The US Department of Justice (DOJ) has announced plans to accelerate enforcement activity, while reaffirming its commitment to providing significant credit to companies that maintain effective corporate compliance programs. In this case, the assessment of effectiveness – conducted as part of corporate investigations and after corporate resolutions – closely follows the DOJ’s Evaluation of Corporate Compliance Programs1 (updated June 2020), which places the burden of proof on the company to establish that: 1) the program is well designed, 2) the program is adequately resourced and empowered, and 3) the program is effective as designed.
8 action items for your compliance program
Based on our experience helping companies optimize the design and enhance the efficacy of their compliance programs, we have summarized the following practical recommendations:
- Refresh your organization’s risk assessment methodology and risk profile. The sufficiency of an organization’s risk profile depends on the effectiveness of the methodology to identify, assess, and define risks, and should be continuously updated based on evolving risk factors.
- Evaluate the completeness and efficacy of compliance policies and procedures. Compliance policies should address the risks identified in the risk assessment and be easily understood and accessible to employees and relevant third parties.
- Provide effective training and communications. Compliance policies should be integrated into the organization through periodic, risk-based training for employees and relevant third parties.
- Assess your organization’s whistleblower mechanisms and speak-up culture. Employees of highly ethical organizations feel empowered to raise allegations of misconduct and seek guidance regarding compliance questions. Ethical organizations typically have an anonymous reporting mechanism for employees to report concerns.
- Empower the compliance program. Compliance personnel should have sufficient access to executive-level management and the board of directors and be viewed as a resource to the business.
- Provide adequate resources that are appropriately allocated to high-risk areas. Compliance programs should be appropriately funded and staffed with professionals who have relevant qualifications and expertise based on the organization’s risk profile.
- Assess the efficiency and effectiveness of investigations. Timely and appropriately scoped investigations should be conducted by qualified personnel. A thorough root cause analysis should be timely performed, and substantiated allegations should be appropriately remediated.
- Improve the compliance program over time. Compliance programs that work well in practice continuously improve by conducting root-cause analyses of substantiated misconduct, remediating identified gaps, and updating the program based on changing risks. Organizations should periodically test the efficacy of the compliance program, as designed, to be able to demonstrate that reliance upon it was reasonable.
Strengthen your compliance program
Organizations must actively assess their compliance programs and make impactful enhancements to build an ethical culture, prevent and detect potential misconduct, and meet regulatory expectations. CRA has deep experience evaluating compliance program frameworks and advising on the design and implementation of compliance program elements. We invite you to contact us or other members of our team to continue the conversation.
1Department of Justice – Criminal Division | Evaluation of Corporate Compliance Programs