The DOJ Evaluation of Corporate Compliance Programs, most generally, follows the DOJ and Securities and Exchange Commission’s (SEC) seminal Ten Hallmarks of an Effective Compliance Program, released in the 2012 FCPA Guidance. If there is one over-riding theme in the Evaluation, it is the DOJ’s emphasis on operationalizing your compliance program as the questions posed are designed to test how far down your compliance program is incorporated into the very DNA and fabric of your organization. The Evaluation is not simply a restatement of the Ten Hallmarks, as it clearly incorporates the DOJ’s evolution in what constitutes a best practices compliance program over the past 18 months and it certainly builds upon the information put forward in the DOJ’s FCPA Pilot Program regarding effective compliance programs, most particularly found in Prong 3 Remediation.

As there are 11 areas of inquiry and 10 Hallmarks, one of the interesting considerations is Evaluation No. 1 – the analysis and remediation of underlying conduct. In this area, you understand the root cause of any incident, is it systemic and who made the analysis? You will also need to evaluate your detection or if the conduct was missed, why was it missed? Finally, you need to explain the remediation.

Next is the area of senior and middle management where you will need to evaluate the specific conduct of senior management in not only discouraging FCPA violative conduct but also the role of senior management in remedial actions. How do senior leaders and other stakeholders model appropriate behavior and share information on compliance throughout the organization and how is that conduct monitored on an ongoing basis?

Finally, the Board’s role is re-emphasized as the Evaluation asks the following questions, “What compliance expertise has been available on the board of directors? Have the board of directors and/or external auditors held executive or private sessions with the compliance and control functions? What types of information have the board of directors and senior management examined in their exercise of oversight in the area in which the misconduct occurred?” If you followed my month long series of One Month to a Better Board, you will recognize these as significant issues that many Boards have yet to adequately deal with going forward. The Evaluation also looks at the CCO and compliance function’s upward communications with the Board by looking at reporting lines, CCO access to the Board and independence of the compliance function within the organization.

Next is the area of autonomy and resources for the CCO and the compliance function. This section follows the FCPA Pilot Program Prong Three on remediation by inquiring into the professionalism and expertise of both the CCO and the compliance function. It also asks about the stature of the CCO and compliance function within the organization, including specifically “compensation levels, rank/title, reporting line, resources, and access to key decision-makers”. It also asks about turnover and promotion opportunities. You need to evaluate the role of compliance in strategic planning and whether the compliance function is truly “empowered” within an organization. This final point will entail documenting any “specific transactions or deals that were stopped, modified, or more closely examined as a result of compliance concerns”. Also echoing the Pilot Program Remediation Prong was an inquiry into funding and dollar resources available to the compliance function.

In a new area of review, the Evaluation considers “outsourced compliance functions” for the first time. It asks the following questions, “Has the company outsourced all or parts of its compliance functions to an external firm or consultant? What has been the rationale for doing so? Who has been involved in the decision to outsource? How has that process been managed (including who oversaw and/or liaised with the external firm/consultant)? What access level does the external firm or consultant have to company information? How has the effectiveness of the outsourced process been assessed?”

In the area of “Policies and Procedures” we see a clear operationalization inquiry as you are required to evaluate who had input into the design of your compliance policies and procedures and the process for drafting, all coupled with consultation with the business units. You also need to look at the specific policies and procedures which may have failed and determine how and why they failed. There are some inquiries into “gatekeepers, e.g. the persons who issue payments or review approvals” regarding their training and ongoing monitoring.

Next, and once again following on the operationalization of your compliance program, is a section entitled “Operational Integration” which includes who is responsible for integrating your policies and procedures throughout your organization, what internal controls are in place and specific inquiries into the role of the company payment system in any FCPA violation. This last inquiry is coupled with a review of your vendor management program going forward.

In the area of risk assessments, you need to consider the methodology the company used to identify, analyze, and address the particular risks it faced, coupled with the metrics your company has collected and used to help detect the type of misconduct in question and, most interestingly, how this information has “informed the company’s compliance program”? In a section entitled “Manifested Risks” the Evaluation poses the following question, “How has the company’s risk assessment process accounted for manifested risks?”

Three Key Takeaways

  1. The Evaluation follows a consistent theme of DOJ pronouncement over the past 18 on to operationalize your compliance program.
  2. There is one new area with a focus on root cause analysis and risk assessments.
  3. There is a greater consideration of how the CCO is treated and viewed within an organization.

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights On Demand for FCPA, operationalizes your compliance program. For more information, go to