DOJ Revisions to Corporate Compliance Guidance: Training, Third-Party Risk Management, Mergers/Acquisitions and Data (Part II of II)
DOJ is catching up to compliance officers and evolving best practices. Say what you want, DOJ is behind the curve of the compliance industry. But you have to give DOJ credit – it is moving quickly to update its Guidance.
Compliance is a fast-moving profession – innovation and technology continue to define the industry. Compliance officers are willing to embrace change and the industry is quickly distinguishing itself from other professions – lawyers and accountants – which are steadfast in adherence to so-called professional principles and ethics and slow to embrace professional change and innovation.
DOJ’s recent update of its Compliance Guidance reflects additional issues that are evolving. Reviewing DOJ’s Guidance provides an important insight into DOJ’s perspective and learning on compliance issues.
Training: DOJ’s Guidance recognizes that many companies are developing training programs that are largely based on shorter bursts of information and instruction. DOJ’s revisions to the Guidance acknowledge these developments. In these circumstances, DOJ’s Guidance asks if participants have the ability to ask questions and raise concerns during these shorter and targeted training programs.
More importantly, DOJ’s revised Guidance includes new questions focusing on whether the company has evaluated if these new, shorter training programs are effective and whether these programs have had a direct impact on employee behavior or operations.
Employee Reporting & Hotlines: DOJ’s Guidance also drills down on the issue of employee reporting. Interestingly, assuming that the company has expanded its employee reporting functions to third parties, the Guidance asks companies if their employee reporting extends to third-party reporting. Aside from the third-party issue, the Guidance also focuses on whether the company measures if employees are comfortable with using the reporting system. Finally, DOJ asks if the company periodically tests the effectiveness of the hotline by, for example, tracking a test report “from start to finish.”
Third-Party Risk: DOJ’s Guidance adopts changes that reflect a fundamental change in the focus of DOJ’s evaluation of a company’s third-party risk management program. Significantly, DOJ’s Guidance adopts language that suggests that a company’s third-party risk management program will not be evaluated in a static way – specifically, DOJ asks “does the company engage in risk management of third parties throughout the lifespan of the relationship, or primarily during the onboarding process?” DOJ’s question underscores a new and important trend – third-party risk management is a continuous process that requires ongoing monitoring of activity and conduct.
Mergers & Acquisitions: DOJ’s Guidance emphasizes the importance of managing merger & acquisition risks by focusing on post-closing, integration risks. For many years, DOJ has revised its focus on mergers and acquisitions from pre-acquisition due diligence to post-acquisition integration. DOJ’s Guidance has finally incorporated this policy and enforcement perspective. The revisions to the Guidance reflect the importance of pre-acquisition due diligence but recognize the importance of integration.
Data Analytics: As a final issue, DOJ’s revised Guidance recognizes that companies have access to relevant data and should incorporate data analytics as part of an effective compliance program. DOJ’s revisions focus on whether compliance and control personnel “have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls and transactions?” Talk about a loaded question with significant implications. DOJ is emphasizing the importance of collection and analysis of compliance program data and linking such data to real-time monitoring and compliance program performance.