Recent days have convincingly demonstrated the importance of the board’s risk oversight obligations, as the impacts of the COVID-19 pandemic spread and cascaded globally. Under the In re Caremark International line of cases, the board should be aware of the types and magnitudes of the principal risks facing the company, especially in the regulatory sphere, and should assess the company’s risk management policies and procedures that are designed to mitigate those risks. The directors also should satisfy themselves that these policies and procedures have been designed and are being implemented effectively and in keeping with the company’s strategy.
As an integral part of their risk assessment oversight, directors should consider whether the company’s programs and compliance systems would be considered effective if the government were to arrive in the lobby, alleging that the corporation has engaged in wrongdoing. Under federal sentencing guidelines, the existence of an effective compliance program can significantly reduce the punishment imposed on a corporation if its employees were found to have broken the law.
The Department of Justice (DOJ) recently updated its guidance on evaluating corporate compliance programs, and boards should consider this updated guidance in evaluating their own compliance programs. In earlier versions of the guidance, the DOJ posed three “fundamental” questions to ask when evaluating a corporate compliance program: Was it well-designed, was it being implemented, and did it work? The updated guidance refocuses the second question, asking whether the program was “adequately resourced and empowered to function effectively.” In particular, the guidance encourages investing in “further training and development of compliance and control personnel” and providing them with more timely and direct access to company data.
The DOJ has long criticized “paper programs” as well as those that grow stale over time. Prosecutors have expressed concern that companies adopt compliance programs and then ignore them until serious misconduct takes place. The updated guidance makes this point, reminding companies that prosecutors evaluate programs “both at the time of the offense and at the time of the charging decision and resolution.” The DOJ has a special unit, the Strategy, Policy & Training Unit (SPT), that assists prosecutors who are considering sanctions against the corporation by evaluating the adequacy of the corporate compliance programs. Companies seeking to resolve allegations of misconduct will often meet with the SPT and describe the significant improvements made after discovery of the misconduct. In response, the SPT repeatedly emphasizes that it evaluates the strength of a compliance program at the time of the misconduct. While improvements after the fact are viewed positively, the SPT is focused on why a company’s compliance program did not function effectively in the first place. The experiences of this unit are most likely an impetus behind this and other key updates to the guidance.
The updated guidance also adds a number of questions for prosecutors to ask when evaluating the effectiveness of a company’s compliance program. Although framed as questions, the clear message is that companies and their boards should be focused on addressing the specific issues that are at the heart of the questions. These questions focus on several key areas:
More Frequent Risk Assessments: Prosecutors should evaluate whether a company has limited its risk assessments to a “snapshot” in time or has implemented a continuous review that utilizes current operational data and information gathered from across all of the company’s functions. Additionally, the guidance notes that compliance personnel should incorporate lessons learned from “other companies operating in the same industry and/or geographical region.”
Integration of Acquisitions: Past versions of the guidance discussed the importance of comprehensive pre-acquisition due diligence. The revised guidance emphasizes post-acquisition diligence and integration, recommending “a process for timely and orderly integration of the acquired entity into existing compliance program structures and internal controls.”
Enhanced Employee Access to Policies: The DOJ recommends that employees be able to access policies and procedures in a searchable format. The guidance also encourages a company to track which provisions are most often searched so that it may identify areas that might require more attention or training.
Training Improvements: The updated guidance suggests that employees be able to raise questions that may come up during training, whether performed in person or online. The revisions also direct prosecutors to consider how a company evaluates the effectiveness of its training program, including how it addresses employees who fail any portion of a test conducted at the end of a training session.
Confidential Reporting Mechanism: In addition to making sure its employees are aware of and comfortable using its anonymous reporting mechanism, the revised guidance encourages a company to publicize the mechanism to third parties. The revised guidance also asks how frequently a company tests its anonymous reporting mechanism, including by tracking a report from its start through its resolution.
Third-Party Management: The new guidance also notes that a company should engage in risk management of its third parties “throughout the lifespan of the relationship,” not just during the onboarding process. Also, the new guidance recommends documenting the business rationale for a third-party relationship, not just the company’s investigation into that third party’s reputation and past dealings.
As boards consider their risk oversight obligations in the current environment, the guidance from the DOJ is an important resource to which the directors should look. While the board’s risk oversight is intended to prevent violations of company policies and applicable laws, if a violation does occur, the existence of a compliance program that follows the federal guidelines can significantly mitigate the potential harm to the corporation. As such, directors should understand and adopt, where practicable, the DOJ guidelines.