Client Alert
DOJ Issues Updated Guidance on the “Evaluation of Corporate Compliance Programs”
May 13, 2019
The U.S. Department of Justice’s Criminal Division (“DOJ”) recently updated its Evaluation of Corporate Compliance Programs guidance, which provides a framework for assessing the effectiveness of a company’s compliance program.1
The 2019 Evaluation of Corporate Compliance Programs (“2019 Guidance”) elaborates on prior guidance the DOJ issued in 2017, demonstrates a consistent critique of “paper programs,” and identifies three fundamental questions central to an assessment of a company’s compliance program:
- Is the corporation’s compliance program well designed?
- Is the program being applied earnestly and in good faith? In other words, is the program being implemented effectively?
- Does the corporation’s compliance program work in practice?
To help answer the first question, the 2019 Guidance identifies six components of a well-designed program: use of and reliance on a risk assessment, comprehensive policies and procedures, tailored training and communications, a confidential reporting structure for misconduct and a meaningful investigation process, risk-based third-party management, and a detailed mergers and acquisitions due diligence process.
Regarding effective implementation, the 2019 Guidance focuses on whether a company’s program exists on paper only, or is “implemented, reviewed and revised.” As part of that analysis, the 2019 Guidance outlines the following factors for evaluation: commitment to compliance by senior and middle management, the compliance function’s autonomy and resources, and the company’s incentives and disciplinary measures related to compliance.
The third question measures whether, at the time of the alleged misconduct, the company’s compliance program was working effectively. This analysis acknowledges that a compliance program cannot prevent all bad behavior, but focuses more realistically than past guidance on the degree to which the program was subject to continuous review and improvement, how investigations of misconduct were handled, and whether the company undertook analysis and remediation of identified misconduct.
Key Takeaways from the 2019 Guidance
Although non-exhaustive, the list below highlights key questions that companies should be asking themselves in formulating and implementing their compliance programs:
- Risk-based design: Has the company assessed and tailored its compliance program to the varying risks presented by its business model, including the location of its operations, its industry, regulatory landscape, use of third parties, interactions with government officials, and charitable and political donations, among other risks?
- Third-party oversight and management: Does the company apply a risk-based due diligence process for its third parties and employ appropriate business rationale for the use of third parties, including implementing processes to monitor the third parties’ work on behalf of the company?
- Continuous improvement framework: Does the company periodically update and review the criteria it uses to build and evaluate its compliance program, including incorporating any lessons learned into its approach, or adjusting to shifting risks or a changing legal landscape?
- Independent and compliance-trained resources: Does the company have sufficient personnel to analyze the company’s compliance efforts? Do those individuals have appropriate experience and qualifications, sufficient seniority, sufficient resources, and sufficient autonomy?
- Executive-level awareness and support: Have senior and middle management demonstrated a commitment to compliance and set a tone for the company’s culture of compliance, including whether they promote compliance and demonstrate adherence to the law through their own conduct?
- Investigation/remediation process: Does the company have a well-functioning mechanism for investigating reports of misconduct, including a process by which stages of an investigation are documented and remedial measures taken in response to an investigation are recorded?
- Proper incentives (and disincentives): Does the company maintain clear and consistently enforced disciplinary procedures related to instances of unethical behavior or non-compliance? Are personnel rewarded or recognized for ethical leadership and commitment to compliance?
Winston’s Approach
While the 2019 Guidance is a refreshingly more-detailed statement than had previously been issued by DOJ, it largely builds upon existing guidance, and reinforces the advice that Winston & Strawn has been giving our clients for years. At Winston, we strive to provide our clients with actionable, practical, risk-based advice and common-sense compliance counseling. Our team includes lawyers with experience as in-house compliance professionals, more than a dozen former Department of Justice prosecutors, a former Treasury official, and more than 100 white collar attorneys globally. We understand the value of solution-oriented advice that takes into consideration how compliance programs are developed, funded, staffed, cross-functionally implemented, and evaluated from the in-house perspective. Our team is also fully versed in how government investigators view compliance programs and make decisions about a company’s responsibility for employee or third-party wrongdoing.
1 U.S. DEP’T OF JUST., CRIMINAL DIVISION, EVALUATION OF CORPORATE COMPLIANCE PROGRAMS (2019), https://www.justice.gov/criminal-fraud/page/file/937501/download.