When the U.S. Department of Justice updated its Evaluation of Corporate Compliance Programs guidance in 2020, it was not just tweaking some best practices or clarifying key points; it was fundamentally changing the corporate compliance game. While mechanics are still important, the new guidance focuses more on expectations. DOJ regulators expect governance, risk and compliance teams to build programs that not only solve any problems that arise, but that also proactively work to avoid or minimize those problems by strengthening compliance via training and prevention strategies.
Perhaps more remarkably, the DOJ is acknowledging that compliance crises do happen and will not necessarily get your organization in more trouble after a misconduct incident. Under the new guidance, regulators want to see that your program and processes are capable of identifying issues, learning from mistakes, and empowering employees to make smart, compliant decisions.
Three Key Compliance Questions
The new DOJ guidance asks three questions when assessing a corporate compliance program:
1. Is the corporation’s compliance program well designed? A term you will see all over the DOJ guidance is “effectiveness.” Regulators are less concerned about the specific elements of your program than about how they work together to maximize effectiveness. In other words, do the individual compliance elements talk to each other and play nice? And when red flags arise, are changes made across the program?
A useful comparison for this need for interconnectivity is a bucket of Legos: By itself, it is just a bucket of plastic bricks—it does not begin to take a meaningful shape until the pieces are interlocked. Only then can you see how the bricks work together and adjust as needed. To the DOJ, an effective compliance program works in much the same way.
2. Is the program adequately resourced and empowered to function effectively? Regulators are looking at how well compliance departments are implementing their programs and whether compliance teams have the personnel, experience and support needed to perform their duties. A well-designed program can fall short if implementation lacks impact or growth. It can also be hamstrung without access to “relevant sources of data” to assess and monitor people, processes and controls. The DOJ guidance addresses whether a compliance program is truly resonating with employees or if it is just a “paper program,” accomplishing only the minimum. This is a big shift for the DOJ, which in the past kept its emphasis on activities and efforts.
The company’s leaders and middle management must truly commit to ethics and compliance. It is not enough to say you have a training program or that your CEO sometimes mentions ethics when communicating with employees. That commitment should also extend to incentives and disciplinary measures that must be applied consistently and fairly, regardless of role or tenure. Regulators are looking at your own internal oversight and how much autonomy ethics and compliance teams really hold. Deep conflicts of interest in your structure will be major red flags.
The new guidance also emphasizes continuous improvement. Regulators want proof that the organization is learning from compliance crises—not just how something happened, but also what lessons you applied to increase your program’s effectiveness going forward.
3. Does the company’s compliance program work in practice? Again, the DOJ is not counting on organizations to be perfect in all their compliance decisions, or saying that organizations must build their programs exactly the same way. Incidents and criminal activity can occur within even the most diligent companies. What regulators want to know is:
- What was the status of your program at the time of the incident?
- How equipped were you to detect and subsequently mitigate the incident?
- How equipped are you now to prevent such an incident from occurring again?
In other words, how proactive were you before the problem, or were you forced to be reactive after the problem turned into a catastrophe? Regulators like examples of how well your program worked. If you can provide these examples—ideally in the most quantitative and data-driven fashion possible—that will improve the odds that your program will be evaluated favorably.
A Blueprint for Change
The 2020 guidance demonstrates that the DOJ’s Criminal Division is looking for a focus on strategy, intention and results. The following five strategies can help you evolve your company’s program in keeping with the new guidelines:
1. Focus on the “why” and “how” in design and implementation. The elements of an effective compliance program detailed in the DOJ guidance include a range of components like function-specific training, a code of conduct and board oversight. Organizations may have followed the checklist but then ignored the “why” and “how” of their compliance, figuring it was enough to just check the boxes. However, even if all of a compliance program’s components are “best of breed,” that does not necessarily translate into smart design. If your program is not implemented and designed well, per the 2020 guidance, it will fall short of the DOJ’s expectations. Therefore, think about how solutions and strategies will be applied and benefit employees and the organization.
2. Rely on a risk-based approach. The new DOJ guidance does not say you should have a fixed structure with risk assessments, acknowledging that your approach will depend on the size, goals and fit for your organization. Avoid the one-size-fits-all or spray-and-pray strategies because regulators are looking for true progress. Risk assessments should measure likelihood and impact while aligning closely with your compliance roadmap to reveal areas of high risk. This allows for more precise planning, better resource allocation and a better understanding of the efforts needed to catalyze change and ensure alignment.
3. Emphasize quality over quantity with training. When it comes to compliance training, a completion percentage means nothing if employees do not apply important concepts to their everyday roles. Among other things, the DOJ will now inquire about the effectiveness of your training and how it impacts employee behavior and operations. As you develop and modify training according to the new guidelines, the following questions can help you assess efficacy and demonstrate that you are taking training seriously:
- Do you have role-based training, including different and/or supplemental training for managers and gatekeepers?
- Do you have the ability to measure effectiveness and training?
- Do you develop training in a way that ensures compliance readiness? What measures do you take if an employee does not display readiness?
- How does training affect operations and employee behavior?
- What educational and communication resources are available outside of training?
Ultimately, your compliance training program should not be linear—true results require a unique and always-evolving process.
4. Be proactive in identifying trends. The proactive nature of the DOJ guidance places the greatest emphasis on detection, then prevention, then mitigation. Trends cannot be viewed in a vacuum, one event at a time. Constantly compare the data, including: behavioral performance; internal and external benchmarks; number of cases founded versus unfounded; percentage of hotline incidents based on tiers (e.g., country or state data, areas of business, level of persons reporting); and anything else that looks at the bigger picture and demonstrates that you are focusing on the “why” and “how.”
5. Focus on operational data to understand culture. Transactional metrics are great for deducing if a culture of compliance is thriving, struggling or something in between. Unfortunately, outside of a compliance hotline, gathering this data is not always easy. Simply having policies and resources in place for employees to reference is insufficient for a well-designed, well-implemented program. Since the DOJ looks for more than a “paper” program, go beyond by collecting data on how employees interacted with resources. The trends these metrics reveal can help you update policies and how you distribute them, which fulfills the spirit, if not the letter, of the 2020 guidance.