Top Ten Lessons for Compliance Officers from the Update to the DOJ’s Compliance Program Evaluation Guidance Part I

0
1812

Post By: Kristy Grant-Hart, Chief Executive Officer, Spark Compliance Consulting

In April of 2019, the Department of Justice issued its game-changing Evaluation of Corporate Compliance Programs guidance. The guidance was a feast for the compliance profession. The format of the guidance came in questions a prosecutor would ask in an investigation, which in turn signaled the answers a company would be expected to give.

On June 1, 2020, the DOJ updated its guidance document to reflect, as Assistant Attorney General Brian Benczkowki said, “additions based on our own experience and important feedback from the business and compliance communities.[i]

The new language in the guidance is fascinating because it sets out the updated expectations of prosecutors. Companies are once again on notice that the line in the sand has shifted, and they need to respond now to meet those new expectations. Following are the top ten lessons compliance officers can learn from the new guidance, and what to do now to update your program based on this new information.

Lesson One:  Today’s Best Practices are Becoming Expectations Already

Many times when outside experts perform compliance program reviews, companies are provided with recommendations for immediate changes, as well as more aspirational best practices found in very mature programs. The new DOJ guidance includes references to many of these best practices, meaning that they are likely to become expectations in the very near future. These best practices include:

  • Ensuring that online training programs have “a process by which employees can ask questions arising out of the training.”
  • Conducting post-acquisition auditing at newly acquired entities.
  • Ensuring that the “company engage(s) in risk management of third-parties throughout the lifespan of the relationship.”
  • Making micro-training available. The guidance notes that companies have “invested in shorter, more targeted training sessions to enable employees to timely identify and raise issues to appropriate compliance, internal audit or other risk management function.”
  • Evaluating “the extent to which the training has an impact on employee behavior.”

There are challenges here. Most online training programs do not have the capacity to pass questions along automatically to the compliance department, and many training companies do not yet have micro-learning available. In addition, tracking how training affects employee behavior is a big undertaking.

WHAT TO DO NOW:  Review the list above and determine whether you can implement any of these practices. If you can, do so. If you cannot, begin planning to implement them in the future. Contact the technology providers with which you have relationships and ask them when their technology will be updated to accommodate these expectations.

Lesson Two:  You Need Access to Data

The DOJ is clear: you need data, and good data comes from good technology. While most of the updates in the guidance come in the form of single sentences, the section on data comes in a whole new paragraph. Prosecutors are to ask, “Do compliance and control personnel have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls, and transactions?” These points about data dovetail with the multiple mentions of monitoring and metrics in the guidance. Without good data, good monitoring can’t take place. Without good monitoring, the effectiveness of the program is almost impossible to judge.

WHAT TO DO NOW: Inventory all existing programs that can give you data. Don’t just look at the programs you interact with each day – look at the programs available to Human Resources, Information Technology, Information Security, Procurement, Legal, and Audit.  Find out whether the data their programs track could be useful to you. Prosecutors included the question, “Do any impediments exist that limit access to relevant sources of data and, if so, what is the company doing to address the impediments?” Use this question to your benefit if you receive pushback from getting the data you need.

Lesson Three:  You Need Good Technology for Your Policy Management

The promotion of many current best practices into expectations comes at a cost, and that cost is an investment in technology. While the investment in technology isn’t explicitly spelled out, it underpins several of the new questions in the guidance. For instance, prosecutors are told to ask, “Have the policies and procedures been published in a searchable format for easy reference?” Many companies have unsearchable policies housed in PDFs in some dark corner of the company’s intranet – or worse – on a SharePoint no one accesses.  The new guidance also asks prosecutors to ask which policies and procedures “are attracting more attention from relevant employees.” This task requires IT to help with click tracking.

WHAT TO DO NOW: First, go to the Information Technology team and ask if they have the capacity to make your policies searchable. Then ask if they can track how many clicks each policy receives in the month/quarter. If they can’t, go out to the market to find policy management software to implement. While these programs can be pricey, they can also help you to manage policies effectively. Policy management can save you headaches in the future, and help you to defend against an employee who still has the 1998 version of the gifts and hospitality policy and said he didn’t know there was an update.

Lesson Four:  You Need a Culture Survey (or its Equivalent)

The new guidance includes the question, “Does the company take measures to test whether employees are aware of the hotline and feel comfortable using it?” Culture surveys can be expensive, but obtaining information from the employee population and aggregating it see whether employees really trust management and know how to report misconduct can save millions upon millions in fines later on.

Whistleblower hotlines are even more important now than they usually are. Steven Peikin, co-director of the SEC’s enforcement division reported that the SEC received 4,000 whistle-blower tips, complaints, and referrals of possible corporate wrongdoings from mid-March to mid-May of this year, which represented a 35% increase from the same time last year. The Wall Street Journal quoted Peikin in its analysis, finding that, while many reports are COVID-19-related, many others are in “traditional areas.”[ii]

WHAT TO DO NOW: Talk to management about the possibility of performing a culture and ethics survey across the organization. If you can’t get approval, try to get whistle-blower-related questions included in the annual engagement survey. If you still can’t get any buy-in, you can either launch your own survey through services like Survey Monkey or Survey Anyplace, or you can conduct focus groups representative of the company’s employee population to get the information you need.

Lesson Five:  You Must Document WHY You Make the Choices You Make

There’s nothing like contemporaneous note-taking to show a prosecutor why you made the choices you made. In two different parts of the new guidance, prosecutors are told to inquire about why and how choices were made. Under the section on risk assessments, prosecutors are told to “endeavor to understand why the company has chosen to set up the compliance program the way that it has, and why and how the company’s compliance program has evolved over time.” Later in the guidance, the new question is asked, “What are the reasons for the structural choices the company has made?”

WHAT TO DO NOW: Take stock of how the compliance program began, and how it has evolved over time, then write down a timeline of how the program has changed. For many companies, compliance was born from a subset of activities assigned to the Legal Department that evolved into a full-blown, independent program. Write down how and why these changes were made. In the future, as the program expands or contracts, keep notes about why those decisions were made.

Be sure to check out Part 2 of this blog.

 

[i] https://www.wsj.com/articles/justice-department-adds-new-detail-to-compliance-evaluation-guidance-11591052949

[ii] https://www.wsj.com/articles/tips-to-sec-surge-as-working-from-home-emboldens-whistleblowers-11591003800

[iii] https://www.wsj.com/articles/justice-department-adds-new-detail-to-compliance-evaluation-guidance-11591052949