Over the course of this podcast series, sponsored by Affiliated Monitors, Inc. (AMI), I am visiting with Eric Feldman, Senior Vice President of AMI. We look at the Department of Justice (DOJ) Evaluation of Corporate Compliance Programs, (the “2019 Guidance”), which was released in April 2019. We are exploring what the 2019 Guidance changes are from the Evaluation of Corporate Compliance Program (2017 Guidance), released in February 2017, the structure and emphasis of the 2019 Guidance and what it means for the compliance practitioner going forward. In Episode 4, we consider the question “Does your compliance program work in practice?”

This final category considers your compliance program in both a retrospective and current review. It considers the effectiveness of your program at the time of the incident(s) in question and then asks if your compliance program has changed based on the lifecycle of risk assessment program, implementation evaluation, and other inputs. Additionally, Feldman noted that for the “first time I have ever seen in any DOJ guidance, it says that the existence of misconduct does not by itself means that a compliance program did not work or was ineffective.”

Feldman interpreted this to mean that if “a compliance program did identify the misconduct, allowing time for remediation and self-reporting to DOJ, a prosecutor should look at it as if it’s an indicator that the program was working. The company took action against the individuals who were involved and they reported it to DOJ. That is kind of the way it’s supposed to work instead of the company then getting hammered for identifying, investigating and reporting an issue, then they get hammered because you reported the issue that’s not the right incentive.”

The DOJ also focuses this prong on improving the program. Feldman stated, “they want to see continuous improvement. They want to know if you followed your compliance program over time to address compliance risks, which change every day based on employees and market and  product line, etc.” This section of the 2019 Guidance also makes clear it is really Part II of the Benczkowski Memo, released in October 2018. The 2019 Guidance refers back to the Benczkowski Memo which relates that when a  “corporation’s compliance program and controls are demonstrated to be effective and appropriately resourced at the time of resolution, a monitor will not likely be necessary.” Feldman characterized this as the “pot of gold at the end of the rainbow for companies to be incentivized to build compliance programs which work.”

Continuous Improvement, Periodic Testing and Review

Feldman noted, “this whole section on continuous improvement is chockfull of very specific, guidance and steps that companies can take to meaningful steps to improve their compliance programs.” He also related, “one of the things that is different from the previous guidance (2017 Guidance) is that it mandates companies take steps to measure the culture of compliance within an organization. This is something that most companies generally don’t do on a regular basis.”  This can be done through surveys or a variety of other tools such as monitoring and auditing. There are also questions around the strengths of internal controls. Is your organization doing  control testing to see if the controls actually work and that your employees are following, not simply over-riding the controls? Finally, Feldman believes you should be “data mining your company to be proactive in identifying instances of fraud or misconduct within the organization.”

Investigations of Misconduct

There is also a focus on investigations. Feldman noted that this has been “a real challenge for some companies that do not have trained investigators on staff internally and they may use anyone to do an investigation. Many companies do not have investigators who are certified fraud examiners. This means the DOJ may well look at not only the quality of your investigative team but also how the investigation itself was scoped and was that scope followed.” Finally, is there appropriate documentation of all of the above?

Analysis and Remediation of Underlying Misconduct

Feldman believes this is an area where the DOJ has been disappointed in many companies responses to misconduct. While there is a tacit understanding that employees may well do the wrong thing, it is the company’s obligation to respond appropriately. This means a company must not only move to remediate structures but also respond appropriately to misconduct. What were the root causes of the incident? This has been a key question since the release of the 2017 Guidance and is even made more critical in the 2019 Guidance.

Finally, what is your response to the information generated in with the investigation or root cause analysis? Did you remediate your compliance program; its policies procedures and controls from a structural perspective based on some kind of documented root cause analysis? What actions did you take against recalcitrant individuals? Feldman concluded, “I think this guidance is going to drive companies to look at the compliance and ethics process in a much more holistic way as a continuous a circle, a that has to take place of improvement mediation and experience with the program over time.”

Join us tomorrow when we conclude our deep dive into the 2019 Guidance by putting it all together with final thoughts and observations.

For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit our sponsor at www.affiliatedmonitors.com.