The Department of Justice (DOJ) updated its guidance to help prosecutors evaluate corporate compliance programs. Prosecutors rely on this guidance when evaluating business organizations during an investigation, when determining whether to bring charges, or when entering into a plea agreement.
The DOJ guidance asks prosecutors to answer three questions about the organization’s compliance program:
Is it well designed?
Is it applied effectively so that it mitigates risk identified during a risk assessment process?
Does the compliance program work in practice?
Well Designed: The DOJ’s guidance provides that the organization’s compliance program is well designed if the organization periodically performs a risk assessment process to identify and understand the organization’s risks, and maintains policies and procedures that incorporate processes that mitigate those risks. The policies and procedures should “incorporate the culture of compliance in its day-to-day operations.”
Effective: The DOJ’s guidance recommends that prosecutors assess the compliance program’s effectiveness. The “tone at the top” that is set by senior management should establish an ethical environment and culture of complying with the law. Appropriate governance should be established with independent board members to ensure that there is appropriate oversight, including auditing and a well-financed compliance function.
Does the Compliance Program Work? The DOJ’s guidance indicates that prosecutors should evaluate how the organization detects misconduct and the good-faith effort it makes in remediation, including performing a root cause analysis to understand how the misconduct occurred. The compliance program should continuously monitor the organization for new risks and improve the internal control system. The compliance program should include a testing program to identify any weaknesses in high-risk areas, and to ensure that controls work. The organization should also investigate and remediate the root cause of misconduct.
The DOJ’s guidance provides insight on best practices that all businesses should follow. The compliance program can be customized to address an organization’s size, risk profile and strategic goals.