We are in an exploration of the recently released Evaluation of Corporate Compliance Programs – Guidance Document (2019 Guidance), which was announced in a speech by Assistant Attorney General Brian Benczkowski at the Ethics and Compliance Initiative (ECI) Impact 2019 Conference. It is an update to the 2017 Evaluation of Corporate Compliance Programs, released in February 2017. This new document is available for download at no charge. It should be mandatory reading for every Chief Compliance Officer (CCO), compliance practitioner and professional, or any other person interested in the latest thinking of the Department of Justice (DOJ) on what constitutes a best practices compliance program. Today, I consider the first substantive section of the 2019 Guidance: what should go into a well-designed compliance program, or, as it states, “Is the corporation’s compliance program well designed?”
Quoting from the Justice Manual (formerly the US Attorneys’ Manual), the 2019 Guidance begins with the proposition that the “critical factors in evaluating any program are whether the program is adequately designed for maximum effectiveness in preventing and detecting wrongdoing by employees and whether corporate management is enforcing the program or is tacitly encouraging or pressuring employees to engage in misconduct.” This leads directly to the starting point for all compliance programs – a risk assessment. The 2019 Guidance also states, “The starting point for a prosecutor’s evaluation of whether a company has a well-designed compliance program is to understand the company’s business from a commercial perspective, how the company has identified, assessed, and defined its risk profile, and the degree to which the program devotes appropriate scrutiny and resources to the spectrum of risks.”
But it does not stop with the performance of a one-time risk assessment. It should be viewed as an iterative, ongoing process. On this point, the 2019 Guidance stated, “Prosecutors should also consider “[t]he effectiveness of the company’s risk assessment and the manner in which the company’s compliance program has been tailored based on that risk assessment” and whether its criteria are “periodically updated.” …Prosecutors may credit the quality and effectiveness of a risk-based compliance program that devotes appropriate attention and resources to high-risk transactions, even if it fails to prevent an infraction in a low-risk area. Prosecutors should therefore consider, as an indicator of risk-tailoring, “revisions to corporate compliance programs in light of lessons learned.””
To accomplish all of this, the document sets out three broad standards:
Risk Management Process – What methodology has the company used to identify, analyze, and address the particular risks it faces? What information or metrics has the company collected and used to help detect the type of misconduct in question? How have the information or metrics informed the company’s compliance program?
The use of the phrase “risk management process” emphasizes it is not a one-off exercise but truly a process. Moreover, the DOJ has specifically focused on the metrics component of every risk assessment. Finally, you must be able to substantiate and justify the methodology of your risk assessment.
Risk-Tailored Resource Allocation – Does the company devote a disproportionate amount of time to policing low-risk areas instead of high-risk areas, such as questionable payments to third-party consultants, suspicious trading activity, or excessive discounts to resellers and distributors? Does the company give greater scrutiny, as warranted, to high-risk transactions (for instance, a large-dollar contract with a government agency in a high-risk country) than more modest and routine hospitality and entertainment?
This section focuses more intently on the true risks that each company faces and how you allocate your risk management resources to those risks. It requires you not only to focus on your risks but, more importantly, not to waste time and resources on low-risk areas. You should focus on the high risks to your company. If you use third parties in the sales cycle, that may well be your highest risk. Conversely, if your sales strategy is based on employees, then that may be your highest risk. The document also points out the explicit risks in specific transactions and with specific customers: a “large-dollar contract with a government agency in a high-risk country”. This came from several enforcement actions where the customer itself was not only in on the bribery scheme but facilitated the illegal transactions.
Updates and Revisions – Is the risk assessment current and subject to periodic review? Have there been any updates to policies and procedures in light of lessons learned? Do these updates account for risks discovered through misconduct or other problems with the compliance program?
This section addresses not only the nature of risk assessments but also the continuous feedback loop of information both to and from your compliance program. Did you incorporate the information learned in the field into your next risk assessment? Did you then update your policies, procedures and controls around the information garnered from your updated risk assessment? This is the OODA loop (Observe, Orient, Decide, Act) in action.
All of this greater specificity in the entire risk management process is welcome information for every compliance practitioner. It also demonstrates what was cutting edge just a few years ago is now standard practice.
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at email@example.com.
© Thomas R. Fox, 2019