The DOJ’s recently announced update to its compliance program guidance reflects a growing global trend (see new guidance in Australia) of enforcement authorities focusing on compliance programs. Jacquelyn Pruet, formerly chief regulatory policy writer for the Texas Commission on Law Enforcement, offers a former regulator’s take on what it means to have an effective compliance program.
The DOJ’s recent update of its “Evaluation of Corporate Compliance Programs” guidance, along with Australia’s new guidance on foreign bribery prevention, has intensified the focus of global authorities on corporate compliance programs. Increasingly, the effectiveness of a company’s compliance framework is a critical factor in prosecutorial decision-making worldwide.
As regulatory landscapes shift and corporate environments become increasingly complex, it is essential for compliance leaders to ensure their programs are not only robust but also adaptable and genuinely remedial. Evaluating the evolution of a compliance program, its depth of root cause analysis and its responsiveness to findings is key to meeting these new standards.
The evolution of compliance programs
An effective compliance program must be dynamic, evolving in response to emerging risks and lessons learned. A compliance program is not a static entity but should be a living system that adapts as the company’s operations and the regulatory landscape change. The update to the DOJ guidance spells out more clearly than ever how compliance leaders should assess whether their organization’s program has been updated to address new or evolving risks, rather than simply existing in its original form. The DOJ says, “prosecutors should consider whether the company has engaged in meaningful efforts to review its compliance program and ensure that it is not stale.” It advises that organizations should be able to answer the challenge “Is the company’s approach … proactive or reactive?” It is also worth noting that, in the same guidance, federal prosecutors are instructed: “Prosecutors may reward efforts to promote improvement and sustainability.”
For instance, a company that initially developed its compliance program based on industry standards should be assessed on its ability to adapt to new regulations, technological advancements and changes in market conditions. Inability to evolve may reveal deeper issues within the company’s risk management strategy.
One effective way to demonstrate adaptation is by establishing the compliance program as a standalone department with direct access to the CEO and board of directors, akin to what legal, operations and human resources departments typically enjoy. A compliance program that proactively implements updates and adjustments reflects a strong commitment to continuous compliance and ethical practices.
Demonstrating meaningful adaptation involves a standalone department that has implemented a three-pronged approach: investigation, root cause analysis and behavioral modification.
Root cause analysis
While robust investigation departments staffed with properly accredited investigators are crucial, they should not be the sole focus of a healthy compliance program. Relying on investigations alone is like balancing on a pogo stick — it might work temporarily, but it is unstable and prone to frequent and recurrent issues.
According to the federal prosecutorial guidelines, a critical aspect of assessing a compliance program is the depth and honesty of its root cause analysis following an incident of misconduct. Root cause analysis should go beyond identifying what went wrong; it must explore why it happened and what systemic changes are needed to prevent recurrence. This involves having a data analysis team, ideally supported by skilled data scientists. Data analysis provides a more stable foundation than a program with only an investigation “leg,” sort of like having stilts for your compliance program. For this area to succeed, it must have direct access to the chief compliance officer or department leader. However, even this approach has limitations and cannot stand indefinitely without further support.
Behavioral modification
Effective root cause analysis demands a thorough examination of the underlying issues that allowed misconduct to occur. This may involve scrutinizing organizational culture, inadequate controls or lapses in oversight. Based on these findings, the compliance program should implement actionable steps, such as enhancing training programs, revising policies or strengthening internal controls. This introduces the third critical element — behavioral modification — which provides a solid foundation for the compliance program, like a stool that a company can confidently rest upon.
Behavioral modification requires specialized expertise in corporate change management. For corporations, this often involves tailored training programs, strategic communications and adaptive policies. However, even the best-designed training, communication and policy plans can fail without meaningful support from the executive team, extending through to frontline workers.
Just as you need qualified professionals to staff your investigation team and data scientists to manage data/root cause analysis, you also need seasoned corporate behavior modification specialists who understand how to implement and manage organizational changes effectively. These corporate change management experts should have a strong background in communication, executive training and policy and, if possible, also be legal experts.
This role is ideal not for a lawyer but for someone who understands how both the law and lawyers operate. Ideally the organization chooses someone who can work with the communications, training and legal departments while also handling executive messaging on the subject. For this role to succeed, there must be direct access to the chief compliance officer or leader of the compliance department, as well as access to the executives for whom they will be helping to create communication strategies.
A holistic approach
Ultimately, building a robust compliance program necessitates a holistic approach that considers both its evolution and response to past issues. Compliance leaders must look beyond checklists to evaluate how their programs address compliance risks substantively. A program that evolves and tackles root causes effectively demonstrates a genuine commitment to ethical behavior and legal adherence, which can influence regulatory decisions on whether to pursue charges or negotiate resolutions.
The DOJ has indicated that proactive compliance may not just help companies in ongoing investigations but can help them prevent future investigations altogether.
An effective compliance program is defined by its adaptability and its ability to drive meaningful change. This requires all three separate areas of the department to report directly to the chief compliance officer or compliance leadership. This helps ensure that a program is not merely one-dimensional (investigations only) and reactive but that it represents a sincere effort to uphold ethical standards (root cause analysis) and prevent future misconduct, focusing on a proactive approach (behavioral modification).
By taking a proactive approach, companies not only strengthen their corporate accountability but also enhance the integrity of the regulatory framework governing their business practices. None of the three key areas regulators expect to see in a compliance program are ideally staffed by lawyers.
Although a robust legal department is highly beneficial and can serve as a valuable partner to a compliance program, lawyers are not necessarily equipped with the specialized skills required for these areas.
When a company creates an independent compliance department and uses a three-pronged approach staffed by appropriately credentialed individuals, all supported by organization-wide buy-in and direct access to leadership, the company can establish a solid and dependable compliance program, ensuring stability in its compliance efforts and avoidance of regulatory interventions.