Roaring into the 2020s in Compliance: Revamping Your Compliance Program in Light of DOJ’s April 2019 Guidance

As we roar our way into the 2020s, this century’s roaring decade might not have the same excesses as last century’s. At least if the Department of Justice (DOJ) has its way. DOJ has emphasized corporate compliance programs and is seemingly requiring all companies to think critically about their own culture of compliance. And rightfully so. Corporate compliance programs are essential to effective corporate governance and can help protect an organization from potential liabilities—both civil and criminal—that flow from unlawful conduct. And when in the trenches of a government investigation, an effective corporate compliance program can provide a much-needed life line when the investigation does not go as planned. 

For years, DOJ has highlighted the importance of corporate compliance programs in various policy statements and guidance documents. DOJ reiterated that importance in April 2019 when it published additional guidance as to what an effective corporate compliance program entails. See U.S. Department of Justice Criminal Division, Evaluation of Corporate Compliance Programs (April 2019). While DOJ offered a similar guidance document in 2017, the 2019 Guidance is more than twice as long and includes 61 explicit factors in evaluating compliance programs. 

At its core, the 2019 Guidance asks three basic, common-sense questions when evaluating the effectiveness of a compliance program: (1) “Is the corporation’s compliance program well designed?”; (2) “Is the program being applied earnestly and in good faith?”; and (3) “Does the corporation’s compliance program work in practice?” While it is safe to say that the answers to each of these questions are equally important, of these three questions, the government dedicated the most ink to the first—the design of the program. Here, the government is really inquiring on key topics such as whether the program properly assesses risks, whether an organization has developed policies and procedures that reflect a true commitment to compliance and has taken steps to integrate those policies and procedures through appropriate training and communications, whether there are mechanisms for misconduct to be reported confidentially, whether an organization properly investigates reported misconduct, whether an organization conducts proper due diligence in choosing third party management, and whether an organization conducts proper due diligence prior to any merger or acquisition. 

While it is advisable to read DOJ’s 2019 Guidance in full, here are 10 key takeaways:

1. Periodic Updates are Mandatory: DOJ does not prescribe the timing of these risk assessments. However, DOJ emphasizes that revisions to compliance programs should reflect “lessons learned.” A good rule of thumb is to assess risk annually or, in the least, every two years.
2. Focus on Areas of Past Misconduct: DOJ’s guidance emphasizes, at multiple points, the focus on making enhancements in response to “specific instances of misconduct.”
3. Importance of Compliance Personnel: DOJ has explicitly identified the importance of compliance personnel and ensuring that those assigned to compliance are not just properly resourced, but also properly credentialed.
4. Responsibility for Third Parties: DOJ is now expressly asking whether a company has an “appropriate business rationale” for the use of third parties (relative to keeping a function inside the company).
5. Termination of Third Parties: Related to Takeaway #4, DOJ is now expecting that companies immediately terminate suppliers or business partners upon a finding of misconduct.
6. Cascading Tone from the Top: DOJ is now expecting that companies ensure this tone cascades down to middle management and to employees on the ground. Therefore, it is essential to ensure that middle management reinforces the standards above. And as appropriate, disciplinary action may be necessary for failure to supervise.
7. Assessment of Reporting: Periodic assessments should be undertaken to determine whether employees know about risk-reporting mechanisms and are also using them.
8. Perform Robust Internal Investigations as Needed: DOJ’s 2019 Guidance underscores the need for robust internal investigations when alleged misconduct is reported.
9. Develop a Plan for Internal Audits: DOJ is seemingly requiring that companies have a process and rationale for determining where and how frequently internal audits are performed.
10. Consider Compliance an Opportunity, Rather than a Risk: Those companies that are best equipped to deal with this new guidance will be those that view compliance as an opportunity for self-improvement, rather than a risk.

DOJ’s 2019 Guidance provides a healthy reminder of how important it is to ensure organizations have effective corporate compliance programs in place. With the holidays behind us, and the new year now well into full swing, if you have not taken a recent look at your compliance program (or if you still need to develop one), there is no better time to do so than now.

This article first appeared in the Association of Corporate Counsel Newsletter Tampa Bay on January 24, 2020.