Civil Justice

Civil Justice Playbook: DOJ’s Missed Guidance:Corporate compliance programs would do well to take a long look

The Civil Justice Playbook sometimes cribs its best material from the Criminal Justice Playbook. What follows is a prime example.
In early February, the fraud section of the U.S. Department of Justice’s Criminal Division posted a seven-page document that nobody seemed to notice. It’s called Evaluation of Corporate Compliance Programs [https://www.justice.gov/criminal-fraud/page/file/937501/download] [or bit.ly/2lEphmk], and it’s no wonder it glided under the radar. DOJ posted 89 press releases on its site in February, but there wasn’t one about this. (Maybe the authors should have asked the president to tweet about it.)
It deserves a better fate. The introduction states modest goals. It even points out that much of the information has already appeared in previous government publications, but don’t be misled. Corporate compliance departments would do well to study it.
It’s couched as an explanation of how DOJ’s fraud investigators evaluate the effectiveness of a compliance program when they’re investigating a company to determine whether to bring charges against it. “We recognize that each company’s risk profile and solutions to reduce its risks warrant particularized evaluation,” the authors write. “Accordingly, we make an individualized determination in each case. There are, however, common questions that we may ask in making an individualized determination.”
That’s what they offer in their guidance. They detail topics and questions they often explore when evaluating compliance programs.
Some of the questions are about a compliance department’s performance before, during and after the company’s misconduct was uncovered. But many are the kinds of broad inquiries that all compliance departments would do well to conduct periodically. For example: What is the stature of the department inside the company? Are the compliance personnel generally qualified, experienced and trained? What is the turnover rate for compliance personnel? Does the department have the autonomy to meet with the board of directors?
There are also specific questions about training and accountability. The authors ask if employees are incentivized to behave ethically. There are even questions about the company’s management of third parties and its due diligence when contemplating M&A deals.
The document is undated, but it was apparently posted Feb. 8. Yet, it was nearly two weeks before the first responses appeared online. Even some of the most plugged-in lawyers in this field were caught unawares. For instance, the widely read FCPA Blog posted a note by an anonymous “guest contributor” Feb. 20 informing the editors of the document’s existence “in case you, like me, had missed it.” They had.
But they made up for it Feb. 28, when they posted an article [http://www.fcpablog.com/blog/2017/2/28/michele-edwards-data-analysis-underlies-new-doj-guidance.html] [or bit.ly/2mprcMv] by Michele Edwards, a managing director with the independent consulting company StoneTurn Group. Edwards makes a compelling case for the pivotal role of data in evaluating these programs. It’s at the heart of the DOJ document, she points out: “Data lies at the core of the recent guidance.”
But not just any old data. As she puts it, “Training program completion rates and code of conduct confirmation statistics are no longer sufficient. Companies need to use meaningful data to assess and remediate corporate compliance programs, as well as to prove program effectiveness.”
She goes on to demonstrate what she means. The questions Edwards uses are her own, though they are similar to many in the DOJ guidance. To demonstrate the effectiveness of a compliance program, Edwards advises, “Look at the number of transactions or deals that were stopped, modified or more closely examined as a result of compliance concerns.” Another tip: “Examine the number of red flags identified as a result of due diligence on third parties.” Or ask this: “How many audits were conducted on acquired business units?”
“The DOJ guidance makes it clear,” she explains, “that companies must collect data and metrics to help detect potential misconduct as part of the information gathering and data analysis stage of risk assessments. In addition, monitoring, internal control testing and auditing should collect and analyze compliance data in order to properly monitor and audit for red flags.”
What makes the argument all the more powerful is that the same tests that can demonstrate the proficiency of a program can also help a company determine that the compliance program itself is inadequate. And if companies take the new DOJ guidance seriously, they may be in a position to remediate their programs before their businesses are caught up in scandal and they are compelled to remediate much, much more.
That seemed to be what the fraud section had in mind. It may even have been worth a press release. It’s certainly worth memorializing in your Civil Justice Playbook.

Published .