How DOJ Compliance Update Impacts Boards
DOJ Compliance Update: What does it mean for Boards?
In June 2020, the US Department of Justice (“DOJ”) issued updated corporate compliance guidance1.
What Stays the Same? DOJ continues to urge companies to:
- Adopt a risk-based compliance program, based on results of a rigorous assessment of the company’s risks,
- Embed preventative and detective controls tailored to those particular risks, and
- Be data driven in monitoring the effectiveness of those controls.
What Changes? The update suggests that the DOJ will be looking more closely at whether a company’s compliance program:
- Is adequately resourced,
- Has formalized processes to evaluate its effectiveness on an ongoing basis,
- Incorporates the use of data analytics, and
- Addresses relevant cross-border implications.
Why is This Update Important? More than ever, company reputation impacts shareholder value. A well-run compliance program is important to company reputation. It can give investors, employees (current and prospective), suppliers, customers, and communities a real sense of the company and its commitment to integrity. Compliance is also a key element in risk management.
What Does This Mean for Your Board’s Oversight of Risk and Compliance programs? To get a better understanding of what the DOJ update means for your company and board, here are several questions that your directors might want to ask the company’s Chief Compliance Officer (“CCO”) when the CCO next reports to your board or board committee. If a CCO report is not on an upcoming agenda, it would be good to add it!
Are We Resourcing Our Program Appropriately? In the past, the DOJ’s asked whether your compliance program was “being implemented effectively.” Going forward, the DOJ is likely to also ask whether your program is “adequately resourced and empowered to function effectively.” As COVID is prompting companies to cut budgets where they can, it would be good to talk with your CCO about whether the company is providing appropriate budget and authority to run the compliance program. It might not be a “yes/no” question and it is a good one to ask regularly as your company’s business evolves.
Data is a resource too. Asking your CCO about IT support being provided to the compliance function is important because the DOJ is looking for companies to provide compliance personnel with the data they need for “timely and effective monitoring and/or testing of policies, controls, and transactions.”
How Are We Using Ongoing, Data-Driven Processes to Ensure Our Program’s Effectiveness? The DOJ is still looking at whether your compliance program is effective but it also wants to see that your company has formalized processes to evaluate your program, those processes are generating useful data, and your company is updating its program based on those evaluations and data. No more will you receive credit for updates made “in light of lessons learned.” It would be good to talk with your CCO about how your company would demonstrate that:
- Review of your compliance program is “based upon continuous access to operational data and information across functions,” and
- Your program includes a formalized tracking process to track your company’s and compliance developments in your industry.
Are We Making It Easy for Employees to be Compliant? The DOJ also wants companies to make compliance easy for employees. Consider talking with your CCO about whether your company’s policies and procedures are readily available and searchable so employees can find pertinent provisions. And it would be good to ask how your CCO tracks the most accessed policies and what that tells the CCO.
Is Our Training Effective? The DOJ will ask, so consider asking your CCO:
- How is our company evaluating our training’s effectiveness?
- How do our employees get answers to questions or issues prompted by our training?
Do Our Acquisition Plans Include a Post-Acquisition Compliance Audit?
In What Ways are We Multi-National? Few companies are purely domestic. Supply chains, IT/data and sales can easily take a “domestic” company outside the US. It’s not easy to structure a multi-national compliance program given variations in laws and circumstances in each of the countries where a company does business. Talk with the CCO about the how the company’s compliance program takes into account the multi-national aspects of your business and what rationale your company uses in support of compliance decisions made in a multi-national context, including how those decisions “maintain the integrity and effectiveness” of your compliance program.
Hopefully, these suggestions can form the basis for an ongoing, dynamic interchange between the board (or the audit or risk committee) and your CCO. And that interchange can help the CCO and company in efforts to improve compliance and mitigate risk in line with DOJ guidance.
1 U.S. Dep’t of Justice, Criminal Division, “Evaluation of Corporate Compliance Programs” (June 1, 2020), https://www.justice.gov/criminal-fraud/page/file/937501/download.
© 2018-2021 Corporate Governance Partners, Inc.