Published June 4, 2020

Action Needed: New DOJ Updates Affecting Your Corporate Compliance Program

Late Monday afternoon, the U.S. Department of Justice (DOJ) Criminal Division issued updated guidance to its Evaluation of Corporate Compliance Program (Document), originally published in 2017 and last updated in 2019.

What You Need to Know

The Document is meant to assist prosecutors in making informed decisions as to whether, and to what extent, the corporation’s compliance program was effective at the time of the offense, and is effective at the time of a charging decision or resolution, for purposes of determining the appropriate (1) form of any resolution or prosecution; (2) monetary penalty, if any; and (3) compliance obligations contained in any corporate criminal resolution (e.g., monitorship or reporting obligations).

With these changes, the DOJ further strengthens its stance that Compliance Programs are not static, check-the-box activities. Instead, Compliance Programs must actively and effectively identify and address risk in real time for maximum protection.

Summary of Changes

PYA’s summary of updates to the Document follows. This summary is not intended as a substitute for the full DOJ language, and readers are encouraged to reference the Document directly for detailed information.

Introduction

      • The DOJ does not use a “rigid formula” to assess the effectiveness of a compliance program. A company’s risk profile is considered using various factors including, but not limited to, the company’s size, industry, geographic footprint, regulatory landscape, and other factors, both internal and external to the company’s operations, that might impact its compliance program.
      • A DOJ prosecutor may ask three “fundamental questions” when investigating a compliance program. The second question has been updated to specifically address whether the compliance program has been “adequately resourced and empowered to function.”
      • The DOJ may evaluate the compliance program at the time of the offense and at the time of the charging decision and resolution. Therefore, it may evaluate remedial actions that have been implemented subsequent to the offense to prevent further wrongdoing.

Risk Assessment

      • A risk assessment is the “starting point” for a prosecutor to determine whether the compliance program is well-designed. A company must demonstrate, via a documented risk assessment and evidenced follow-up, why the compliance program is structured the way it is and how it has evolved over time.
      • The periodic review of a risk assessment should not be limited to a “snapshot,” but rather should be based upon continuous access to operational data and information across functions. The periodic review should lead to updates in policies, procedures, and controls.
      • The company should have a process for tracking and incorporating “lessons learned” into its periodic risk assessment.

Policies and Procedures

      • The company should have a process in place for updating existing policies and procedures.
      • Policies and procedures should be available to all employees in a searchable format. The company should track access to various policies and procedures to understand what policies are attracting more attention from relevant employees.

Training and Communications

      • The company should appropriately tailor training and communications, including providing more targeted training sessions to enable employees to timely identify and raise issues to appropriate compliance, internal audit, and other risk management functions.
      • The company should provide a platform, online or in-person, by which employees can ask questions arising out of the trainings.
      • The company should have a process in place to address employees who are noncompliant with testing thresholds.
      • The company should evaluate the extent to which the training has an impact on employee behavior or operations.

Confidential Reporting Structure and Investigation Process

      • An anonymous reporting mechanism should be available to employees and other third parties.
      • The company should take measures to test the effectiveness of the hotline and whether employees are aware of the hotline and feel comfortable using it.

Third-Party Management

      • The extent and need of third-party due diligence may vary based on the size of the company; however, the company must know the business rationale for needing the third party in the transaction, and the risks posed by third-party partners, including the third-party partners’ reputation and relationships, if any, with foreign officials.
      • The company should engage in risk management of third parties throughout the lifespan of the relationship, not only during the onboarding process.

Mergers and Acquisitions (M&A)

      • A process for timely and orderly integration of the acquired entity into existing compliance program structures and internal controls should be included for all M&A.
      • As part of the due diligence process, a company should successfully complete pre-acquisition due diligence, and reasons for failure to do so should be documented.
      • Post-acquisition audits to assess the implementation of compliance policies and procedures should be performed at newly acquired entities.

Compliance Resources

      • The compliance program should be adequately resourced and empowered to function effectively. A well-designed compliance program may be unsuccessful in practice if implementation is lax, under-resourced, or otherwise ineffective.
      • Commitment by senior and middle management fosters a culture of ethics and compliance with the law at all levels of the company.

Compliance Structure

      • The company should be able to provide the reasons for the compliance function’s current reporting structure (e.g., to the Board, Chief Executive Officer, General Counsel, etc.).
      • The company should demonstrate how it invests in further training and development of the compliance and other control personnel.
      • Compliance and control personnel should have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls, and transactions. If impediments exist that limit access to relevant sources of data, what is the company doing to address the impediments?

Incentive and Disciplinary Measures

      • The compliance function should monitor its investigations and resulting discipline to ensure consistency.

What You Need to Do

  1. Review the Document in its entirety here and evaluate your current compliance work plan to determine necessary changes.
  2. Immediately incorporate changes to your compliance plan to address areas that are deemed to be high-risk for your facility based on your organization’s risk tolerance.
  3. Incorporate the changes outlined in the Document into your risk assessment.
  4. Engage with a Virtual Compliance Assistance Partner if you need help assessing or implementing changes to your compliance program.

How PYA Can Help

PYA compliance consultants combine regulatory expertise with practical experience in healthcare organizations to assist clients with evaluating the effectiveness of their compliance programs. We are able to provide a customized approach to assist you and your organization with addressing changes triggered by the DOJ’s updated guidance.

If you would like more information about any matter involving compliance, valuation, or strategy and integration, contact one of our PYA executives below at (800) 270-9629.

Executive Contacts
