Next week, in a five-part podcast series sponsored by Affiliated Monitors, Inc. (AMI), I visit with Eric Feldman, Senior Vice President of AMI, to consider the Department of Justice (DOJ) Evaluation of Corporate Compliance Programs (the “2019 Guidance”), which was released in April 2019. The 2019 Guidance asks three fundamental questions prosecutors should ask; all other questions are divided into these categories: (1) “Is the corporation’s compliance program well designed”; (2) “Is the program being applied earnestly and in good faith?” In other words, is the program being implemented effectively? Is it real? and (3) “Does the corporation’s compliance program work” in practice? Today, I want to consider the question “Is your program well designed?”
One of the most important items in this section was the emphasis on risk assessment. The 2019 Guidance notes that it is the starting point for a prosecutor’s evaluation of whether a program is well designed and that you have to understand the company’s business from the commercial perspective and not simply from an ethics perspective. The 2019 Guidance poses such questions as: How has the company identified its risks? Has it devoted appropriate resources to each risk that an individual company faces? In other words, they’re asking the question: if you don’t know your company’s risks, how can you design an effective program? The bottom line is that the DOJ is much more focused on asking the compliance practitioner to think about the commercial aspects of your company and then wrap your policy around those aspects of your organization, starting with your risk assessment.
Policies and Procedures
Under this prong, Feldman noted the 2019 Guidance begins to reinforce the DOJ’s focus on corporate culture. Feldman said the “very first thing is that prosecutors should assess whether the company has established policies and procedures that incorporate a culture of compliance into day to day operations and that linkage between core values and what we might call a culture of compliance and how I conduct my business every day.” He went on to state, “this is where a lot of programs fail and so the linkage between the written policies and procedures and culture must be strong.” Feldman concluded, “culture really is emphasized a lot more here than in previous versions.”
Training and Communications
Here there were a couple of items that, if not new, were perhaps more focused for a compliance practitioner’s thoughts on these subjects. One was effective training and the measurement of effective training, but even more than effective training was the continuous improvement concept from risk assessments. This needs to be a part of your training regime: take the information you obtain in and through your training and then loop it back into your compliance program. For ongoing communications, Feldman said it is about “translating that cultural message into day to day decision making throughout the organization.”
Confidential Reporting Structure and Investigative Process
In addition to having a robust speak-up culture, the 2019 Guidance mandates that companies provide specific training to middle managers, who, it turns out, are the people most employees want to report to. Additionally, for the first time there is an emphasis on follow-up with the complainant. Feldman added, “whatever issue was raised, post investigation, the question of who determines whether to conduct an investigation, how they do it and whether or not those processes are documented.” The days of doing an ad hoc review every time a company receives a complaint should be long gone. Finally, are there procedures and processes in place to track the results of both the investigations and remediations?
Third-Party Management
Here the emphasis appears to be much more risk based. If you are doing business in a variety of countries and you hire third-party agents to represent your business, this presents a very high risk of violation of the Foreign Corrupt Practices Act (FCPA). Do you know what an individual is doing for your organization? Having controls in place that can detect when and where misconduct is most likely to occur is critical before you bring that person on.
Feldman noted it was interesting, “and some might view as an intrusion of business that the DOJ is now going to be looking at the business rationale for needing a third party.” He specified that you need to ask yourself, “based on the services described, what is the third party doing? Is the compensation appropriate? Is there ongoing monitoring of what the third party is doing? Unless a company does those things and can document that they do these things, there is a vulnerability if that third-party agent violates the code or the law.” He concluded, “I think it’s a good thing that they list these questions here as it should get companies thinking about various ways, they can be their third-party management and make it a lot more proactive.”
Mergers and Acquisitions
In this arena, Feldman believes that the DOJ split the inquiry into pre- and post-acquisition. He said, “you need to evaluate to a certain extent pre-acquisition as to whether a target company is going to be predisposed to implementing your controls and your ethics and compliance program.” From there it moves to post-acquisition and the integration of the compliance function. Feldman related that while this is “not new, the focus is more on having a documented integration plan for the new company and integration into the corporate culture. This guidance talks about tracking and remediating any risks that you identified during the initial due diligence and creating new compliance policies and procedures that the new entity. So, this is a pretty crisp section here and it’s pretty clear what the prosecutors are going to be looking for going forward.”
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at email@example.com.
© Thomas R. Fox, 2019