On April 30th, 2019, the United States Department of Justice issued a press release (see here) announcing the publication of an updated version (the previous one dating from February 2017) of the Criminal Division guidelines for prosecutors on “Evaluation of Corporate Compliance Programs”.
Although its main purpose (as with the 2017 document) is to ensure that public prosecutors “evaluate the effectiveness of compliance in a rigorous and transparent manner”, there is no doubt that this new updated version will also be reviewed and used by companies, especially those doing business with the US or with US companies (suppliers, third-party vendors, etc.).
According to the US D.O.J., this document and the topics it addresses should not be seen as a checklist or a formula; rather, attention should be paid to the relevant facts of every case.
At Legal Compliance, we strongly recommend that our clients, and their Compliance Officers, carry out a thorough analysis of the updated document and the principles these new guidelines lay down. You can download the document here.
We also believe it could prove extremely helpful for companies based in Spain that are seeking to have their Criminal Compliance Management System certified under the UNE-ISO 19601 or ISO 37001 standards.
At a glance, this new, reinforced 2019 Guidance on Corporate Compliance Evaluation addresses, as always, three main issues connected with effectiveness:
1.- Is the corporation’s compliance program well designed?
2.- Is the program being applied earnestly and in good faith?
3.- Does the compliance program work in practice?
The 18-page document poses various questions aimed at understanding whether a compliance program is merely “paper compliance” or is truly being implemented effectively.
We will focus on some of the questions that we believe (and have been advocating for a long time) are those where companies should concentrate their efforts if they really wish to move the Compliance needle forward.
Ten tips based on the questions raised by the Criminal Division of the US D.O.J.:
- Risk assessment:
  - What methodology has the company used to identify, analyze and address its particular risks, taking into account industry sector, location, market, business partners and third-party relationships?
  - Are the risks reviewed periodically, and are resources dedicated to monitoring risky areas?
- Compliance policies and procedures:
  - Were management and the business units involved in the creation of the policies, or are they rather a copy-paste of common industry materials?
  - What effort, if any, is the company making to monitor the implementation of the policies?
  - What is the company doing to communicate policies and procedures and to ensure they are available to employees without linguistic barriers? Do employees really understand what the policies and procedures are about?
- Training and communication:
  - Is the training effective, tailored in form and content to different audiences, and designed on the basis of risk and relevant control areas, or is it rather a cheap online repository of corporate rules?
  - Is the training based on practical, real-life examples from the industry that all employees can easily understand, or is it just legal jargon about crimes, whether or not they apply to the company?
  - Is the impact of training being measured? How? What resources are spent on training and communication?
- Reporting and investigation:
  - Is there a complaint process that all employees can truly trust without fear of retaliation? Are whistleblowers safe, and is the reporting channel really confidential, or is it the mobile number of the Compliance Officer or the email of a Director’s personal assistant?
  - How does the company ensure that employees and third parties know about the reporting channel?
  - Is there an investigation process in place, and are investigation results adequately reported to the highest level for accountability?
  - Are investigation and reporting adequately funded, with resources that ensure information is collected and analyzed for an effective review of weaknesses in the Compliance System?
- Third-party management:
  - Are adequate controls in place to ensure that third parties also comply, or is there just a checklist that no one ever reviews?
  - Is the third-party risk analysis really integrated into the purchasing and procurement system, or is it just legal wording ensuring that audits can be carried out, but they are never ever…?
  - Does the company track red flags and make sure that companies that fail the due diligence test are not hired, or re-hired at a later date?
- Leadership and commitment:
  - What specific actions have senior leaders taken to demonstrate leadership in the company’s compliance? Have managers at any time encouraged or tolerated compliance risks for better business results?
  - What compliance expertise is available on the Board of Directors (BoD)? Is outside independent compliance expertise available to top management or the BoD?
  - Do senior management and the BoD review the compliance program from time to time and gather evidence of its effective implementation?
  - Where is the compliance function housed, and to whom does it report? Does it work with sufficient autonomy? Does it report directly to the BoD?
  - How does the Compliance Function compare, in terms of seniority, compensation level, reporting lines, structure and resources, to other strategic functions?
  - What role does the compliance function play in strategic and operational decisions?
  - Do compliance staff have adequate experience and qualifications for their roles and responsibilities?
  - Is there sufficient staff for compliance efforts to be sustained over time?
  - Is the company outsourcing some of the compliance functions to external experts?
- Incentives and disincentives for compliance:
  - Are there any bonuses or rewards for improving the compliance system?
  - Are disciplinary measures applied consistently, or is misconduct sometimes treated as if nothing had happened?
- Continuous improvement and culture of compliance:
  - As under the ISO 19600 standard, continuous improvement is a landmark for the D.O.J.: How frequently is an internal or external independent audit performed on the compliance management system? Are audit reports reviewed by the BoD? Does the company perform any testing of its compliance controls?
  - Are the risk assessment and policies reviewed from time to time?
  - How does the company measure its “compliance culture”? Is input sought from middle management and employees?
- Remedial actions:
  - Is independent, expert investigation available when there is a need to identify system vulnerabilities or the causes of misconduct?
  - Are the investigations based on independent analysis of facts and findings?
  - Does the company analyze the causes of misconduct and improve its processes to prevent it from recurring in the future?
  - What changes and disciplinary actions has the company undertaken after misconduct? What actions have been taken with vendors if they were involved in the misconduct?
Legal Compliance has longstanding expertise in reviewing, assessing and evaluating compliance programs and in helping our clients ensure they are effective.