
DOJ Compliance Guidance Update: Flexibility and Data Centric Programs

Earlier this month, the Department of Justice (DOJ) updated its Evaluation of Corporate Compliance Programs guidance. The updated guidance does not suggest that corporations will be rewarded for deemphasizing or not financially supporting effective compliance programs during these difficult and uncertain times. Rather, the guidance states that an evaluation of the efficacy of compliance programs should "address the sufficiency of the personnel and resources within the compliance function." One measure of the sufficiency of personnel and resources is funding. If funding cuts are made in compliance areas, those cuts need to be offset with increased efficiency and process improvements. And DOJ emphasizes its own flexibility in evaluating corporate compliance programs and recognizes that one size does not fit all. There must be "a reasonable individualized determination in each case."  Thus, factors to be considered by DOJ include a company's "size, industry, geographic footprint and regulatory landscape."

Specifically, compliance programs will be evaluated by DOJ using three primary criteria:

  1. Is the compliance program well designed? A prior criterion.
  2. Is the compliance program adequately resourced and empowered to function effectively? This criterion has new language and emphasis in DOJ's updated guidance.
  3. Does the compliance program work? Again, a prior criterion.

Criterion two implicates current economic realities. However, the need to maintain effective compliance programs will force companies to increase the use of technology and do more with the same or fewer resources.

Reasonable, Flexible Responses to Promote Compliance

The current economic downturn caused by the COVID-19 crisis and the economic uncertainty associated with a potential "second wave" of the virus have impacted every facet of business. In austere and uncertain times, companies often make cost cuts in areas not deemed as vital as those associated with the greatest creation of economic value – revenue, profits, and stock prices. For example, a manufacturer might determine that assembly line workers are more critical than occupational safety professionals. Since the first evaluation criterion is whether the compliance program is well designed, frequent evaluation of the efficacy of compliance programs should always be a continuous and ongoing process. A comprehensive evaluation of the compliance program should identify opportunities for improvement and increased efficiency using technology, data analysis, increased collaboration/breaking down "stove pipes," and improved internal communications, from employee input to board awareness.

Companies still need risk management, continuous improvement, quality, safety, internal audit, legal counsel, finance, accounting, human resources, security (cyber, physical, information and personnel), project management and other functions. Now, they just need these functions to be more efficient, collaborative, proactive and process driven as opposed to slow, reactive and defensive. These enhancements cannot be accomplished in corporate silos.

Added to criterion two in the guidance is "access to relevant sources of data" for continual monitoring and testing. To meet the updated guidance emphasis on ongoing risk assessments and implementing lessons learned, companies should consider using information sharing technology, such as SharePoint or dashboards, to continuously share and evaluate data and other information that impacts, or could impact, corporate risk and performance across functional boundaries. A coordinating group, whether it be called a compliance committee, risk committee or a quality committee, should include human resources, legal counsel, security, IT, internal audit, finance/accounting, as well as business unit representation to share and discuss risks, data trends, performance trends, customer complaints and other matters that impact compliance or indicate potential misconduct. This group should report to senior management and have the power to recommend compliance program improvements and internal investigations when compliance problems or employee wrongdoing is suspected.

In following the updated guidance's emphasis on "access to relevant sources of data," the types of data that should be mined as part of a well-functioning corporate compliance program will vary depending on the industry. At a minimum, financial data should be analyzed to determine compliance with company policies. For example, disbursements could be compared to approved vendors to determine whether payments have been made to improper parties. These and other third-party risks are highlighted in the updated guidance. Even obtaining compliance certifications from third parties could be implemented. Audits of new acquisitions and continual vetting of third parties may also enhance compliance.

Employee and customer data can help. Employee facility access data could be used to determine whether employees are working at unusual hours or visiting areas where they have no legitimate business reason to enter. Customer survey data could be searched to determine if there are common complaints that might be associated with compliance problems. IT system monitoring data can reveal inappropriate access to files and significant downloads of company information. Worker injury data, surveys and environmental data could be monitored to provide insights into the workforce's overall attitude towards compliance.

These examples are far from exhaustive. Determining what data should be analyzed as part of a corporate compliance program will require comprehensive knowledge of the industry and company culture and significant brainstorming. Again, this cannot be accomplished by a few low-level "compliance" personnel. It will require significant collaboration and open communications among all departments and company leadership, including the C-Suite and Board. One of the more significant evaluation factors described in the DOJ guidance is the commitment of company leadership to "implement a culture of compliance from the middle and the top."  In addition, information obtained from more traditional sources such as employee hotline complaints (with employee training and tracking), complaints to HR or management, exit interviews, whistleblower complaints, and vendor or customer complaints should continue to be evaluated and addressed. Finally, there needs to be follow-up to ensure a problem does not occur again and, if appropriate, employee disciplinary action should be taken. Testing and assessment of the program will be key under the updated guidelines.

Tying Corporate Compliance and Internal Investigations

One of the hallmarks of an effective corporate compliance program is the ability to have qualified individuals conduct well-scoped, appropriately funded, independent, objective and thoroughly documented investigations. Just as in the prior DOJ 2019 guidance, reporting mechanisms and investigations are one of the 12 topics considered as a basic element for achieving an effective compliance program. Companies should have established and consistently followed processes for conducting internal investigations. These investigations need to be conducted thoroughly and in a timely manner. 

Although some of the procedural aspects of conducting internal investigations have been impacted by the current business realities (remote workers, social distancing, limited travel, etc.), the need to conduct them properly remains, as underscored by the recent update to the DOJ guidance. It would be imprudent for a company to defer an investigation because of travel impacts, remote workers or some other COVID-19-related reason. If there is a deficiency or alleged misconduct that warrants investigation, the investigation still needs to be done without delay. In meeting the DOJ guidance emphasis on testing, the effects of corporate compliance programs are not just preventing misconduct but also catching misconduct, investigating and remediating, and learning from the experience, then tweaking and enhancing the program.

If you have any questions, please contact one of the authors or any member of Baker Donelson's Government Enforcement and Investigations Team.
