Closely following the Commodity Futures Trading Commission’s (CFTC) recent update on it’s Enforcement Manual (see here) the Department of Justice (DoJ) revised its memo entitled “Evaluation of Corporate Compliance Programs” earlier this month. Two of the highlights of the update relate to compliance program design and monitoring of the program itself. Careful consideration of these two factors should be given by compliance professionals when designing and implementing their respective compliance programs.
Is the Corporation’s Compliance Program Well Designed? Does the program include:
- Risk assessments,
- Effective policies and procedures,
- Well-designed training and communications,
- A confidential reporting structure and investigation process
- A comprehensive third-party management system (including defining the business purpose of the third party and ongoing monitoring of third parties),
- Comprehensive due diligence of potential acquisitions.
Of interest is that the DoJ guidance now states DoJ staff are to determine if the compliance program includes monitoring access to policies. “Does the company track access to various policies and procedures to understand what policies are attracting more attention from relevant employees?” Think meta-data for policies!
Emphasis was also placed on incorporating “lessons learned” into the compliance program. “Does the company review and adapt its compliance program based upon lessons learned from its own misconduct and/or that of other companies facing similar risks?”
I have found this to be one of the hardest objectives to fulfill for an organization. Really, who likes to air their dirty laundry? However, if correctly done the incorporation of lessons learned into program construction and compliance training can have material, beneficial effects. The benefits include affirming upper management’s commitment to compliance, positively impacting employee behavior, and compliance program improvements.
Closely related to the “lessons learned” is the DoJ’s emphasis on understanding why a compliance program was structured the way it was. Learning from past missteps is a key component in structuring the program in the continuous improvement journey.
The DoJ’s guidance once again re-iterates the need for consistent enforcement and discipline when there is a breach. The new wording, “Does the compliance function monitor its investigations and resulting discipline to ensure consistency?” emphasizes this point. For true compliance professionals this can be a nettlesome subject. The competing pressures of management’s desire for a compliant organization and profitability from star performers with their sometimes-attendant mis-prioritization of profits without due consideration to how those profits are achieved is a balancing act.
With that in mind, the DoJ reminds its prosecutors to ask three key questions when contemplating charging an organization:
1. “Is the corporation’s compliance program well designed?”
2. “Is the program being applied earnestly and in good faith?” In other words, is the program adequately resourced and empowered to function effectively?
3.“Does the corporation’s compliance program work” in practice? The DoJ’s guidance is expanding the lens and the angles with which they are going to review compliance programs. It is much more than what you put on paper.