This week, in a podcast series sponsored by Affiliated Monitors, Inc. (AMI), I am visiting with Eric Feldman, Senior Vice President of AMI. We look at the Department of Justice (DOJ) Evaluation of Corporate Compliance Programs (the “2019 Guidance”), which was released in April 2019. Over the next five podcasts we will explore what the 2019 Guidance changes from the Evaluation of Corporate Compliance Program (2017 Guidance), released in February 2017, the structure and emphasis of the 2019 Guidance, and what it means for the compliance practitioner going forward. In Episode 2, we consider the question “Is your program well designed?”

Risk Assessment

One of the most important items in this section was the emphasis on risk assessment. The 2019 Guidance notes that it is the starting point for a prosecutor’s evaluation of whether a program is well designed and that you have to understand the company’s business from the commercial perspective and not simply from an ethics perspective. The 2019 Guidance poses such questions as: How has the company identified its risks? Has it devoted appropriate resources to each risk that an individual company faces? In other words, they’re asking the question: if you don’t know your company’s risks, how can you design an effective program? The bottom line is that the DOJ is much more focused on asking the compliance practitioner to think about the commercial aspects of your company and then wrap your policy around those aspects of your organization, starting with your risk assessment.

Policies and Procedures

Under this prong, Feldman noted the 2019 Guidance begins to reinforce the DOJ’s focus on corporate culture. Feldman said the “very first thing is that prosecutors should assess whether the company has established policies and procedures that incorporate a culture of compliance into day-to-day operations and that linkage between core values and what we might call a culture of compliance and how I conduct my business every day.” He went on to state, “this is where a lot of programs fail and so the linkage between the written policies and procedures and culture must be strong.” Feldman concluded, “culture really is emphasized a lot more here than in previous versions.”

Training and Communications

Here there were a couple of items that, if not new, were perhaps more focused for a compliance practitioner’s thoughts on these subjects. One was effective training and the measurement of effective training, but even more than effective training was the continuous improvement concept from risk assessments. This needs to be a part of your training regime: take the information you obtain in and through your training and loop it back into your compliance program. For ongoing communications, Feldman said it is about “translating that cultural message into day-to-day decision making throughout the organization.”

Confidential Reporting Structure and Investigative Process

In addition to having a robust speak-up culture, the 2019 Guidance mandates that companies provide specific training to middle managers, who, it turns out, most employees want to report to. Additionally, for the first time there is an emphasis on follow-up with the complainant. Feldman added, “whatever issue was raised, post investigation, the question of who determines whether to conduct an investigation, how they do it and whether or not those processes are documented.” The days of doing an ad hoc review every time a company receives a complaint should be long gone. Finally, are there procedures and processes in place to track the results of both the investigations and remediations?

3rd Party Management

Here the emphasis appears to be much more risk based. If you are doing business in a variety of countries and you hire third-party agents to represent your business, this presents a very high risk of violation of the Foreign Corrupt Practices Act (FCPA). Do you know what an individual is doing for your organization? Having controls in place which can detect when and where misconduct is most likely to occur is critical before you bring that person on.

Feldman noted it was interesting, “and some might view as an intrusion of business that the DOJ is now going to be looking at the business rationale for needing a third party.” He specified that you need to ask yourself, “based on the services described, what is the third party doing? Is the compensation appropriate? Is there ongoing monitoring of what the third party is doing? Unless a company does those things and can document that they do these things, there is a vulnerability if that third-party agent violates the code or the law.” He concluded, “I think it’s a good thing that they list these questions here as it should get companies thinking about various ways, they can be their third-party management and make it a lot more proactive.”

Mergers and Acquisitions

In this arena, Feldman believes that the DOJ split the inquiry into pre- and post-acquisition. He said, “you need to evaluate to a certain extent pre-acquisition as to whether a target company is going to be predisposed to implementing your controls and your ethics and compliance program.” From there it moves to post-acquisition and the integration of the compliance function. Feldman related that while this is “not new, the focus is more on having a documented integration plan for the new company and integration into the corporate culture. This guidance talks about tracking and remediating any risks that you identified during the initial due diligence and creating new compliance policies and procedures that the new entity. So, this is a pretty crisp section here and it’s pretty clear what the prosecutors are going to be looking for going forward.”

Join us tomorrow when we begin a deep dive into the 2019 Guidance in considering the second question, “Is your program being implemented effectively?”

For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit our sponsor at