Developing an Effective Compliance Program
Any program deemed effective is a leading indicator that an appropriate "tone at the top" exists at the company.
January 29, 2020 at 01:38 PM
The urgency for companies to maintain effective compliance programs has never been greater. Civil liability exists for boards of directors that fail to exercise appropriate oversight of compliance, while substantial benefits are afforded to companies that implement compliance programs deemed "effective."
In its April 2019 Guidance Document entitled "Evaluation of Corporate Compliance Programs," the Department of Justice (DOJ) submits that its evaluation of compliance programs is premised on three questions: (1) Is the program well designed?; (2) Is the program implemented effectively?; and (3) Does the program work in practice? Positive answers to these questions could prompt DOJ to refrain from charging a company for unlawful conduct or to propose a settlement with penalties substantially reduced from what would be offered absent the existence of an effective program. Needless to say, any program deemed effective is a leading indicator that an appropriate "tone at the top" exists at the company.
Is the Program Well-Designed?
In determining whether a compliance program is well-designed, a threshold question is whether the program was crafted in conjunction with a risk assessment. Assuming it was, succeeding questions are: (1) whether the company's policies and procedures were tailored to those risks identified, and (2) whether appropriate training and communication about the program occurs within the company and, where relevant, with agents and business partners. Since businesses and markets change, a company should also be positioned to demonstrate that its program is not static but evolving as circumstances warrant, for example, where a company enters new markets or where corrupt schemes that circumvent existing controls are identified.
In conducting assessments, compliance departments will ideally conduct a comprehensive analysis of the company's risks. This typically entails scrutiny of the company at all levels with consideration given to historical mishaps (e.g., regulatory matters and adverse civil judgements) and the experiences of competitor companies. The entire process is painstaking and deliberative, and the final product may be a lengthy document listing specific risks along with a ranking of their likelihood of occurrence.
While DOJ's emphasis on compliance is often discussed in the FCPA context, the 2019 Guidance applies to matters beyond the FCPA. Thus, a program focused extensively on bribery will not protect a company that has violated the False Claims Act or environmental laws. Similarly, as bribery laws have evolved globally, a program focused on preventing the corruption of government officials will miss the mark if its employees engage in commercial bribery, which is also prosecuted by the DOJ.
A company's ability to preserve business communications is a component of a well-designed program. Given the prolific use of messaging applications worldwide, this is an ongoing challenge. While many companies require employees to utilize authorized systems for workplace communications, the use of developing technology to capture and surveil such communications might be important.
Finally, a critical component of a well-designed program is the existence of a confidential reporting structure to report allegations of wrongdoing. Another expected component of an effective compliance program for a company of scale is data analytics, though determining what to analyze can be daunting. For example, a program regulating charitable contributions might compare the number of approved contributions to the amounts actually contributed. Similarly, a robust process for vetting and monitoring third party agents and business partners would look for excessively high commissions or discounts.
It may be challenging for a company to commit the resources required to implement an effective program. A review of the amount of penalties and forfeitures imposed for unlawful conduct might be advisable, as might a review of the monies companies save when experienced investigators halt complicated schemes involving corrupt employees defrauding their employers.
Is the Program Implemented Effectively?
The focus here is whether the company's compliance program is merely a "paper program" stored on a shelf or one that is robust and evolving. In making this assessment, an analysis of whether sufficient resources are deployed, as well as the types of training programs utilized, should be considered. For example, the following questions might be posed: Is there a sufficient budget allotted to compliance? To whom do compliance personnel report? Is senior management involved and if so, how? Are personnel experienced and qualified for the positions they fill?
DOJ's views here have also evolved. When compliance programs were in their infancy, the DOJ was fairly accepting of Chief Compliance Officers having little formal compliance experience. Now, DOJ's expectations are that those filling important compliance roles have the education and experience commensurate with the duties required.
In reviewing management's involvement, DOJ might seek to determine what concrete actions management has taken to support the company's compliance and remediation efforts. Senior management's involvement often underscores the seriousness of the undertaking and presents a positive "tone from the top." Relatedly, the government will assess whether the company incentivizes employees to act in conformity with its policies and procedures and whether discipline is consistently imposed across the organization when violations occur. Whether compliance performance is a metric for compensation decisions is also a potential inquiry. For boards of directors, a pertinent inquiry is whether they have held executive sessions with those in Compliance and whether they have reviewed pertinent materials in performing their oversight role.
Does the Program Work in Practice?
The fact that misconduct occurs does not require a program to be assessed as ineffective. However, the manner in which a company detects and remediates misconduct warrants close attention. If misconduct was identified by the program and appropriately remediated, indications may be that the compliance program is working as planned. Whether a "root cause" exercise was undertaken and whether the resulting remediation included steps to minimize the likelihood that the misconduct would occur in the future will be reviewed. In terms of detection, how the misconduct was investigated (and by whom), how and to whom the results were reported along with any disciplinary measures imposed may be important. Similarly, whether the program has remained static or has been improved and tested over time is an important factor in determining whether the program is actually working.
Conclusion
The absence of a regulatory investigation does not obviate the need for a robust compliance program. An effective program has substantial collateral benefits, including the development of a culture of compliance and the reduction of overall risk. While no single feature of a compliance program is absolutely necessary to be deemed effective, those in board rooms and C-suites should be focused on implementing features of a compliance program that are best suited for the companies they lead.
Christopher Favo is the Director of Investigations and Risk Mitigation, Ethics and Compliance at Arconic Inc. in Pittsburgh, PA. Previously, he served as a Supervisory Special Agent and Attorney in the Office of Integrity and Compliance at the Federal Bureau of Investigation. Mike Considine is a former supervisory federal prosecutor in the U.S. Attorney's Office for the Eastern District of New York, the co-head of litigation at Seward and Kissel and has been retained as a federal monitor for companies resolving regulatory matters in different industries, including healthcare and financial services.