While the Federal Sentencing Guidelines’ definition of an effective compliance and ethics program continues to be the most influential set of guidelines regarding how to structure a program, a number of additional, important directives have been promulgated by the US government; multinational organizations, such as the Organisation for Economic Co-operation and Development (OECD) and the United Nations; and other governments. Many of these standards build on the guidelines’ definition of an effective program, although in some cases, they also add considerable additional detail to the guidelines’ definition.
What follows is a discussion of some of the more important standards that have been promulgated by the US government and other bodies, including those issued by the US Department of Justice and the Securities and Exchange Commission, and those contained in the Sarbanes-Oxley Act, the New York Stock Exchange (NYSE), and Nasdaq corporate governance rules. The above is just a sampling of the guidance promulgated by various authorities.
US Standards Relating to Compliance Programs
Department of Justice Evaluation Guidance
In June 2020, the U.S. Criminal Division of the Department of Justice (DOJ) issued a revised memorandum on Evaluation of Corporate Compliance Programs (DOJ evaluation guidance), which contains detailed guidance regarding how prosecutors should evaluate the effectiveness of a compliance and ethics program in the context of making charging, plea, and sentencing determinations. The 2020 revisions update a version of the guidance that DOJ released in April 2019, which, in turn, had updated a set of evaluation questions posted on the website of the DOJ’s Fraud Section in February 2017.
The DOJ evaluation guidance begins with the US government’s familiar refrain that compliance programs must be evaluated within the context of a particular criminal investigation, and the government therefore does not apply a “rigid formula” to assess a program. The DOJ instead undertakes to:
Make a reasonable, individualized determination in each case that considers various factors including, but not limited to, the company’s size, industry, geographic footprint, regulatory landscape, and other factors, both internal and external to the company’s operations, that might impact its compliance program.
The memo repeats the three questions that the government has long indicated will frame its evaluation of programs: “(1) ‘Is the corporation’s compliance program well designed?’ (2) ‘Is the program being applied earnestly and in good faith?’ In other words, is the program adequately resourced and empowered to function effectively? (3) ‘Does the corporation’s compliance program work’ in practice?” The memo then discusses a number of specific factors and questions that DOJ may consider in evaluating any given compliance program, with the caveat that, “in any particular case, the topics and questions set forth below may not all be relevant, and others may be more salient given the particular facts at issue and the circumstances of the company.” The specific criteria discussed and questions asked in the DOJ evaluation guidance are organized using those “three fundamental questions” set forth above.
Under the primary question of whether a company’s program is well designed, the guidance begins with a discussion of the effectiveness of the organization’s risk assessment process, including the admonition that “prosecutors should endeavor to understand why the company has chosen to set up the compliance program the way that it has, and why and how the company’s compliance program has evolved over time.” The risk assessment discussion includes questions regarding the methodology the company uses to assess the particular risks it faces; how the information obtained in a risk assessment has informed the compliance program; whether the risk assessment is current and subject to periodic review; and whether the periodic review has led to updates in policies, procedures, and controls. The 2020 revisions to the DOJ evaluation guidance added the question of whether the company has a process for tracking and incorporating into its periodic risk assessment lessons learned either from the company’s own prior issues or from those of other companies operating in the same industry and/or geographical region.
The guidance next tackles the topic of compliance policies and procedures, including the process for designing and implementing policies and procedures, the company’s methods of communicating policies and procedures and accessibility to employees and others, the extent to which policies and procedures have been integrated into the company’s operations, and what guidance and training have been given to the gatekeepers in the control processes, meaning those who have responsibility for approvals and certifications. The 2020 revisions to the guidance added the questions of whether the policies and procedures have been published in a searchable format for easy reference and whether the company tracks access to various policies and procedures to understand what policies are attracting more attention from relevant employees.
The next topic in the program design section of the guidance is training and communications. Here, the guidance first discusses the importance of assessing whether the company has relayed information in a manner tailored to the audience’s size, sophistication, or subject matter expertise. The guidance notes that some companies “give employees practical advice or case studies to address real-life scenarios, and/or guidance on how to obtain ethics advice on a case-by-case basis as needs arise.” The 2020 revisions add that some companies have also invested in shorter, more targeted training sessions to enable employees to timely identify and raise issues to appropriate compliance, internal audit, or other risk management functions. In this section, the guidance asks a number of important questions, including:
“What training have employees in relevant control functions received?”
“Have supervisory employees received different or supplementary training?”
“What analysis has the company undertaken to determine who should be trained and on what subjects?”
“Has the training been offered in the form and language appropriate for the audience?”
“Has the training addressed lessons learned from prior compliance incidents?”
“How has the company measured the effectiveness of the training?”
“How has the company addressed employees who fail all or a portion of the testing?”
“What communications have there been generally when an employee is terminated or otherwise disciplined for failure to comply with the company’s policies, procedures, and controls (e.g., anonymized descriptions of the type of misconduct that leads to discipline)?”
“How has the company assessed whether its employees know when to seek advice and whether they would be willing to do so?”
The 2020 revisions added the questions of whether there is a process by which employees can ask questions arising out of the training and whether the company has evaluated the extent to which the training has an impact on employee behavior or operations.
The guidance then discusses the company’s confidential reporting structure and investigation process. With respect to a company’s reporting procedures, the evaluation questions include how reporting mechanisms are publicized to employees; how the company assesses the allegations it receives; whether the compliance function has full access to reporting and investigative information; and how the company collects, tracks, analyzes, and uses information from its reporting mechanisms. The 2020 revisions add the questions of whether the company takes measures to test whether employees are aware of the hotline and feel comfortable using it and whether the company periodically tests the effectiveness of the hotline, for example by tracking a report from start to finish. With respect to investigations, the guidance asks how the company ensures that investigations are properly scoped; what steps are taken to ensure investigations are independent, objective, appropriately conducted, and properly documented; and the process for monitoring the outcome of investigations and ensuring accountability for the response to any findings or recommendations and whether investigating mechanisms are sufficiently funded.
The guidance contains a subsection on the application of a company’s compliance program to its third parties, including questions regarding the due diligence conducted on third parties, how the company ensures an appropriate business rationale and appropriate contract terms of a relationship, and how compliance of third parties is managed. The guidance also asks questions related to how companies consider compliance in the due diligence process for mergers and acquisitions and how they integrate newly acquired companies into their compliance programs.
Earnest, Good-Faith Application
The 2020 revisions modified the second primary question that prosecutors are instructed to ask about compliance programs. The question had initially read, “Is the program being applied earnestly and in good faith? In other words, is the program being implemented effectively?” The question now reads as follows: “‘Is the program being applied earnestly and in good faith?’ In other words, is the program adequately resourced and empowered to function effectively?” This revision indicates an increased focus on ensuring that programs are resourced appropriately and have the authority they need to function properly. This section includes discussions of management commitment and support, autonomy and resources, and incentives and disciplinary measures. With respect to management commitment and support of the program, the guidance instructs prosecutors to “examine the extent to which senior management have clearly articulated the company’s ethical standards, conveyed and disseminated them in clear and unambiguous terms, and demonstrated rigorous adherence by example. Prosecutors should also examine how middle management, in turn, have reinforced those standards and encouraged employees to abide by them.” The guidance also asks what compliance expertise has been available on the board of directors, whether the internal or external auditors have held executive or private sessions with the compliance and control functions, and what types of information the board and senior management have examined in their exercise of oversight in the area in which misconduct occurred.
The subtopic of “Autonomy and Resources” contains some of the most important questions addressed in the guidance. This section instructs prosecutors to consider “the sufficiency of the personnel and resources within the compliance function, in particular, [and] whether those responsible for compliance have: (1) sufficient seniority within the organization; (2) sufficient resources, namely, staff to effectively undertake the requisite auditing, documentation, and analysis; and (3) sufficient autonomy from management, such as direct access to the board of directors or the board’s audit committee.” Some of the specific questions asked in this subsection include the following:
“Where within the company is the compliance function housed (e.g., within the legal department, under a business function, or as an independent function reporting to the CEO and/or board)? To whom does the compliance function report?”
“Is the compliance function run by a designated chief compliance officer, or another executive within the company, and does that person have other roles within the company?”
“How does the compliance function compare with other strategic functions in the company in terms of stature, compensation levels, rank/title, reporting line, resources, and access to key decision-makers?”
“What role has compliance played in the company’s strategic and operational decisions?”
“Do compliance and control personnel have the appropriate experience and qualifications for their roles and responsibilities?”
“Do the compliance and relevant control functions have direct reporting lines to anyone on the board of directors and/or audit committee?”
“How does the company ensure the independence of the compliance and control personnel?”
The 2020 revisions add the following questions to this subsection:
“What are the reasons for the [program] structural choices the company has made?”
“How does the company invest in further training and development of the compliance and other control personnel?”
“Do compliance and control personnel have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls, and transactions?”
“Do any impediments exist that limit access to relevant sources of data and, if so, what is the company doing to address the impediments?”
In the last subtopic of this section, “Incentives and Disciplinary Measures,” the guidance states that:
Some companies have found that publicizing disciplinary actions internally, where appropriate and possible, can have valuable deterrent effects. At the same time, some companies have also found that providing positive incentives—personnel promotions, rewards, and bonuses for improving and developing a compliance program or demonstrating ethical leadership—have driven compliance. Some companies have even made compliance a significant metric for management bonuses and/or have made working on compliance a means of career advancement.
Some of the questions that appear in this subsection include the following:
“Is the same process [for making disciplinary decisions] followed for each instance of misconduct, and if not, why?”
“Are the actual reasons for discipline communicated to employees? If not, why not?”
“Have disciplinary actions and incentives been fairly and consistently applied across the organization?”
“Are there similar instances of misconduct that were treated disparately, and if so, why?”
“Has the company considered the implications of its incentives and rewards on compliance?”
“How does the company incentivize compliance and ethical behavior?”
“Who determines the compensation, including bonuses, as well as discipline and promotion of compliance personnel?”
The 2020 revisions added the question of whether the compliance function monitors its investigations and resulting discipline to ensure consistency.
Works In Practice
The final primary question that prosecutors are asked to address—whether the program works in practice—explores three subtopics: (1) continuous improvement, testing, and review; (2) investigation; and (3) analysis and remediation of misconduct. With respect to the area of continuous improvement, the guidance contains the helpful commentary that:
One hallmark of an effective compliance program is its capacity to improve and evolve. The actual implementation of controls in practice will necessarily reveal areas of risk and potential adjustment. A company’s business changes over time, as do the environments in which it operates, the nature of its customers, the laws that govern its actions, and the applicable industry standards. Accordingly, prosecutors should consider whether the company has engaged in meaningful efforts to review its compliance program and ensure that it is not stale. Some companies survey employees to gauge the compliance culture and evaluate the strength of controls, and/or conduct periodic audits to ensure that controls are functioning well, though the nature and frequency of evaluations may depend on the company’s size and complexity.
In this section, the guidance poses questions about compliance auditing, control testing, and continuous assessment and improvement. The 2020 revisions added the question of whether the company reviews and adapts its compliance program based upon lessons learned from its own misconduct and/or that of other companies facing similar risks. In addition, this section of the guidance discusses the culture of compliance at a company. Specifically, it asks how often and how the company measures its culture of compliance, whether the company seeks input from all levels of employees to determine whether they perceive senior and middle management to be committed to compliance, and what steps the company has taken in response to its measurement of compliance culture.
The final area of program review also addresses compliance and ethics (C&E) investigations and response to misconduct. These sections pose questions related to the efficacy of the investigation process and “the extent to which a company is able to conduct a thoughtful root cause analysis of misconduct and timely and appropriately remediate to address the root causes.”
Department of Justice Antitrust Division Guidance
In July 2019, the Antitrust Division of DOJ announced a new policy (and a reversal of its longstanding former policy) that requires Antitrust Division prosecutors to evaluate an organization’s compliance and ethics program in determining whether to charge the organization and whether to adjust any resulting sentence. For decades, the Antitrust Division had used an all-or-nothing approach, granting corporate leniency to the first company to self-report an antitrust violation, but giving no compliance program credit to others, regardless of the efficacy of their programs. Under the new policy, companies with strong compliance programs may be eligible for deferred prosecution agreements even where they were not the first to self-report. This landmark change to the Antitrust Division’s approach to crediting compliance programs came after years of urging by members of the C&E community, led by Joseph Murphy.
The new policy is contained in a memorandum titled Evaluation of Corporate Compliance Programs in Criminal Antitrust Investigations. The memo also contains extensive guidance on what the division considers to be the important elements of an effective compliance program. The memo lists nine factors that the Antitrust Division asks prosecutors to consider when evaluating the effectiveness of an antitrust compliance program, including “(1) the design and comprehensiveness of the program; (2) the culture of compliance within the company; (3) responsibility for, and resources dedicated to, antitrust compliance; (4) antitrust risk assessment techniques; (5) compliance training and communication to employees; (6) monitoring and auditing techniques, including continued review, evaluation, and revision of the antitrust compliance program; (7) reporting mechanisms; (8) compliance incentives and discipline; and (9) remediation methods.”
The memo contains a list of questions that prosecutors may ask about an antitrust compliance program for each of the nine program factors listed above. For example, with respect to the culture of compliance within the company, the memo asks, among other questions:
“What is the company’s senior leadership doing to convey the importance of antitrust compliance to company employees?”
“How have senior leaders, through their words and actions, encouraged (or discouraged) antitrust compliance?”
“What concrete actions have [senior leaders] taken to demonstrate leadership in the company’s antitrust compliance or remediation efforts[,] if relevant?”
The memo then goes through an analysis of how Chapter 8 of the US Sentencing Commission Guidelines Manual can be applied to antitrust cases when considering sentencing reductions for an effective compliance program.
Department of Justice Prosecution Standards
Twenty years prior to the promulgation of the extensive guidance discussed above, in June 1999, DOJ issued its first formal incentive and guidance for organizations to implement compliance programs. It was in the form of a memo instructing federal prosecutors to consider the existence of an organization’s compliance program when determining whether to charge an organization for the misconduct of its employees and agents. The memo, entitled “Federal Prosecution of Corporations,” became known as the “Holder Memo” after its author, then Deputy Attorney General Eric Holder. The Holder Memo became the “Thompson Memo” when it was revised in 2003 (after then Deputy Attorney General Mark Thompson), then the “McNulty Memo” in December 2006 (after Deputy Attorney General Paul J. McNulty), and finally, in 2008, was again revised and incorporated into the United States Attorneys’ Manual, which has since been renamed the Justice Manual.
The DOJ prosecution standards state that, in determining whether to charge a corporation for criminal misconduct, prosecutors should consider the same factors they would consider in determining whether to charge individuals, including the sufficiency of the evidence; the likelihood of success at trial; the probable deterrent, rehabilitative, and other consequences of conviction; and the adequacy of noncriminal approaches. In addition, because of the special nature of corporations and other organizations, prosecutors should consider the following when determining whether to charge an organization:
The “nature and seriousness of the offense, including the risk of harm to the public”;
The “pervasiveness of wrongdoing within the corporation,” including the complicity of management;
The “corporation’s history of similar misconduct”;
The “corporation’s willingness to cooperate, including as to potential wrongdoing by its agents”;
The “adequacy and effectiveness of the corporation’s compliance program at the time of the offense, as well as at the time of a charging decision”;
The “corporation’s timely and voluntary disclosure of wrongdoing”;
The “corporation’s remedial actions, including, but not limited to, any efforts to implement an adequate and effective corporate compliance program or to improve an existing one”;
“[C]ollateral consequences, including whether there is disproportionate harm to shareholders, pension holders, employees, and others not proven personally culpable, as well as impact on the public arising from the prosecution”;
The “adequacy of remedies such as civil or regulatory enforcement actions, including remedies resulting from the corporation’s cooperation with relevant government agencies”; and
The “adequacy of the prosecution of individuals responsible for the corporation’s malfeasance.”
Thus, in making a prosecution decision, prosecutors are instructed to consider (among other things) whether the company had, and the adequacy of, its preexisting compliance program, and whether, after the alleged misconduct, the company implemented or took measures to improve its compliance program.
While explicitly stating that DOJ has “no formulaic requirements regarding corporate compliance programs,” the standards provide that the fundamental questions any prosecutor should ask are: “Is the corporation’s compliance program well designed? Is the program being applied earnestly and in good faith? Does the corporation’s compliance program work?” To answer these questions, prosecutors are instructed to consider whether the corporation has established corporate governance mechanisms that can effectively detect and prevent misconduct, such as whether directors exercise independent review, whether directors are provided with information sufficient to enable the exercise of independent judgment, whether internal audit functions are conducted at a level sufficient to ensure their independence and accuracy, and whether directors have established an information and reporting system reasonably designed to provide management and the board of directors with timely and accurate information regarding compliance. Prosecutors are also directed to determine:
“[W]hether a corporation’s compliance program is merely a ‘paper program’ or whether it was designed [and] implemented…in an effective manner”;
“[W]hether the corporation has provided for a staff sufficient to audit, document, analyze, and utilize the results of the corporation’s compliance efforts”;
“[W]hether the corporation’s employees are adequately informed about the compliance program and are convinced of the corporation’s commitment to it”; and
Whether the program is “designed to detect the particular types of misconduct most likely to occur in a particular corporation’s line of business.”
The Sarbanes-Oxley Act of 2002 (Sarbanes-Oxley), which passed in response to the massive corporate failures at companies such as Enron and WorldCom in the first part of this century, contains requirements regarding codes of ethics and reporting procedures—two essential components of compliance programs. The legislation is important in part because it is a federal congressional directive regarding certain aspects of compliance programs that is broadly applicable (to US issuers).
Section 406 of Sarbanes-Oxley requires issuers of securities to disclose in periodic reports whether they have adopted a code of ethics for senior financial officers and if not, to explain why. The Securities and Exchange Commission (SEC) regulations broaden the applicability of the section 406 code of ethics to include the chief executive officer (as well as the chief financial officer and controller, as provided by the legislation). Section 406 defines a code of ethics to mean written standards that are reasonably designed to deter wrongdoing and to promote (i) honest and ethical conduct, including the ethical handling of conflicts of interest; (ii) full, fair, accurate, timely, and understandable disclosure in reports and documents filed with or submitted to the SEC and in other public communications; (iii) compliance with applicable laws, rules, and regulations; (iv) prompt internal reporting of code violations to an appropriate person; and (v) accountability for adherence to the code.
Sarbanes-Oxley also requires that any amendments to or waivers of the code be immediately disclosed in a public filing with the SEC on a Form 8-K or on a company’s internet site. If posted on the internet, the disclosure must remain posted for 12 months and be available to the SEC for another five years thereafter. The law also requires that the code of ethics be publicly available (i) as an exhibit to a company’s annual report; (ii) on the company’s internet site; or (iii) by providing an undertaking in a company’s annual report to provide a copy of the code to any person without charge upon request.
Whiles section 406 does not require organizations to have codes (but instead to make a disclosure regarding whether they have them and, if not, why they do not), it has—not surprisingly—led to the adoption of codes for many organizations. In addition, the requirement that organizations publicly disclose waivers of the 406 code (that apply to an organization’s chief executive officer, chief financial officer, or controller) has caused organizations to focus closely on the language and import of these codes in a way that they may not otherwise have done. The legislation has, in other words, increased the importance of both the existence and contents of codes for many organizations.
Another provision of Sarbanes-Oxley (section 301) concerns reporting procedures. Section 301 directs the national securities exchanges and associations to prohibit the listing of securities of any company where: 1) the audit committee of the company has not established procedures for the receipt, retention, and treatment of complaints received by the company regarding accounting, internal accounting controls, or auditing matters; and 2) the confidential, anonymous submission by employees of concerns regarding questionable accounting or auditing matters. In the regulations promulgated pursuant to the law, the SEC states that it does not mandate specific requirements for reporting procedures because companies should be provided with flexibility to develop those procedures that are most appropriate to their circumstances.
This section of Sarbanes-Oxley is interesting in a couple of different respects. First, it places the onus on the audit committee of the board to establish the prescribed reporting procedures. This placement of responsibility is consistent with Delaware case law regarding a board of director’s responsibilities for oversight of an organization’s compliance program. (Note, however, that while Sarbanes-Oxley requires audit committees to establish reporting procedures, neither the legislation nor the implementing regulations require audit committees to have a management role in their implementation.) Second, the legislation specifically discusses the requirement that a company’s reporting procedures include means for employees to make confidential, anonymous submissions. This provision of Sarbanes-Oxley resulted in a substantial number of organizations developing or enhancing their hotlines and other reporting procedures. For those organizations operating in Western Europe, it also created tension between organizations’ desire to comply with this provision of Sarbanes-Oxley and European privacy laws.
New York Stock Exchange and Nasdaq Governance Rules
In 2003, again in response to Enron, WorldCom, and other corporate debacles of that time, the SEC approved corporate governance rules proposed by the NYSE and Nasdaq, including a requirement that listed companies adopt and disclose a code of business conduct and ethics applicable to all directors, officers, and employees. The NYSE rules recommend that codes address the following topics: (i) conflicts of interest; (ii) corporate opportunities; (iii) confidentiality; (iv) fair dealing; (v) protection and proper use of company assets; (vi) compliance with laws, rules, and regulations, including insider trading laws; and (vii) reporting illegal or unethical behavior. Similar to Sarbanes-Oxley, NYSE rules require that waivers of the code for directors and executive officers be made only by the board of directors or a board committee and be promptly disclosed to shareholders.
Nasdaq rules require the codes adopted by Nasdaq-listed companies satisfy the definition of a code of ethics as set forth in section 406(c) of Sarbanes-Oxley and the regulations promulgated thereunder by the SEC (discussed in the previous paragraph). Nasdaq rules also require that the code contain an enforcement mechanism, protection for reporting persons, clear and objective standards for compliance, and a fair process to determine violations and that waivers for executive officers and directors be approved by the board and publicly disclosed.
DOJ and SEC Resource Guide to the Foreign Corrupt Practices Act
In July 2020, DOJ and the SEC released a new edition of their joint document that provides extensive guidance on compliance programs—A Resource Guide to the U.S. Foreign Corrupt Practices Act, Second Edition (Resource Guide). The Foreign Corrupt Practices Act (FCPA) is a US law that prohibits individuals and organizations from bribing officials of non-US governments and certain nongovernmental organizations.
Anti-bribery laws have been particularly fertile ground for the issuance of guidance on compliance programs. In the United States, DOJ and the SEC have created requirements for specific anti-bribery programs in the form of deferred and nonprosecution agreements. However, the compliance program standards contained in the Resource Guide are of note because they are widely applicable and contain extensive information about what DOJ and the SEC consider to be the hallmarks of an effective C&E program. While the Resource Guide is directed specifically at FCPA compliance, it contains a wealth of more general C&E program information.
The Resource Guide’s discussion of C&E programs is consistent with and, in many ways, tracks the Federal Sentencing Guidelines’ definition of an effective C&E program. The Resource Guide’s discussion begins with an examination of the importance of risk assessment, recommending that compliance programs “be tailored to an organization’s specific needs, risks, and challenges.” It also warns against a check-the-box program, stating that the government’s directives on C&E program criteria should not be considered a substitute for a company’s own assessment of its particular program needs.
The Resource Guide contains an extensive discussion of C&E policies and codes of conduct, emphasizing the significance of both having clear and accessible policies and of periodic revision. The Resource Guide provides that “[t]he most effective codes are clear, concise, and accessible to all employees and to those conducting business on the company’s behalf.” The Resource Guide also discusses the importance of providing policies in the local language. “[I]t would be difficult to effectively implement a compliance program if it was not available in the local language so that employees in foreign subsidiaries can access and understand it.” With respect to periodic review and revision, the Resource Guide provides that, “[w]hen assessing a compliance program, DOJ and SEC will review whether the company has taken steps to make certain that the code of conduct remains current and effective and whether a company has periodically reviewed and updated its code.”
The Resource Guide includes a fairly extensive discussion of C&E training, providing that “[s]uch training typically covers company policies and procedures, instruction on applicable laws, practical advice to address real-life scenarios, and case studies.” The guide emphasizes the importance of presenting training information “in a manner appropriate for the targeted audience, including providing training and training materials in the local language.” The guide goes on to provide that “companies may want to consider providing different types of training to their sales personnel and accounting personnel with hypotheticals or sample situations that are similar to the situations they might encounter.” This type of role-based training holds particular promise for increasing the effectiveness of C&E training.
DOJ and the SEC discuss C&E incentives in some detail in their Resource Guide:
DOJ and SEC recognize that positive incentives can also drive compliant behavior. The incentives can take many forms such as personnel evaluations and promotions, rewards for improving and developing a company’s compliance program, and rewards for ethics and compliance leadership. Some organizations, for example, have made adherence to compliance a significant metric for management’s bonuses so that compliance becomes an integral part of management’s everyday concern. Beyond financial incentives, some companies have highlighted compliance within their organizations by recognizing compliance professionals and internal audit staff. Others have made working in the company’s compliance organization a way to advance an employee’s career.
The Resource Guide emphasizes both disciplinary procedures and consistency and fairness in discipline for violations of applicable law and company policies. The guide provides that the government will consider “whether, when enforcing a compliance program, a company has appropriate and clear disciplinary procedures, whether those procedures are applied reliably and promptly, and whether they are commensurate with the violation.” The Resource Guide also endorses the practice of publicizing disciplinary decisions—a practice that many companies have not yet implemented. “Many companies have found that publicizing disciplinary actions internally, where appropriate under local law, can have an important deterrent effect, demonstrating that unethical and unlawful actions have swift and sure consequences.”
The Resource Guide also discusses the importance of helplines and other reporting procedures, providing that “[a]n effective compliance program should include a mechanism for an organization’s employees and others to report suspected or actual misconduct or violations of the company’s policies on a confidential basis and without fear of retaliation.” The guide specifically mentions anonymous hotlines and ombudsmen as two appropriate types of reporting procedures.
The Resource Guide also discusses the importance of appropriate investigations, providing that:
[O]nce an allegation is made, companies should have in place an efficient, reliable, and properly funded process for investigating the allegation and documenting the company’s response, including any disciplinary or remediation measures taken. Companies will want to consider taking “lessons learned” from any reported violations and the outcome of any resulting investigation to update their internal controls and compliance program and focus future training on such issues, as appropriate.
Lastly, the Resource Guide discusses the importance of periodic review and revision of a company’s C&E efforts. As the guide asserts, “a good compliance program should constantly evolve.” DOJ and the SEC note that an organization’s changing circumstances (including changes to its business, the environments in which it operates, the nature of its customers, the laws that govern its actions, and the standards of its industry) necessitate changes in its C&E measures. The guide also notes that C&E programs will “inevitably uncover compliance weaknesses and require enhancements.” Review and improvement are, therefore, essential components of any program.