Recently, Assistant Attorney General Kenneth A. Polite Jr. delivered remarks at Compliance Week detailing how the DOJ evaluates corporate compliance programs. The purpose of clearly stating these expectations in detail is to “ensure that companies are designing and implementing effective compliance systems and controls, creating a culture of compliance, and promoting ethical values,” says Polite.
In this article, we summarize what compliance professionals need to know to ensure their programs align with DOJ guidance. To begin, Polite outlines three main expectations the DOJ has regarding compliance programs:
- Compliance programs are well designed
- They are adequately resourced and empowered to function effectively
- They work in practice
Compliance programs must be well designed
Polite makes very clear points about how compliance programs should be designed and what the DOJ expects from organizations to meet this standard.
“First, when we say that we expect a company’s compliance program to be well designed, we closely examine the company’s process for assessing risk and building a program that is tailored to manage its specific risk profile. We want to see whether the company has implemented policies and procedures that are designed to address the key risk areas identified in its risk assessments, and that those policies and procedures are easily accessible and understandable to the company’s employees and business partners. We want to know how the company is training employees, management, and third-parties on the risk areas and responsibilities applicable to those individuals. Policies, training, and other processes should address relevant high-risk elements of the company’s business model, such as third-party relationships or mergers and acquisitions. We want to see that the company has established a process for reporting violations of law or company policy that encourages employees to speak up without fear of retaliation, and that those reports are taken seriously, appropriately documented, investigated, and—if substantiated—remediated.”
Programs must be adequately resourced
Polite draws on his experience as a compliance officer and discusses some of the common challenges you may also face.
“I know the resource challenges. The challenges you have accessing data. The relationship challenges. The silo-ing of your function. You are called upon to be a resource for information, an enforcer of law and policy, and somehow the primary architect of your company’s ethical culture,” says Polite.
Compliance officers facing resource allocation challenges may want to invoke Polite’s guidance on how the DOJ defines “adequate resources”.
“When we are evaluating whether a compliance program is adequately resourced and empowered to function effectively, we want to know more than dollars, headcount, and reporting lines. We will review the qualifications and expertise of key compliance personnel and other gatekeeper roles. We want to know if compliance officers have adequate access to and engagement with the business, management, and the board of directors. We seek to understand whether and how a company has taken steps to ensure that compliance has adequate stature within the company and is promoted as a resource. A company’s commitment to promoting compliance and ethical values at all levels—from the chief executive on down to middle and lower-level managers—is critical.”
Programs must work in practice
A well-designed compliance program is one that is embedded in company culture, is utilized by employees at all levels, and, to reiterate the point above, is well resourced with empowered leaders.
“We want to see evidence that the compliance program is working in practice. We look at whether the company is continuously testing the effectiveness of its compliance program, and improving and updating the program to ensure that it is sustainable and adapting to changing risks. We want to know that a company can identify compliance gaps or violations of policy or law. Equally importantly, we want to see how the company addresses the root causes of these gaps or violations and finds ways to improve its controls and prevent recurrence of issues. We want to see examples of compliance success stories— the discipline of poor behavior, the rewarding of positive behavior, the transactions that were rejected due to compliance risk, positive trends in whistleblower reporting, and the partnerships that have developed between compliance officers and the business. We are also interested in how a company measures and tests its culture—at all levels of seniority and throughout its operations—and how it uses the data from that testing to embed and continuously improve its ethical culture,” says Polite.
Polite also notes that “whether and how the company responds to prior misconduct speaks to its commitment to compliance and an ethical culture. Companies that have effectively deployed capabilities to conduct independent monitoring and testing of all elements of their compliance program, not just their financial controls…”.
“We prefer not to hear a ‘check-the-box’ presentation from outside counsel. We like to see the Chief Compliance Officer leading the compliance presentation and demonstrating knowledge and ownership of the compliance program. Not for show, but because we want to empower these teams,” says Polite.
He then continues, “Other senior management should also participate, taking ownership of their role in the compliance program and demonstrating commitment to compliance. Based on what we learn about the company’s compliance program, we determine whether an independent compliance monitor should be imposed.”
“We believe that monitorships are effective tools for strengthening corporate compliance programs in companies where there were compliance weaknesses that resulted in criminal conduct. Monitors can be allies to compliance officers in making recommendations that create lasting, sustainable change in corporate culture,” says Polite.
How the DOJ addresses compliance monitor selection
The DOJ expects to impose independent compliance monitors when appropriate in order to satisfy the prosecutors that programs are adhering to the compliance and disclosure obligations for a non-trial resolution. In these cases, they follow the Criminal Division’s selection procedures to ensure the candidates are well-qualified with “deep compliance experience”, and they demonstrate diversity in experience and background.
Polite also states that even when a compliance monitor is not deemed necessary, there is still work to be done. “When we determine that a monitor is not necessary, that does not mean that the company’s obligations to continue to test, improve, and demonstrate the effectiveness of its compliance program end when the resolution is papered. Companies without a monitor are still required to comply with ongoing obligations and report to the Department regarding the status of compliance obligations.”
Building the case for mature compliance programs
Because compliance programs do not usually deliver an immediate return on investment, decision-makers at some organizations may be reluctant to invest fully in maturing the ethics and compliance (E&C) function. This is, unequivocally, a risky business decision. As Polite makes clear, “We are holding companies accountable for failing to comply with their obligations under our corporate resolutions—including obligations to implement an effective compliance program, cooperate, or report allegations of misconduct.”
If you are struggling to gain traction, this poignant statement may provide clarity to those blocking the path to program funding and maturation:
“Our message is clear – companies that make a serious investment in improving their compliance programs and internal controls will be viewed in a better light by the Department. Support your compliance team now or pay later.”
Polite adds that this statement is “a new tool in your arsenal to combat those challenges. It is the type of resource that compliance officials, including myself, have wanted for some time, because it makes it clear that you should and must have appropriate stature in corporate decision-making. It is intended to empower our compliance professionals to have the data, access, and voice within the organization to ensure you, and us, that your company has an ethical and compliance focused environment.”
What’s next?
Whether you are just getting started or seeking to fortify and mature your organization’s compliance program, there is plenty of ammunition demonstrating the importance and value of strong E&C programs. Compliance officers should feel empowered to advocate for the resources and autonomy needed to improve the health and culture of their organizations via the E&C programs they lead.
The full transcript of Polite’s remarks can be found here.