Take 1: Amy Much

In our colleague Kirsten’s latest blog post, she noted Hui Chen’s take on the DOJ’s updated guidance on its Evaluation of Corporate Compliance Programs. While I always respect Ms. Chen’s opinion and bird’s eye view, I would offer a different, ground-level perspective.

Obsessing over best practices and compliance and ethics news and trends is what compliance and ethics professionals do. When the DOJ deigns to take the time to issue a written mandate, we sit up and take notice. And yes, we obsess, because if we don’t, who will?

On April 30, 2019, the DOJ released new guidance for the evaluation of corporate compliance programs. It is not a best practices guide, to be sure. We can all agree that it is not a set of standards that results in getting high marks on your compliance program. Nevertheless, the new guidance gives us more insight into the expectations of the DOJ and is an upgrade from the 2017 version, a list of “questions to consider” that stopped short of, and refused to call itself, “guidance.”

I also think we have to consider this: The DOJ put this out for a reason, and it’s not (only) for those facing criminal prosecution. Perhaps it is meant to encourage self disclosure by companies who are in a position where they should report wrongdoing to the DOJ — and it gives them a way to prepare to defend their compliance programs. Or, perhaps it is to offer companies a concrete way to show effective compliance.

Just as the U.S. Federal Sentencing Guidelines for Organizations act as the core component structure to every compliance program, regardless of industry, this guidance can help shape a new compliance program. Just look at the job postings on any given day: There are many, many companies who are just now starting an internal compliance program, or hiring a compliance professional dedicated solely to building and running compliance. Every compliance officer will strive for a best-in-class program, but it would be a rare case that, in the absence of a corporate monitor, a company would come out of the gate with a showering of resources to start a new compliance program. Very often, the task falls to one person to get it off the ground.

The harsh reality is that many compliance officers have to fight for resources – whether budget, headcount, or executive-level attention. No one wants to do the bare minimum, but having this guidance as a baseline to show leadership at least offers a starting point – especially if you are dealing with a situation where you are not getting the resources you need to run an effective compliance program.

Another way the guidance could be useful is to reprioritize where you are focusing your energies in your compliance program. I think, when the DOJ gives you a literal starting point, as a compliance officer, those are the bricks of your foundation. Examine your program by answering their three fundamental questions:

  1. “Is the corporation’s compliance program well designed?”
  2. “Is the program being applied earnestly and in good faith?” In other words, is the program being implemented effectively?
  3. “Does the corporation’s compliance program work” in practice?

Take 2: Andrea Falcione

In her article, Ms. Chen also criticized many companies’ policy efforts, specifically policy certifications. While certification cannot be the sole basis for answering any of the DOJ’s three fundamental questions in the affirmative, it can – and, from personal experience does — shape employee behavior. Of course, no policy certification will ever stop rogue employees from behaving poorly. There are bad people in the world — and in most companies — and bad people will do bad things, regardless of their companies’ efforts to stop them.

But the vast majority of employees are good people trying to do the right thing. And, sometimes, they make mistakes – myself included. A robust policy certification causes those employees to sit up and take notice — to pay attention to policy requirements when they may not always be top of mind. And, in my case, to recognize a personal failure, self report to my then-compliance department, and ultimately rectify a potentially catastrophic policy violation. It was a mistake I could have lost my job over. It was a mistake I never made again — and one I would not have even identified in the absence of that policy certification. So, despite Ms. Chen’s statement to the contrary, yes, certification does, in fact, change behavior. I’m living proof.