DOJ’s New Corporate Compliance Guidance: Risk Assessments and Policies and Procedures (Part II of V)
The Volkov Law Group has scheduled a free webinar on DOJ’s New Compliance Program Guidance for May 9, 2019, at 12 noon EST. Sign up HERE.
The Justice Department’s new Corporate Compliance Guidance is keyed to three topics:
- Design of a Corporate Compliance Program
- Effective Implementation
- Does the Compliance Program “Work in Practice”?
Part 1 of the Corporate Compliance Guidance addresses the following elements of a well-designed compliance program: risk assessment, policies and procedures, training and communications, confidential reporting structure and investigation process, third-party management and mergers and acquisitions.
Part II details effective implementation of a compliance program, including commitment by senior and middle management, autonomy and resources, and incentives and disciplinary measures.
Part III discusses measurement and review of a compliance program to confirm that it is operating properly, including continuous improvement, periodic testing and review, investigation of misconduct, and analysis an remediation of misconduct.
There is some overlap between Areas 1 and 3 relating to reporting and investigating misconduct. In general, however, the outline makes sense, especially in relation to the Hallmarks of an Effective Compliance and Ethics Program included in the FCPA Guidance issued on November 13, 2012, and the earlier version of the Evaluation of Corporate Compliance Programs issued on February 8, 2017.
At the outset, it is important to note that this new Corporate Compliance Guidance has broad application beyond FCPA enforcement and extends to all DOJ (and US Attorneys’) criminal prosecutions of corporations and other types of entities.
The Corporate Compliance Guidance brings a new and fresh perspective on risk assessment and overall program design and specifically focuses on whether the company’s compliance program is designed for “maximum effectiveness” to prevent and detect wrongdoing.
The “starting point” for the evaluation is whether the company has “identified, assessed, and defined its risk profile, and the degree to which the program devotes appropriate scrutiny and resources to the spectrum of risks.” Guidance at 3. In defining its risks, the corporation should consider the location of its operations, the industry sector, the competitiveness of the market, the regulatory landscape, potential clients and business partners, transactions with foreign governments, payments to foreign officials, use of third parties, gifts, travel, and entertainment expenses, and charitable and political donations.
DOJ asks whether the company’s risk assessment process is effective, and whether the company’s compliance program is tailored to the risk assessment, and further, whether the risk criteria are “periodically updated.” In this respect, DOJ is making clear that it expects companies to tailor its risk profile
“based on lessons learned.”
In outlining this important foundation for a compliance program, the Justice Department clearly expects companies to allocate resources (e.g. staff, technology and time) to high-risk activities versus lower risk activities. In addition, DOJ has increased its expectation for companies to regularly update its risk assessment so that it adequately captures emerging or changing risks depending on company strategies and activities.
Policies and Procedures
DOJ characterizes a company’s policies and procedures as giving content and effect to “ethical norms that address and aim to reduce risks” identified in the risk assessment process. In doing so, DOJ expects companies to establish “policies and procedures that incorporate the culture of compliance into its day-to-day operations.” Guidance at 5.
DOJ addresses specific policy and procedure categories, including design, comprehensiveness, accessibility, responsibility for operational integration and gatekeepers. Based on these categories, DOJ expects companies to:
- establish a management procedure for the design and implementation of new policies, and participation and consultation of key stakeholders, including the business units:
- design the policies and procedures to address risks identified in the risk assessment and update such policies in response to regulatory and/or legal changes;
- communicate its policies and procedures to employees and relevant third parties, including foreign employees and third parties;
- identify responsible persons for integrating policies and procedures, promote employee understanding and reinforce the policies and procedures through the company’s internal controls; and
- provide guidance and training to key gatekeeps in the control process (e.g. approval authority or certification responsibilities) to ensure that they know how to identify potential misconduct and when to escalate concerns.