The Department of Justice’s Gift That Keeps on Giving – Part 3
Two prior blogs have addressed the recently updated 2019 Department of Justice Evaluation of Corporate Compliance Program criteria. Department prosecutors use these criteria to assess an organization’s commitment to implementing and operating a compliance program when an organization comes before the Department, principally facing prosecution.
Among the chief factors that these criteria focus on is an organization’s compliance training and communications. Since 1991, when the US Sentencing Commission established its own evaluation criteria, training and communications has been considered as an integral part of a successful compliance effort. The Department’s 2017 criteria continue this focus, and the 2019 updated Department criteria strengthens it. While these updates do not substantially change those important considerations regarding training and communication, they do enhance these considerations in some profound ways.
First, let’s return to the 2017 criteria. It focused on four principal components:
- Risk-based training
- Form, content and effectiveness of the training
- Communications about misconduct
- Availability of guidance
According to the DOJ, it’s important that training relate to employees’ jobs; to this end, an organization should take steps to determine which training should be delivered to which employees, rather than simply deliver general compliance training to all employees. More specifically, an organization should determine for employees that engage in high-risk activities or handle certain control functions which training they should receive and that is tailored specifically to their job functions. This provides a means to focus limited training resources to better prevent or detect compliance problems. The 2019 guidance adds to this the importance of supervisory training—specifically whether supervisors receive different or supplementary training specific to their oversight roles. This supports the 2019 criteria’s broader focus on the role of managers, their duties to both prevent and detect compliance problems and the greater risk they can present if they engage in misconduct.
Training Form, Content and Effectiveness
The 2017 criteria asked about whether training is provided in a form and language appropriate to its audience, and whether the organization measures the training’s effectiveness. This second criterion is even more important in the 2019 guidance due to its increased focus on whether a compliance program works in practice. The 2019 criteria adds four more factors:
- What’s an organization’s rationale for its decision to use online, in-person on both formats of training? In other words, has the organization actively considered whether the training approach it chooses will demonstrate effectiveness?
- Does the training address the organization’s lessons learned from prior compliance incidents? This, of course, assumes that an organization periodically assesses its risks due to past problems in order to fold it into training.
- Does the organization test learners on what they learn to determine whether the training is effective?
- What steps does the organization take when employees fail part or all of this testing? (Surprisingly, it appears some organizations fail to follow up on testing failures!)
With these updates to 2019 criteria, the DOJ signals that it expects organizations to give real consideration to the training that it implements—not just assume any training configuration suffices. It also indicates specific steps the organization can take to holistically demonstrate that the training will matter to what employees learn and what they do.
Communication About Misconduct
Outside (or perhaps as part of) training, the DOJ wants to see that leadership communicates about its attitude regarding misconduct—in other words, that leadership will take steps to discipline transgressors. To this point, an important factor is how the organization communicates when an employee is terminated, or otherwise disciplined (added to the 2019 criteria), for failing to comply with the organization’s standards. For those organizations concerned about a lawsuit for communicating about an employee’s termination, these criteria suggest that such communications be anonymized so the lesson can still be conveyed while the organization avoid running afoul of privacy concerns.
Availability of Guidance
Finally, the fourth criteria remains the same in the 2019 update: What resources does the organization provide to employees to support compliance policies, and how does the organization assess whether employees know when to seek advice and whether they’re willing to do so? The DOJ still wants organizations to actively and purposefully provide their employees with guidance regarding compliance risks and demonstrate they know whether employees are comfortable using this guidance.
The 2019 criteria emphasize that an organization’s training include its directors, officers, and where relevant, agents and business partners, in addition to its employees. They also reinforce the importance that training be tailored to this audience’s size, sophistication and subject matter expertise, such as through training on case studies or real-life scenarios and providing guidance on ways learners can obtain ethics advice regarding specific situations they face.
These expectations raise the bar on the level of training that organizations should anticipate providing. An organization can benefit from responding to these criteria in many ways:
- It will likely fare better if it should run into a legal action the DOJ oversees
- We anticipate other regulators will adopt similar guidelines in evaluating organizations that violate their related regulations
- These criteria, or similar ones, are likely to make their way into case law and the criteria judges use to decide verdicts and sentence organizations
- This raises the bar on good business practices as more and more organizations respond to these criteria in beefing up their own programs
As shown, many reasons exist for an organization to carefully consider how to implement strong, effective compliance training. Still, many businesses will focus on the effort involved in delivering such training versus the chance of running into regulatory or legal problems. In taking such a short-sighted approach, these businesses miss the many benefits to their operations by avoiding compliance problems in the first place.