Insight into How the DOJ Evaluates Compliance Programs
The Department of Justice (“DOJ”) recently published a report on its public website called “Evaluation of Corporate Compliance Programs.” The intention of the guidance is to provide transparency about the factors that the DOJ will consider in reviewing information from organizations involved in DOJ investigations.
Organizations involved in self-disclosures may be asked for evidence of compliance programs and activities but are typically given the benefit of the doubt on the effectiveness of their programs. In contrast, organizations under investigation face a more stringent review of compliance programs as described in this new guidance.
The “Principles of Federal Prosecution of Business Organizations” in the U.S. Attorney’s Manual sets out the so-called “Filip Factors” for use in deciding whether or not to bring charges or in negotiating plea or other types of agreements. (This differs from, and is in addition to the OIG’s review of compliance programs to determine whether or not a corporate integrity agreement or certificate of compliance should be imposed.)
In publishing the guidance, the DOJ emphasizes that there is no single approach to how the factors are applied—each organization is considered individually. However, the Filip Factors are consistently reviewed to the extent that they are relevant to a particular case.
Eleven broad categories are examined. The sub-points indicate more detailed analysis within the category:
- Analysis and Remediation of Underlying Misconduct. Includes root cause analysis, prior indications of misconduct; remediation pursued by the organization.
- Senior and Middle Management. Includes an analysis of the conduct by senior leaders, indications of commitment to compliance and communication of the commitment, quality of oversight by the governing body.
- Autonomy and Resources. What was the role of compliance in decision-making, control and training functions related to the misconduct; what is the stature of the compliance role compared to other functions in the organization; are compliance personnel qualified and experienced; does the compliance officer have sufficient autonomy to carry out necessary functions; is funding of the compliance function adequate.
- Policies and Procedures. Includes analysis of the process for designing and reviewing compliance policies, are policies adequate and fully implemented and enforced, is there effective training on policies, are policies well-communicated, are policies extended to vendors.
- Risk Assessment. What processes are used to identify risk areas, what information or metrics are used to detect misconduct.
- Training and Communications. What training is provided and to whom, is the training effective, has it been measured, how does the organization communicate remediation of misconduct, what resources are available to provide guidance to employees about compliance.
- Confidential Reporting and Investigation. Inquiry into the processes, analyses and follow-up steps when compliance issues are reported, are investigations properly conducted by trained personnel, how does the organization respond to the results of investigations.
- Incentives and Disciplinary Measures. What disciplinary actions were taken as a result of investigations of misconduct, who participated in the disciplinary process, are disciplinary actions fairly and consistently applied across the organization and at all levels of the organization, how has the organization incentivized compliance and ethical behavior.
- Continuous Improvement, Periodic Testing and Review. How and what does the organization audit in terms of compliance issues, how are audits reported and addressed, is the audit program itself reviewed and evaluated, do audit results inform policy and procedure updates.
- Third Party Management. Are there third-party managers involved in the organization, are there appropriate controls over third party managers.
- Mergers and Acquisitions (M&A). Does the due diligence process identify possible misconduct, how has the compliance function been integrated into the merger, acquisition, and integration process.
The full document details each of these 11 categories of review. The guidance provides useful information to all organizations as a basis for evaluating their compliance programs: it addresses not only the seven elements of effective compliance programs set out in the Federal Sentencing Guidelines (as carried through in the various versions of the OIG’s voluntary compliance guidance), but goes a step further with additional categories and areas of analysis such as risk assessment and the autonomy and resources available to the compliance function.