Recently, the US Department of Justice (“DOJ”) issued updated corporate compliance guidance1.
What Stays the Same? DOJ continues to urge companies to:
- Adopt a risk-based compliance program, based on results of a rigorous assessment of the company’s risks,
- Embed preventative and detective controls tailored to those particular risks, and
- Be data driven in monitoring the effectiveness of those controls.
What Changes? The update suggests that the DOJ will be looking more closely at whether a company’s compliance program:
- Is adequately resourced,
- Has formalized processes to evaluate its effectiveness on an ongoing basis,
- Incorporates the use of data analytics, and
- Addresses relevant cross-border implications.
Why is This Important? More than ever, company reputation impacts shareholder value. A well-run compliance program is important to company reputation. It can give investors, employees (current and prospective), suppliers, customers, and communities a real sense of the company and its commitment to integrity. Compliance is also a key element in risk management.
What Does This Mean for Boards Oversight of Risk and Compliance programs? To get a better understanding of what the DOJ update means for your company and board, here are a few questions that directors might want to ask the company’s Chief Compliance Officer (“CCO”) at the next CCO report to the board or board committee (and which CCOs should prepare to answer). If such a report is not on the agenda, it would be good to add it!
Are We Resourcing Our Program Appropriately? In the past, the DOJ’s asked whether your compliance program was “being implemented effectively.” Going forward, the DOJ is likely to also ask whether your program is “adequately resourced and empowered to function effectively.” As COVID is prompting companies to cut budgets where they can, it would be good to talk with your CCO about whether the company is providing appropriate financial resources and authority to run the compliance program. Might not be a “yes” or “no” question – and it’s a good one to ask regularly as the company’s business evolves.
Data is a resource too. Your CCO may have thoughts about IT support provided to the compliance function. This is important because the DOJ is looking for companies to provide compliance personnel with the data they need for “timely and effective monitoring and/or testing of policies, controls, and transactions.”
How Are We Using Ongoing, Data-Driven Processes to Ensure Our Program’s Effectiveness? The DOJ is still looking at whether your compliance program is effective. However, now the DOJ wants to see that your company has formalized processes to evaluate your program, those processes are generating useful data, and your company is updating its program based on those evaluations and data.
No more will you receive credit for updates made “in light of lessons learned.” We suggest that you talk with your CCO about how your company would demonstrate that:
- Review of your compliance program is “based upon continuous access to operational data and information across functions,” and
- Your program includes a formalized tracking process to track your company’s and compliance developments in your industry.
Are We Making It Easy for Employees to be Compliant? The DOJ also wants companies to make compliance easy for employees. This is an opportune time to talk with your CCO about whether your company’s policies and procedures are readily available and searchable so employees can find pertinent provisions. And it would be good to ask how the CCO tracks the most accessed policies and what that tells the CCO?
Is Our Training Effective? Compliance training can take many forms. The DOJ will ask and therefore you might want to ask your CCO:
- How is our company evaluating our training’s effectiveness?
- How do our employees get answers to questions or issues prompted by our training?
Contemplating Buying a Company? Ask whether the integration plan includes a post-compliance compliance audit.
In What Ways are We Multi-National? Few companies are purely domestic. Supply chains, IT/data and sales can easily take a “domestic” company outside the US.
It’s not easy to structure a multi-national compliance program given variations in laws and circumstances in each of the countries where the company does business. We suggest talking to your CCO about the how the company’s compliance program takes into account the multi-national aspects of your business and what rationale your company uses in support of compliance decisions made in a multi-national context, including how those decisions “maintain the integrity and effectiveness” of your compliance program.
Hopefully, these suggested questions can form the basis for an ongoing, dynamic interchange between the board (or the audit or risk committee) and your CCO. And that interchange can help the CCO and company in efforts to improve compliance and mitigate risk in line with DOJ guidance. An enhanced corporate reputation may result as well.
1 U.S. Dep’t of Justice, Criminal Division, “Evaluation of Corporate Compliance Programs” (June 1, 2020), https://www.justice.gov/criminal-fraud/page/file/937501/download.
(C) Copyright 2020 Corporate Governance Partners, Chicago, IL
Connect With One of Our Experts
Does your board need help with decision-making? We're happy to help.