Last week, the Department of Justice (DOJ), without fanfare, released an update to its 2019 Evaluation of Corporate Compliance Programs. For simplicity, I’ll call this new document the DOJ 2020 Update. The DOJ 2020 Update is most welcome news for every Chief Compliance Officer (CCO), compliance professional and corporate compliance program in the US and beyond. The reason is simple: it ends, once and for all, the clarion call for paper compliance programs written by lawyers for lawyers. The DOJ has now articulated what both the business and compliance communities have been learning—that compliance is a business process and as a process, it can be measured, managed and, most importantly, improved. I’ll preview the updates here, and you can get a fully-detailed overview of the updates in my whitepaper.
The concepts around risk assessments are one of the biggest changes found in the DOJ 2020 Update. The question-by-question analysis begins with “Is the periodic review limited to a “snapshot” in time or based upon continuous access to operational data and information across functions?” Do you have access to continuous and real time transactional data at your organization? How about across silos within your organization? Most likely the answer to both is “no”. This means you no longer have a best practices compliance program at this point in time.
How can you garner such information? You can begin by pulling compliance related data from each one of your key data points and update your risk assessment. The next question found in Updates and Revisions subsection ties into the sole question found in the Lessons Learned subsection. They both relate to the single inquiry of how you used the data: Did you incorporate your findings into updating your compliance program?
Continuous Monitoring and Continuous Updating
The final area in the DOJ 2020 Update for consideration is appropriately called Continuous Improvement, Periodic Testing and Review and is found in the subsection monikered Evolving Updates. It reads Does the company review and adapt its compliance program based upon lessons learned from its own misconduct and/or that of other companies facing similar risks?
Similar to the language under Risk Assessment, this compound question considers the adaptation of a compliance program from your own lessons learned but also from other companies. The distinction now is that phrase includes “other companies facing similar risks.” Think about how this language would apply to any company operating in China, West Africa or any other high-risk region in the globe. I would interpret this to mean every CCO and compliance practitioner needs to stay abreast of international anti-corruption enforcement actions where your company may be doing business.
Mergers and Acquisitions
Under M&A, the DOJ 2020 Update stated: (all changes in italics) “F. Mergers and Acquisitions (M&A) A well-designed compliance program should include comprehensive due diligence of any acquisition targets, as well as a process for timely and orderly integration of the acquired entity into existing compliance program structures and internal controls. Pre-M&A due diligence, where possible, enables the acquiring company to evaluate more accurately each target’s value and negotiate for the costs of any corruption or misconduct to be borne by the target. Flawed or incomplete pre- or post-acquisition due diligence and integration can allow misconduct to continue at the target company, causing resulting harm to a business’s profitability and reputation and risking civil and criminal liability.”
The clear emphasis of the DOJ is around the pre-acquisition phase in M&A work. Were you prevented from engaging in pre-acquisition due diligence because of some rule or regulation? If so, what did you do about it? Did you take the approach of Halliburton, as it did in the resulting Opinion Release 08-02 and seek DOJ input? Was your post-acquisition integration protocol more robust? If so, how? Also, after closure, did you perform a full audit of the acquired entity? For the sake of your compliance program, I hope you did. Yet the clear emphasis here is on the pre-acquisition phase.
Even in 2020, third parties still represent the highest risk under the FCPA. Here the DOJ noted, “Prosecutors should also assess whether the company knows the business rationale for needing the third party in the transaction, and the risks posed by third-party partners, including the third-party partners’ reputations and relationships, if any, with foreign officials…In sum, a company’s third-party management practices are a factor that prosecutors should assess to determine whether a compliance program is in fact able to “detect the particular types of misconduct most likely to occur in a particular corporation’s line of business.”
It is the new final question in the DOJ 2020 Update, coupled with the new language in the preamble to the section on third parties, which is so significant. It makes clear that management of third parties is a process, and one that must continue on an ongoing basis throughout the lifetime of the relationship with your organization. This also re-emphasizes the importance of managing the relationship after the contract is executed from the compliance perspective. Your role in the compliance function is not simply to review due diligence and add compliance terms and conditions to the contact. Your role is to oversee the relationship which the business sponsor manages on the ground. This is fully operationalizing your compliance regime.
Quality of CCO and Compliance
Under Part II, the changes started with the title of the section which was amended to read “II. Is the Corporation’s Compliance Program Adequately Resourced and Empowered to Function Effectively? This change was then driven home immediately in the introductory paragraph. Even a well-designed compliance program may be unsuccessful in practice if implementation is lax, under-resourced, or otherwise ineffective. The introduction also added language from the US Sentencing Guidelines which reads, “(those with “day-to-day operational responsibility” shall have “adequate resources, appropriate authority and direct access to the governing authority or an appropriate subgroup of the governing authority”).”
In experience and qualification, clearly there must be ongoing professional development for the CCO, the compliance team members and also the other control personnel in the company. This means that as a leader, every CCO should work with their compliance team to set up a clear path for career development and, more importantly, specific compliance subject matter expertise. This includes in the latest developments in compliance and evolving best practices. It also means as a CCO you have to do the same career development.
What about the phrase “other control personnel,” and who is this group? I have long advocated use of non-compliance function gatekeepers in any best practices compliance program. Should personnel include the legal department, compliance function, Supply Chain, Human Resources, payroll or Internal Audit? It is basically any person in your company who makes the decisions regarding compliance issues.
Data, Data, Data
The second area of inquiry is the access to and use of data, data analytics, and transaction monitoring by the compliance function. These queries are not simply phrased in the negative; they require a company to work to make such data available to the CCO and compliance function. This is a much more stringent requirement than the CCO calling up IT to find out what data might be available to monitor on an ongoing basis. These questions require every company to take affirmative steps to make the data available and get to it the compliance in some type of usable format.
Institutional Justice and Fairness
The DOJ 2020 Update posed the following questions “Does the compliance function monitor its investigations and resulting discipline to ensure consistency?” This mandates monitoring to ensure consistency because inconsistency, showing favoritism to those who violate the compliance program, or do not implement it undermines the entire idea of compliance, and those responsible for making it happen. This speaks to institutional justice and institutional fairness. These are not simply the cornerstones of a compliance program—they are the cornerstones of companies. If there is no fairness and justice, what is the point of working for a company? I recognize this is an evolutionary step, but the CCO and compliance function must lead this dialogue in an organization. If the ubiquitous control-overrider and compliance corner-cutter becomes the highest grossing salesperson, receives the biggest bonus and most promotion, this all speaks to lack of fairness and justice in an organization. It is more than just fairness at the point in time. If such situations exist, employees will correctly conclude that there are no consequences to such action or more invidiously, the only way to get ahead in an organization is to lie, cheat and steal. This is even more reinforced if the top management actively or tacitly encourages such behavior.
As compliance moves into the second half of 2020 and into the third decade of this century, the DOJ 2020 Update may well be seen as a key demarcation where the government demonstrated that, properly viewed, compliance is more than a business process, it is a business program.
For a full overview of the DOJ 2020 update, download my whitepaper. I analyze the specific wording of each update and what it means for your compliance program