Without fanfare or forewarning, the US Department of Justice released new anti-corruption compliance guidance on February 8, 2017. The eight page document provides rare insight into the government’s evaluation of corporate compliance programs. Companies designing compliance programs, conducting internal investigations, or facing a bribery or books and records-related government inquiry can now look to the appropriately titled “Evaluation of Corporate Compliance Programs” for a hint at the types of questions they should be prepared to answer.
As emphasized in the Department of Justice and Security and Exchange Commission’s November 2012 FCPA Resource guide, DOJ’s recent guidance again reinforces that a compliance program should be individualized to a company’s risk profile, and so should the government’s evaluation of the program. The guidance is clearly not a checklist that applies to all. It does, however, provide more detail about the way a company should evaluate its own program. Companies can leverage the information to design more robust compliance programs and better respond to potential violations.
What’s New about the New Guidance?
The February 8 document differs substantially in form from the FCPA Resource guide. Rather than lay out broad rules or principles, the new guidance provides a series of detailed questions the government may ask when making fact-specific determinations about a compliance program. The questions are grouped into eleven categories, each of which has multiple sub-categories. The categories, which offer a framework for the essential elements of a well-functioning compliance program, are:
- Analysis and Remediation of Underlying Misconduct;
- Senior and Middle Management;
- Autonomy and Resources;
- Policies and Procedures;
- Risk Assessment;
- Training and Communication;
- Confidential Reporting and Investigation;
- Incentives and Disciplinary Measures;
- Continuous Improvement, Periodic Testing and Review;
- Third Party Management; and
- Mergers and Acquisitions (M&A).
Select Takeaways from the New Guidance
Review known problems thoroughly. The vast majority of the categories listed above track to the FCPA Resource Guide, with one notable addition: Analysis and Remediation of Underlying Misconduct. This section suggests that conducting a thorough root cause analysis of any identified issues, including looking at whether there are systemic problems, is key.
Engage departments outside of Compliance. From a design perspective, the new guidance underscores the importance of having stakeholders from all aspects of a company invested in the compliance program and culture. For example, the document suggests the government may ask: “how have senior leaders, through their words and actions, encouraged or discouraged the type of misconduct in question” and “what specific actions have senior leaders and other stakeholders (e.g., business and operational managers, Finance, Procurement, Legal, Human Resources) taken to demonstrate their commitment to compliance, including their remediation efforts?” Compliance programs should not be siloed within the Compliance department, and companies should be prepared to show how multiple key departments are engaged in the compliance function.
Think beyond the paper. The new guidance also makes clear that having policies on the shelf is not enough. Policies and controls must be accessible and well understood, and leaders must take concrete steps to set examples. Static or inflexible compliance programs appear to be especially disfavored. The guidance stresses that problems should be analyzed thoroughly, and the program itself should constantly evolve and adjust in response.
Companies often spend considerable time and expense predicting what the US Department of Justice will think about their compliance program because the government’s evaluation often has a tremendous impact on the outcome of enforcement actions. Companies with robust programs are more likely to receive lenient treatment. They may avoid charges altogether if the company self-reports an isolated violation. On the other hand, companies with weak compliance programs often endure extended investigations, which may result in significant penalties. Armed with the detailed criteria laid-out in the 2017 Evaluation of Corporate Compliance Programs, companies can now be better prepared to answer tough questions about their compliance program.