When establishing and implementing a compliance program, most organizations attempt to follow the U.S. Federal Sentencing Guidelines for Organizations (FSG) § 8B2.1 Effective Compliance and Ethics Program.[1]
The elements of an FSG compliance program include:
- High-level company personnel who exercise effective oversight and have direct reporting authority to the governing body or appropriate subgroup (e.g., audit committee);
- Written policies and procedures;
- Training and education;
- Lines of communication;
- Standards enforced through well-publicized disciplinary guidelines;
- Internal compliance monitoring;
- Response to detected offenses (including remediation of harm caused by criminal conduct) and corrective action plans (including assessment and modification of the compliance and ethics program); and
- Periodic risk assessments.
While the FSG set forth basic elements of an effective compliance program, they make clear that no single compliance program design fits every organization, and an organization’s industry, size, structure, and mission all influence program design and operation.
The challenge for compliance professionals trying to implement and monitor an effective FSG compliance program is that, if you do your job really well and have a little luck, nothing happens. Thus, every compliance officer faces the same existential question: "Is your compliance program effective?"
Compliance professionals can take heart that the U.S. Department of Justice (DOJ) Criminal Division has recently issued an updated guidance memo that sets forth additional detail regarding its expectations of effective compliance programs. In this article, we synthesize the recent DOJ guidance and suggest best practices. We also discuss newer tools, such as Capability Maturity Models (CMM), that can be adapted for measuring compliance program effectiveness.
Evaluation of Corporate Compliance Programs, March 2023 update
In March 2023, DOJ updated its Evaluation of Corporate Compliance Programs.[2] This 20-page document provides specificity into the elements required of a corporate compliance program. While not exhaustive, the guidance provides a critical roadmap for compliance professionals to benchmark their programs in the event of a worst-case-scenario review and enforcement action from DOJ. While DOJ is the focus of this article, compliance professionals should note their industry-specific regulators that may have additional requirements for an effective corporate compliance program (e.g., U.S. Department of Health & Human Services, Office of Inspector General; Securities and Exchange Commission; Department of Commerce; Department of State; Department of the Treasury; and local attorneys general).
The 2023 memo poses three guiding questions when evaluating a compliance program:
- Is it well designed? In other words, does it provide maximum effectiveness in preventing and detecting wrongdoing?
- Is it adequately resourced and empowered to function effectively? In other words, is the program implemented, reviewed, and revised as appropriate in an effective manner? This includes resourcing and communications about the compliance program.
- Is it working in practice? In other words, how is misconduct detected and remediated, and how has the program grown since the misconduct?
DOJ provides a good amount of information in its memo on what it wants to see related to design and resourcing/effectiveness. In the area of design, DOJ wants to see processes around risk assessment, policies and procedures, training and communications, confidential reporting and investigations (with incentives and discipline), third-party management, and due diligence around mergers and acquisitions.
In the area of resourcing and effective functioning, DOJ wants to see a culture of compliance from the top and middle of the organization, with the compliance program having the appropriate level of independence and resourcing. The March 2023 memo also focuses on compensation structures and consequence management, with the goal of enhancing individual accountability. DOJ will now assess whether the organization internally publicizes disciplinary actions and tracks data about those actions to confirm they are effective. The memo also gives extensive guidance on how compliance must be built, effectively and consistently, into promotion criteria and clawback provisions throughout an organization's human resources (HR) processes, disciplinary measures, and financial incentives for employees.[3]
This article focuses on assessing whether a compliance program is actually working in practice.
Measuring program effectiveness: What does DOJ want to see?
In its 2023 memo, DOJ outlines several parameters on how to assess if a compliance program is working in practice to promote individual accountability. DOJ’s focus on individual accountability—and DOJ’s desire to see compliance programs designed around individual accountability—is not unique among federal authorities. The U.S. Federal Trade Commission, for example, recently finalized a remarkable order against online alcohol marketplace Drizly and, notably, its CEO, James Cory Rellas. The order, which arises from a consumer data breach, imposes certain information security requirements on Drizly and Rellas individually, even if Rellas moves to a different company.[4]
Generally, DOJ wants to see continuous improvement, monitoring, and testing, with an emphasis on root cause analysis. The program must also incorporate lessons learned through culture surveys, audits, investigations, and updated risk assessments, policies, and practices. DOJ also has specific guidance on root cause analysis: it must be timely and must examine the nature of the misconduct involved, the control failures that allowed it, the prior opportunities to detect and correct it, and the specific remediation and accountability steps taken going forward.
The March 2023 DOJ memo also adds two new sections. The first, on compensation structures and consequence management, asks whether the company's compensation and disciplinary systems are actually used to promote an ethical culture and to hold individuals accountable for misconduct throughout the organization.
The second section extensively discusses third-party messaging applications that may contain company information relevant to an investigation. It covers present-day methods of communication, including social media and ephemeral messaging applications, and the common practice of employees bringing their own devices for official company communications. Prosecutors will now ask two things: "What electronic communication channels do the company and its employees use, or allow to be used, to conduct business?" and "What mechanisms has the company put in place to manage and preserve information contained within each of the electronic communication channels?"[5]
To have an effective compliance program, companies will need clear policies that allow the company to capture, preserve, and retain company messages, data, and information sent over personal phones or messaging applications in the company's record-keeping systems. These policies must also be communicated, followed, and enforced in practice. In a recent speech, DOJ went further: if a company claims it cannot produce information from a communication channel, DOJ will verify what access the company actually has to that channel.[6]