On June 1, the U.S. Department of Justice (DOJ) released an updated version of its guidance document, Evaluation of Corporate Compliance Programs, replacing the previous guidance from April 2019. Differences between the 2019 and 2020 documents are primarily in the form of new considerations that have been added to the 2020 version, all of which are solid additions.
The primary area in which the 2020 version changes the wording in a section from the 2019 document is in connection with the three “fundamental questions” on which the remainder of the guidance is based. The second fundamental question has been changed from one focused on whether the compliance program is being “effectively implemented” to one addressing whether the program is ”adequately resourced and empowered to function effectively.”
This represents an important and welcome change. To be effective, a compliance program must not only include qualified personnel, but it must receive adequate resources of all types – personnel, financial, etc. It must also be empowered to take the actions needed to make a program effective. This change addresses one of the common problems we see with compliance programs – the head of the compliance function is a qualified individual, but is not supported with sufficient resources and is not sufficiently empowered to effect necessary change.
Other 2020 changes include several important additional considerations:
- Whether risk assessments are continuous in nature or merely “snapshots” from periodic assessments, suggesting ongoing consideration of new data
- Whether past issues of the company or of other similar companies are considered in performing the risk assessment as well as in making improvements to the program
- Whether policies and procedures are made available in a searchable manner and whether common searches are identified, indicating employee interest in specific areas
- Whether training programs include (a) shorter and targeted training for certain audiences, (b) processes for employees asking questions, and (c) evaluations of whether training impacted employee behavior or operations
- Whether the company tests employee awareness of and comfort with using the reporting system and whether the reporting system is tested for effectiveness by tracking a report from start to finish
- Whether the reporting system is publicized to third parties
- Whether risk management of third parties continues throughout the lifespan of the relationship, rather than only during the onboarding process
- Whether post-acquisition audits are performed in connection with newly acquired entities, rather than merely during the due diligence process
- Whether a culture of ethics and compliance includes a commitment at all levels of the company, including the middle of the company, not only the top.
- Whether the company invests in training and development of compliance and control personnel
- Whether compliance and control personnel have access to data to enable them to perform timely and effective monitoring and testing
- Whether the compliance function monitors investigations and resulting discipline to ensure consistency
Every one of these changes is sound and consistent with what we teach in our training programs on compliance and ethics programs at SCCE and HCCA. It is god to see these important factors have been added to the DOJ guidance.