The guidance is framed around three ‘fundamental questions’ compliance officers should answer:
- Is the corporation’s compliance program well designed?
- Is the program being applied earnestly and in good faith? In other words, is the program being implemented effectively?
- Does the corporation’s compliance program work in practice?
- Risk Assessment
- Policies and Procedures
- Training and Communications
- Confidential Reporting Structure and Investigation Process (Whistleblowing)
- Third Party Management
- Mergers and Acquisitions (M&A)
For assessing the effectiveness of the internal whistleblowing system, the DoJ has added:
Does the company have an anonymous reporting mechanism, and, if not, why not? How is the reporting mechanism publicized to the company’s employees? Has it been used?
The emphasis on anonymous reporting will challenge corporations that offer only an email address or a phone number for employees to speak up. From an organizational perspective, offering truly anonymous reporting channels is beneficial: studies indicate that companies that offer specialized channels receive more reports, and 59% of reporters choose to report anonymously when that option is available.
In addition to guidance on reporting mechanisms, greater emphasis is placed on the investigation structure. Prosecutors want to see that corporations have well-resourced case management systems and processes that ensure allegations and suspicions of misconduct are thoroughly investigated and that lessons are learnt:
Are the reporting and investigating mechanisms sufficiently funded? How has the company collected, tracked, analyzed, and used information from its reporting mechanisms? Does the company periodically analyze the reports or investigation findings for patterns of misconduct or other red flags for compliance weakness?
For the compliance risk assessment, the DoJ now emphasizes the importance of conducting regular reviews – a best practice approach, since risks and the regulatory landscape are constantly changing. The new section in the guidance document reads:
Is the risk assessment current and subject to periodic review? Have there been any updates to policies and procedures in light of lessons learned? Do these updates account for risks discovered through misconduct or other problems with the compliance program?
Policies and Procedures
The DoJ made several changes to this topic. At the bare minimum, corporations must demonstrate a robust code of conduct for the whole organization. In addition, the guidance expands on how prosecutors will assess whether policies and procedures are embedded in the organization. For instance, prosecutors should consider whether the policy and procedure system is rooted in the respective risks and regulatory landscape:
Comprehensiveness – What efforts has the company made to monitor and implement policies and procedures that reflect and deal with the spectrum of risks it faces, including changes to the legal and regulatory landscape?
Responsibility for Operational Integration – Who has been responsible for integrating policies and procedures? Have they been rolled out in a way that ensures employees’ understanding of the policies? In what specific ways are compliance policies and procedures reinforced through the company’s internal control systems?
With its more comprehensive style, the DoJ provides a clearer guideline for companies about what to expect when under investigation by US authorities. Having an effective compliance program in place at the time of misconduct can have a positive effect on the outcome of the prosecution or resolution, as long as the program matches the key requirements outlined in the guide. Therefore, the updated DoJ guide is essential reading for all compliance professionals – regardless of where their companies’ headquarters are located.