How to Apply the DOJ Evaluation Guidance in Your Organization
The February 2017 release of the Evaluation of Corporate Compliance Programs document (also referred to as “Evaluation Guidance”) by the Fraud Section of the U.S. Department of Justice is an attempt by the DOJ to outline its expectations for what it considers to be effective corporate compliance programs. The document serves as a guide for federal prosecutors when reviewing an organization’s compliance program within the context of a criminal investigation. Hence, it is important for every organization to have a solid understanding of the contents of the document – before becoming a target of an investigation.
Understanding that no two organizations are alike regarding their specific compliance risks, the Fraud Section elected to organize the Evaluation Guidance into 11 general topic areas for prosecutors to apply to the organization’s unique risk profile (as opposed to implementing a “cookie-cutter” formula or checklist). The topic areas and their specific objectives include:
- Analysis and Remediation of Underlying Misconduct – Determining the root cause of the misconduct, identifying the early warning signals the organization should have been aware of, and assessing any remediation efforts implemented by management.
- Senior and Middle Management – Focusing on management’s leadership efforts when attempting to remedy the misconduct, as well as seeking examples of collaboration between leadership and stakeholders to facilitate compliance.
- Autonomy and Resources – Assessing the compliance function’s level of funding, experience, qualifications and independence.
- Policies and Procedures – Evaluating the organization’s compliance policies and the degree to which they are integrated into the organization’s operational framework.
- Risk Assessment – Reviewing the organization’s risk management procedures as they pertain to identifying geographic, industry and company-specific risks and how the compliance program addresses them.
- Training and Communications – Assessing the type and effectiveness of compliance training programs for employees, including factors such as whether the organization provides customized training to high-risk staff members and the procedures implemented to determine the training needs of employees in specific work areas.
- Confidential Reporting and Investigation – Determining the availability of mechanisms for reporting misconduct and evaluating the effectiveness of the investigative process, including whether there is adequate staffing and appropriate scope of the investigation.
- Incentives and Disciplinary Measures – Evaluating the fairness and consistency of programs designed to incentivize employees for compliant/ethical behavior and actions, as well as the punishment meted out to those who violate compliance regulations and guidelines.
- Continuous Improvement, Periodic Testing and Review – Gaining an understanding of the type and frequency of the measures the organization uses to monitor results and gauge the overall effectiveness of compliance initiatives such as internal/external audits and testing.
- Third Party Management – Evaluating the quality and level of enforcement of the organization’s policies and procedures for engaging, screening, monitoring and managing third parties with a focus on how well relationship managers have been trained on applicable third-party compliance risks.
- Mergers and Acquisitions – Assessing the policies and procedures for identifying compliance risks during mergers/acquisitions with a focus on due diligence and compliance program integration methods.
Each topic area consists of a series of questions that investigators use to gather information. For instance, under topic 1 (Analysis and Remediation of Underlying Misconduct) the subtopic “Root Cause Analysis” includes the following questions: “What is the company’s root cause analysis of the misconduct at issue?”; “What systemic issues were identified?”; “Who in the company was involved in making the analysis?”
Adapting the Evaluation Guidance to Your Organization
The challenge that many organizations face when attempting to implement the Evaluation Guidance document is that the questions were created from the DOJ’s perspective, which can make it difficult to “translate” them into a framework that works for the organization. The fact that the 11 topic areas feature a total of more than 100 questions compounds the issue.
The Compliance & Ethics Blog suggests utilizing a “project planning” approach to reframe the questions and responses to place them in a context that fits your organization’s business processes. Essentially, this entails taking each question and determining three things:
- When to ask each question
- Who is the best person in your organization to answer the question
- How often you need to update the response to each question
It is also helpful to sort the questions into the following categories to ensure a consistent approach regarding the when, who and how often:
- Governance and Structure – Encompasses questions concerning how your compliance program is organized and managed, such as:
  - What compliance expertise has been available on the board of directors?
  - Have the board of directors and/or external auditors held executive or private sessions with the compliance and control functions?
- Program Operations – Pertains to the steps your organization takes to manage and mitigate day-to-day risk:
  - What concrete actions have they taken to demonstrate leadership in the company’s compliance and remediation efforts?
  - How does the company monitor its senior leadership’s behavior?
  - How has senior leadership modeled proper behavior to subordinates?
- Incident Response – Refers to questions regarding the procedures for analyzing and correcting issues, such as:
  - How have senior leaders, through their words and actions, encouraged or discouraged the type of misconduct in question?
  - What concrete actions have they taken to demonstrate leadership in the company’s compliance and remediation efforts?
  - What specific actions have senior leaders and other stakeholders (e.g., business and operational managers, Finance, Procurement, Legal, Human Resources) taken to demonstrate their commitment to compliance, including their remediation efforts?
While the Evaluation Guidance can provide sound direction to organizations when developing, implementing and maintaining compliance programs, it is also a clear indication of the increasing expectations of the Fraud Section to follow the letter of the law. Thus, every organization must continue to ramp up its compliance efforts – or face the consequences.