Skip to content

Department of Justice: Evaluation of Corporate Compliance Programs Guidance Document

What's New/Significant

The Criminal Division of the Department of Justice released a guidance document for white-collar prosecutors on the evaluation of corporate compliance programs. The Guidance describes specific factors that prosecutors should consider in evaluating the effectiveness of corporate compliance programs. The Guidance is a follow up to a February 2017 Fraud Section guidance, and it broadens and provides greater clarity and specificity with respect to  how the Criminal Division should evaluate a company’s compliance program.

Rationale

The Guidance seeks to harmonize its recommendations with other DOJ guidance and standards while providing additional context to the multifactor analysis of a company’s compliance program.

Scope

The Guidance is built around three questions that the Criminal Division has frequently found relevant in evaluating a corporate compliance program. 

  • Is the program well-designed? 
  • Is the program effectively implemented? 
  • Does the compliance program actually work in practice?

Is the Program Well-Designed?

The Guidance recommends that a prosecutor’s evaluation of whether a company has a well-designed compliance program is to consider whether it includes the following elements:

  • Robust risk assessment and management process, with appropriately allocated resources
  • Policies and procedures that are risk-based, comprehensive, accessible and understandable
  • Training and communications that are tailored to audience size, sophistication and subject matter expertise; that include practical advice and real-life situations and scenarios; and that contain information about misconduct, investigations and related disciplinary actions
  • A confidential reporting structure and robust investigations process, staffed by qualified individuals and documented in an appropriate manner
  • Risk-based due diligence activities focused on ensuring that a company knows its third parties, has a robust business rationale for the third-party engagement and has implemented controls around the management of third-party relationships
  • Due diligence activities for acquisition targets
     

Is the Program Effectively Implemented?

The Guidance further instructs prosecutors to evaluate a company’s culture of compliance, including whether (i) the compliance program is a “paper program” or one implemented in an effective manner; (ii) whether there is sufficient staff to audit, document, analyze and utilize the results of the corporation’s compliance efforts; and (iii) whether employees are adequately informed of the compliance program, by assessing the following:

  • Demonstration of commitment to the compliance program by senior and middle management, including through conduct, messaging, shared commitment and oversight
  • Ability of compliance personnel to act autonomously and with authority to make decisions about how the compliance program is structured, implemented and resourced
  • Qualifications and experience of compliance personnel
  • Adequacy of funding and resources
  • Establishment of incentives and consistent disciplinary measures

Does the Compliance Program Actually Work in Practice?

The most difficult part of a prosecutor’s assessment is to determine whether a company’s compliance program was working at the time of the misconduct. To do that, prosecutors must evaluate a number of factors, including whether:

  • The compliance program had the ability to evolve, improve and change to address evolving risk and business activities
  • The audit plan focused on appropriate risks, control activities were appropriately tested and results were communicated to management and the board
  • The company measured its culture of compliance and took steps in response to such measures
  • Investigations were appropriately staffed and scoped, and remedial actions were taken to analyze root causes, system vulnerabilities and accountability