge of how federal prosecutors evaluate the adequacy and efficacy of compliance programs, companies can adapt to limit risk and display a commitment to compliant business practices. As outlined above, implementing a “well-designed” corporate compliance program is the first step. Drafting complaint procedures, conducting effective trainings, reviewing/investigating potential misconduct, and ensuring third-party relationships follow compliant practices can lead to an effective program. However, just reaching the baseline of implementing a “well-designed” program isn’t enough. The DOJ is also concerned with how dutifully the program is implemented and if the program is continuously reviewed and improved. Given the inherent complexity involved, companies would be well served to work with counsel who has extensive experience with compliance programs in high-risk industries.