“And the Hits Just Keep on Coming”
The US Department of Justice’s Updated Evaluation of Corporate Compliance Programs (June 2020)
- Regulator Seriousness. Given this is the second update within three years, the evaluation criteria clearly matter to the DOJ in how it handles corporate misconduct and most likely to other federal and state regulators that investigate and charge businesses with compliance failures. What’s more, the bar continues to rise regarding what regulators expect to see in compliance management.
- Relevance to Peers. Businesses and other organizations increasingly look to these DOJ evaluation criteria as the de facto framework for compliance management. The DOJ’s criteria are quickly eclipsing the US Federal Sentencing Guidelines’ compliance framework in terms of specificity and application, so businesses are paying more attention to what the feds expect to see in good compliance management. So, it’s likely a business’s peers/competitors are paying attention to the criteria.
- Evolution of Risk Management. The updated DOJ evaluation criteria demonstrate the continued evolution of compliance risk management as an increasingly important part of business strategy. Businesses that better manage their risks improve control over performance and increase the likelihood of their success.
Whether you take this blog’s title as a cultural reference to radio deejays continuing to spin the most popular tunes, or as a sarcastic complaint about a rolling tide of challenges one faces—it’s an apt expression for the US Department of Justice’s release on June 1 of its (again) updated Evaluation of Corporate Compliance Programs publication. These updates both continue the foundations of compliance management and challenge businesses (and other organizations) to keep upgrading their compliance programs.
Why This Update Matters
This is the third version of the DOJ’s evaluation criteria to be published; the first version came out in 2017 and a revision was introduced last April (2019). Why is this update – and the overall evaluation criteria – important?
- The DOJ takes this issue seriously. Even though the Department’s compliance expert Hui Chen departed three years ago, the DOJ continues to both use and refine the evaluation criteria. That indicates that the Department is actively using the framework.
- The DOJ is gaining experience with the evaluation criteria and refining them. This means the regulators will more actively use and precisely apply the criteria to companies under investigation or being charged.
- Other regulators are likely to pay attention to both the DOJ criteria and its updates. This includes federal agencies, like Health & Human Services, Federal Trade Commission and others, as well as state regulators. Just as many regulators keyed their compliance enforcement off of the US Federal Sentencing Guidelines’ compliance criteria (that originated in 1992), the DOJ criteria are quickly becoming the de facto framework for compliance management. We are seeing these evaluation criteria make their way into other regulators’ compliance guidance and enforcement efforts.
- It’s likely a business’s peers/competitors are paying attention to the criteria. Through countless news stories and case studies, businesses are learning that managing compliance risks leads to several good outcomes:
  - Reduced regulatory fines and attorneys’ fees due to compliance failures
  - Reduced internal costs due to compliance failures
  - An improved business reputation
  - Ability to build loyalty with current customers and attract new customers
  - Ability to work with and strengthen relationships with preferred suppliers and other business partners
  - Ability to attract the best employees
  - Improved reputation with local communities, NGOs and other stakeholder advocacy groups
So, if an organization’s peers are paying attention (and the best-performing ones most likely are), failing to do so risks a business falling behind others in managing risk and reputation.
- The DOJ evaluation criteria signal another step toward improved business risk management. The enterprise risk management and ethics and compliance fields have grown since their early beginnings in the late 1980s/early 1990s and continue to pick up steam in demonstrating more effective ways to mitigate and manage risk as part of a well-designed business strategy. Businesses that demonstrate an increasing ability to manage risk as part of an overall strategy are likely to win out against competitors—whether due to stronger reputation, ability to attract the best employees and customers, weather difficult economic periods, or other factors.
Overall, little of the evaluation criteria has changed. And so it’s interesting that the DOJ has released a second update just fourteen months after the last update. This shows the DOJ is paying attention to, actively applying, and continuing to learn from its experience with the evaluation criteria. Further, by publishing this second update so soon after last year’s update, the DOJ shows that it actively wants the business community to pay attention to these criteria, both to reduce the risk they will come before the DOJ and, presumably, so that they improve at compliance management.
Again, the update is nuanced and does not include significant changes. Here’s a general review of the changes:
- Whether a business designs its compliance program based on its specific characteristics, including size, industry, geographic footprint, regulatory landscape, and other factors, both internal and external to operations, that might impact its compliance program
- The DOJ will apply the criteria both when investigating a business and when charging it or otherwise resolving the matter.
- Whether a compliance risk assessment is designed as a continuous process and whether this process includes lessons learned from past incidents by the company or its industry or geographic peers
- Whether a business’s policies are easily identifiable based on need and actually used by staff (and whether it knows which ones staff more actively uses)
- The DOJ points out that shorter, more targeted training can help employees to identify and raise concerns regarding compliance issues.
- Whether training includes a way for staff to ask questions about the instruction
- Whether a business evaluates if training impacts employees’ conduct
- Whether the business tests employees’ awareness of any hotline and their comfort in using it, and whether it tests the hotline’s effectiveness
- Whether a business evaluates the need for a third-party relationship and related risks posed by the relationship, and whether any third-party risk management efforts extend through the term of the relationship
- In mergers and acquisitions, whether: pre-project due diligence was completed, post-acquisition audits were performed, post-merger/acquisition efforts include compliance program integration
- Whether compliance efforts are under-resourced
- Whether a culture of compliance is fostered at all levels of a business, not just at the top
- Whether the business invests in training and development of compliance and other control staff
- Whether compliance staff have access to data and other resources to adequately monitor for compliance
- Whether compliance staff monitor investigations and related disciplinary actions to ensure consistency
- Whether the business adapts its compliance efforts based on its own and peers’ instances of misconduct
What a Business Should Do
Given how the DOJ has signaled to businesses with the publication of this second update, here are some considerations:
- Take the DOJ evaluation criteria seriously as the emerging de facto framework for compliance management. Expect to see additional updates as the DOJ learns more about compliance management from the cases that come before it.
- Consider compliance management as an integral part of an overall enterprise risk management program—which, in itself, should be a key leg of a broader business strategy framework. It’s pretty simple: the better a business controls its risks, the more it can focus on innovating its products and services and growing the business.
- Look at what the best competitors are doing. They’re the best in the field partly because they manage risk better than others. This includes compliance risk. There’s a good chance that they take the DOJ evaluation criteria, and its updates, seriously.
- Use the DOJ evaluation criteria updates as benchmarking for ways to evolve a compliance program. Remember that the DOJ only prosecutes the worst of the violators; if these regulators are baking new criteria into how they evaluate the most egregious business transgressions, there’s a good chance that many other businesses already have adopted these steps.
As mentioned last year in our blog series on the 2019 DOJ evaluation criteria update, this is a gift from the regulators that keeps on giving—businesses keep benefitting from the DOJ’s investigation and prosecution experiences of malfeasant companies without having to experience the pain themselves. This latest update provides an additional gift and, at the same time, raises the bar on expected compliance practices. As many businesses that run afoul of a regulator or other stakeholder that initiates a legal proceeding against them can attest, it’s a painful and disabling process to deal with the many costs of regulatory or other scrutiny into a business’s questionable practices—and then make compliance changes it could have made earlier at a mere fraction of the cost and effort.
Ignore this guidance at your business’s peril.
Please find our previous blog series “The Department of Justice’s Gift That Keeps on Giving” here: