And the Beat Goes On – Part 2

New DOJ Antitrust Guidelines on Corporate Compliance Programs

In homage to Sonny & Cher’s anthem to continuing change, let’s look at some new and some updated expectations in the DOJ Antitrust Division’s July release of its Evaluation of Corporate Compliance Programs in Criminal Antitrust Investigations.

The Antitrust compliance guidelines reinforce the guidance in the DOJ Criminal Division’s recently updated (April) Evaluation of Corporate Compliance Programs. The Antitrust guidelines mirror the Criminal Division’s focus on three key questions:

1) Does the company’s compliance program address and prohibit criminal antitrust violations? 

2) Did the antitrust compliance program detect and facilitate prompt reporting of the violation? 

3) To what extent was a company’s senior management involved in the violation? 

The following Antitrust guidelines outline does not exactly mirror but largely tracks the Criminal Division’s guidelines:

  • Design and comprehensiveness
  • Culture of compliance
  • Responsibility for the compliance program
  • Risk assessment
  • Training and communication
  • Periodic review, monitoring and auditing
  • Reporting
  • Incentives and discipline
  • Remediation and role of the compliance program in the discovery of the violation

Generally, the Antitrust guidelines follow the Criminal Division’s guidelines but are tailored specifically to antitrust compliance. For instance, the Antitrust guidelines want to know whether policies and procedures, training and communication and other program elements exist specific to antitrust rules.

What’s specific about the Antitrust guidelines is how they focus a business’s attention on antitrust-related issues, such as the following:

  • Cooperation with competitors in cartels
  • Communication with competitors at trade shows and trade associations, or as part of legitimate collaborative arrangements
  • Retention and destruction of documents that may indicate antitrust violations
  • Toleration of antitrust violations in pursuing new business, greater revenues, customer retention
  • Staff that oversees recruitment and hiring (as an example, in hiring from competitors or others who may share a competitor’s trade secrets)
  • Contract bids for possible bid rigging and market allocation
  • Pricing authority for making pricing changes for possible price fixing
  • Involvement of leadership, “high-level personnel”, or “substantial authority personnel” or others with authority to negotiate or set prices or approve significant contracts (This is particularly important to antitrust compliance because violations typically are due to the types of decisions that more senior individuals can make, such as agreements, contracts, and pricing decisions.)

The Antitrust guidelines reinforce that cooperating organizations can benefit from the Antitrust Division’s Corporate Leniency Program:

“Corporations and individuals who report their cartel activity and cooperate in the Division's investigation of the cartel reported can avoid criminal conviction, fines, and prison sentences if they meet the requirements of the program.”

This is a specific issue in antitrust compliance regarding a business that works with competitors to limit or reduce competition through various activities: bid rigging, price fixing, and market allocation, for example. Generally, the first business to come forward to authorities receives the greatest leniency since regulators may not have been able to discover the criminal activity on their own.

All businesses should evaluate their risks specific to antitrust violations. Certain industries, through their structure and history, are more susceptible to these problems, and their companies should be particularly vigilant regarding antitrust risks.

In the end, whether a business’s principal risks are antitrust, bribery, data privacy, harassment, or other compliance topics, the basic expectations for effective compliance management are largely the same, just with greater attention to and controls around the higher risk areas. 

As shown through the DOJ’s April and July releases, the US Government continues to push for strong compliance management practices through updated guidance…

…and the beat goes on.

 

Find the first part of this series And the Beat Goes On - Part 1 here http://www.syntrio.com/blog-new-doj-antitrust-guidelines/

And the Beat Goes On – Part 1

New DOJ Antitrust Guidelines on Corporate Compliance Programs

For many, “And the Beat Goes On” awakens memories of Sonny & Cher’s anthem to changing times.

Perhaps not surprisingly, the words are just as applicable to business ethics—change keeps on coming.

This month, the US Department of Justice continued its push for change with the release of its Antitrust Division’s Evaluation of Corporate Compliance Programs in Criminal Antitrust Investigations.

This probably sounds familiar: didn’t the DOJ just release something like this? Yes, in April the Department’s Criminal Division released Evaluation of Corporate Compliance Programs, the broader guidance about how the DOJ will investigate compliance efforts of organizations that come to its attention. These new Antitrust guidelines serve as companion guidance specific to antitrust (or fair competition) cases—what the Antitrust Division will specifically examine.

While these new antitrust guidelines may be viewed as just one additional, small step in the DOJ’s larger efforts, here’s another perspective: The US Government through its various departments and agencies continues its march to define compliance management at a specific level. Organizations that run afoul of specific laws will find it difficult to argue that a generalized compliance effort is sufficient.

Consider these past government efforts to promote strong compliance management practices:

  • US Equal Employment Opportunity Commission (EEOC) regarding workplace harassment and discrimination
  • US Department of Justice (DOJ) and Securities and Exchange Commission (SEC) Foreign Corrupt Practices Act (FCPA) Resource Guide
  • US Health and Human Services (HHS) Model Compliance Program (for hospitals, nursing facilities, pharmaceutical manufacturers, ambulance suppliers, physician practices, Medicare choice facilities, clinical laboratories, etc.)
  • US Federal Acquisition Regulations (FAR) and associated government contracting standards for compliance management
  • US Sarbanes-Oxley Act (SOX) compliance management requirements for publicly traded companies
  • US Occupational Health & Safety Administration (OSHA) Recommended Practices for Safety and Health Programs
  • US Environmental Protection Agency (EPA) Incentives for Self-Policing: Discovery, Disclosure, Correction and Prevention of Violations
  • US Federal Energy Regulatory Commission (FERC) Policy Statement on Compliance
  • US Securities and Exchange Commission (SEC) Compliance Programs for Investment Companies and Investment Advisers
  • US Federal Deposit Insurance Corporation (FDIC) Compliance Management System requirement

In short, the US Government doesn’t simply want to see businesses try to comply with laws and regulations—it wants to see active compliance management efforts that seek to avoid violations and, when they occur, quickly identify, mitigate and report them.

This approach by the US Government serves two objectives:

  • It pushes businesses to identify their greatest legal and regulatory risks to focus compliance efforts there.
  • It encourages businesses to look broadly at compliance to find more efficient ways to promote it instead of managing several standalone topic-specific compliance efforts.

Keep in mind that the DOJ’s April release updated 2017 guidance from its Fraud Section, and the update is designed to broaden the guidance’s applicability to all criminal conduct. Any business that thinks it doesn’t need to address compliance holistically – but only through focus on specific areas – is likely to find that its efforts won’t meet regulators’ tests, and it certainly is not an efficient means to build a culture of compliance.

Part 2 of this blog will look specifically at expectations in the DOJ Antitrust Division’s Evaluation of Corporate Compliance Programs in Criminal Antitrust Investigations. 

Click here to read Part 2 http://www.syntrio.com/blog-antitrust-guidelines-on-corporate-compliance-programs/

The Department of Justice’s Gift That Keeps on Giving – Part 3

Two prior blogs have addressed the recently updated 2019 Department of Justice Evaluation of Corporate Compliance Programs criteria. Department prosecutors use these criteria to assess an organization’s commitment to implementing and operating a compliance program when an organization comes before the Department, principally facing prosecution.

 

Among the chief factors that these criteria focus on is an organization’s compliance training and communications. Since 1991, when the US Sentencing Commission established its own evaluation criteria, training and communications have been considered an integral part of a successful compliance effort. The Department’s 2017 criteria continue this focus, and the 2019 updated Department criteria strengthen it. While these updates do not substantially change those important considerations regarding training and communication, they do enhance these considerations in some profound ways.

 

First, let’s return to the 2017 criteria. They focused on four principal components:

  1. Risk-based training
  2. Form, content and effectiveness of the training
  3. Communications about misconduct
  4. Availability of guidance

 

Risk-Based Training

According to the DOJ, it’s important that training relate to employees’ jobs; to this end, an organization should take steps to determine which training should be delivered to which employees, rather than simply deliver general compliance training to all employees. More specifically, for employees who engage in high-risk activities or handle certain control functions, an organization should determine which training they should receive and tailor it specifically to their job functions. This provides a means to focus limited training resources to better prevent or detect compliance problems. The 2019 guidance adds to this the importance of supervisory training, specifically whether supervisors receive different or supplementary training specific to their oversight roles. This supports the 2019 criteria’s broader focus on the role of managers, their duties to both prevent and detect compliance problems and the greater risk they can present if they engage in misconduct.

 

Training Form, Content and Effectiveness

The 2017 criteria asked whether training is provided in a form and language appropriate to its audience, and whether the organization measures the training’s effectiveness. This second criterion is even more important in the 2019 guidance due to its increased focus on whether a compliance program works in practice. The 2019 criteria add four more factors:

  • What’s an organization’s rationale for its decision to use online, in-person or both formats of training? In other words, has the organization actively considered whether the training approach it chooses will demonstrate effectiveness?
  • Does the training address the organization’s lessons learned from prior compliance incidents? This, of course, assumes that an organization periodically assesses its risks due to past problems in order to fold them into training.
  • Does the organization test learners on what they learn to determine whether the training is effective?
  • What steps does the organization take when employees fail part or all of this testing? (Surprisingly, it appears some organizations fail to follow up on testing failures!)

 

With these updates to the 2019 criteria, the DOJ signals that it expects organizations to give real consideration to the training that they implement, not just assume any training configuration suffices. The DOJ also indicates specific steps an organization can take to holistically demonstrate that the training will matter to what employees learn and what they do.

 

Communication About Misconduct

Outside (or perhaps as part of) training, the DOJ wants to see that leadership communicates its attitude regarding misconduct—in other words, that leadership will take steps to discipline transgressors. To this point, an important factor is how the organization communicates when an employee is terminated, or otherwise disciplined (added to the 2019 criteria), for failing to comply with the organization’s standards. For those organizations concerned about a lawsuit for communicating about an employee’s termination, these criteria suggest that such communications be anonymized so the lesson can still be conveyed while the organization avoids running afoul of privacy concerns.

 

Availability of Guidance

Finally, the fourth criterion remains the same in the 2019 update: What resources does the organization provide to employees to support compliance policies, and how does the organization assess whether employees know when to seek advice and whether they’re willing to do so? The DOJ still wants organizations to actively and purposefully provide their employees with guidance regarding compliance risks and demonstrate they know whether employees are comfortable using this guidance.

 

Additional Expectations

The 2019 criteria emphasize that an organization’s training include its directors, officers, and where relevant, agents and business partners, in addition to its employees. They also reinforce the importance that training be tailored to this audience’s size, sophistication and subject matter expertise, such as through training on case studies or real-life scenarios and providing guidance on ways learners can obtain ethics advice regarding specific situations they face.

 

In Conclusion

These expectations raise the bar on the level of training that organizations should anticipate providing. An organization can benefit from responding to these criteria in many ways:

  • It will likely fare better if it should run into a legal action the DOJ oversees
  • We anticipate other regulators will adopt similar guidelines in evaluating organizations that violate their related regulations
  • These criteria, or similar ones, are likely to make their way into case law and the criteria judges use to decide verdicts and sentence organizations
  • This raises the bar on good business practices as more and more organizations respond to these criteria in beefing up their own programs

 

As shown, many reasons exist for an organization to carefully consider how to implement strong, effective compliance training. Still, many businesses will focus on the effort involved in delivering such training versus the chance of running into regulatory or legal problems. In taking such a short-sighted approach, these businesses miss the many benefits to their operations by avoiding compliance problems in the first place.

When an Active Shooter Event Hits Home

The recent active shooter event on May 31 in Virginia Beach hit home for me. That’s my hometown. Two of the twelve victims attended the same high school as me at the same time—I had been friends with one.

We now regularly hear about active shooters—in schools, in churches, at shopping malls, in the workplace. Hopefully, as the frequency of these events seems to increase, we won’t become numb to their significance or begin to view them as commonplace. But the hundreds of individuals who experience them, and the many family members and friends affected, will surely not be numb to the pain these events cause.

As news stories continue to mount of active-shooter events and bystander deaths, such an event will soon hit home for practically everyone—whether it relates to someone’s relative, friend, former coworkers, child, or their own workplace. Given this trend, we’ll need to get accustomed to either remaining unguarded and unprepared or, instead, building the skills and confidence that, if needed, we can do something to protect ourselves and others.

In the US in 2017, 729 people were killed in active-shooter events. These events accounted for only about 5% of homicides by gun violence.1 Conversely, each year, US fire departments respond to roughly 3,400 office fires, which lead to an average of four deaths and 44 injuries per year.2 Yet every workplace has a fire emergency program, including fire drills and fire extinguisher testing. While the situations are not quite equivalent, we might ask how many more fire deaths would occur if employees were not trained on reporting and evacuation procedures.

Like fire and other emergencies, we can become prepared for active shooter events. This is a lesson from two recent incidents where, separately, two students rushed school shooters, either disabling the shooter or taking him down long enough for others to escape—apparently saving the lives of many classmates. Unfortunately, each student lost his life in the process.3 But how many lives did each save? How much worse could it have been had the student not rushed the shooter?

In the Virginia Beach incident, one of the unharmed employees indicated that the City’s active shooter training led one coworker to direct others to barricade themselves in an office, which she indicated saved their lives.

You can read the full article here: https://www.cbsnews.com/news/virginia-beach-shooting-survivors-say-active-shooter-training-helped-save-lives/

If preparation is key to surviving the continuing onslaught of active shooters, then what should training look like? The US Department of Homeland Security, along with the US Federal Emergency Management Agency and FBI, advocates a popular framework: Run, Hide, Fight.

Further, strong preparation can involve the following:

  • Provide training that gives the learner confidence in their ability to respond to an event
  • Encourage coworkers and departments to coordinate a shared plan
  • Provide managers with guidance about how they can help to lead during an event
  • Reinforce the training message so that the skills (and confidence in these skills) do not wane
  • Provide an employee with a way to self-refresh/reinforce the training when needed

Finally, because active-shooter events have so crowded the news cycle, we continue to hear about the stress and anxiety that individuals experience due to the news and “heavy-handed” training. Employers should consider training that minimizes the stress and anxiety while building confidence in the learner that they can be prepared and take rational actions in a chaotic situation.

Syntrio’s new Workplace Intruder: Smart Preparation for Personal Safety training program helps workplaces and their employees best prepare for the possibility of an active shooter. This training uses an approach that de-emphasizes attention on shooters and guns to lessen learner stress and anxiety while building their capability and confidence in their ability to respond during such an event.

Sources
1 “The terrible numbers that grow with each mass shooting,” Washington Post, October 1, 2017, (and ongoing updates).
2 “U.S. Structure Fires in Office Properties,” National Fire Protection Association, August 2013.
3 “List of mass shootings in the United States in 2019,” University of North Carolina at Charlotte, April 30, 2019; STEM School Highlands Ranch, Colorado, May 7, 2019; Wikipedia.

The Department of Justice’s Gift That Keeps on Giving – Part 2

The newly updated 2019 DOJ Evaluation of Corporate Compliance Programs criteria offer some valuable advances to how prosecutors should look at an organization’s compliance efforts.

 

First, it warrants noting that these updated criteria were issued by the DOJ’s Criminal Division; the 2017 criteria were issued by the Fraud Division, which is just one part of the Criminal Division.  So, the updated criteria apply to a larger pool of prosecutors and broader range of criminal offenses.

 

Second, the new criteria introduce three leading questions, in which all criteria are placed:

  1. Is the corporation’s compliance program well designed?
  2. Is the program being applied earnestly and in good faith? In other words, is the program being implemented effectively?
  3. Does the corporation’s compliance program work in practice?

 

This structure reinforces the point that “paper programs” with no substance and follow-through supporting them will not pass the test. DOJ wants to see programs with “teeth,” those that not only are well designed but also are well applied with tangible results.

 

Third, prosecutors will evaluate a compliance program as to its effectiveness when the relevant offense occurred and at the time of charging or other resolution. This assessment will weigh on the decision to prosecute or otherwise resolve the offense, any financial penalty, and any further compliance requirements. So, while a business should take proactive steps to build an effective compliance program, it still has some opportunity to build or reinforce these efforts after prosecutors begin to investigate. Though, why a company would bother to wait until this late in the game remains a mystery given all the benefits that come from avoiding an investigation, or an offense in the first place.

 

Fourth, the updated criteria are just over twice as long as the 2017 criteria (18 pages versus 8 pages), so they cover more criteria and in greater depth, providing prosecutors with more precise guidance and businesses with greater insight into how the DOJ views effective compliance.

 

Instead of listing each criterion separately as it did in 2017, the updated guidance places each criterion under a major heading. This emphasizes the importance of the design, implementation and follow-through of a compliance program. Here is the new structure of these criteria:

 

  1. Is the corporation’s compliance program well designed?
    1. Risk assessment
    2. Policies and procedures
    3. Training and communications
    4. Confidential reporting structure and investigation process
    5. Third party management
    6. Mergers and acquisitions

  2. Is the program being applied earnestly and in good faith? In other words, is the program being implemented effectively?
    1. Commitment by senior and middle management
    2. Autonomy and resources
    3. Incentives and disciplinary measures

  3. Does the corporation’s compliance program work in practice?
    1. Continuous improvement, periodic testing, and review
    2. Investigation of misconduct
    3. Analysis and remediation of any underlying misconduct

 

Immediately, we can see the similarity with the criteria for an effective compliance and ethics program under the US Sentencing Guidelines.

 

Without running through a line-by-line analysis of the differences between the 2017 and 2019 criteria (which anyone can perform using a MS Word document comparison function), suffice it to say that:

  • The substance of the 2017 criteria is preserved.
  • Certain additional items are added to the 2019 criteria that expand on each topic.
  • Greater commentary is provided regarding each topic to help organizations understand the DOJ’s purpose for the topic and to clarify its intent.

 

In the end, these updated criteria offer organizations a compelling roadmap for designing, instituting and maintaining an ethics and compliance program. Leadership need not stew over what the DOJ wants to see—the DOJ is stating it more explicitly than before. So, if an organization wants to place itself in the best possible position should it be investigated, charged with an offense, have its executives charged, or be prosecuted, this is the gift.

 

While certain executives will believe they never have to worry about these risks, it’s worth pointing out that, as these criteria become more fully adopted by businesses and other organizations, it raises the bar for effective ethics and compliance management.

 

Part 3 will address the new Criteria’s implications for organizations’ compliance training and communications efforts.