Earlier this month, the U.S. Department of Justice published an update to its “Evaluation of Corporate Compliance Programs”. Danish companies with ties to the United States should review their corporate compliance programs and consider conducting a gap analysis to assess whether those programs follow the recommendations in the 2020 DOJ update. This newsletter provides practical guidance for companies wishing to conduct such a gap analysis.
The U.S. Department of Justice (“DOJ”) first published its “Evaluation of Corporate Compliance Programs” (“DOJ Framework”) in 2017. The DOJ Framework was updated in April 2019 and again in June 2020. The current DOJ Framework can be found here. The DOJ Framework provides guidance to prosecutors on how to assess the effectiveness of compliance programs. This assessment may impact a prosecutor’s decision on whether to bring charges and may also affect sentencing.
The 2020 update to the DOJ Framework emphasizes the importance of ongoing monitoring and continuous updates and improvements of the company’s compliance program based on the company’s risk profile and lessons learned. Other key elements are ensuring that the employees live and understand the compliance program and having this supported by both middle and top management. Compliance and control personnel must be educated and have access to necessary data and resources in order to keep the compliance program up to date.
Besides providing guidance to prosecutors, the DOJ Framework can also be used by companies to assess whether their corporate compliance programs meet the criteria set out by the DOJ.
The three main considerations
The DOJ Framework sets out three main considerations when assessing the effectiveness of a company’s corporate compliance program in relation to specific misconduct:
- Is the company’s compliance program well designed?
- Is the company’s compliance program adequately resourced and empowered to function effectively?
- Does the company’s compliance program work in practice?
The DOJ must make a reasonable, individualized determination in each case that considers various factors, including the company’s size, industry, geographical footprint, regulatory landscape, as well as other factors, both internal and external to the company’s operations, that may impact the company’s compliance program.
Assessing the three main considerations
The DOJ Framework sets out a number of questions which are relevant for any Danish company wishing to conduct a gap analysis of its compliance programs to assess whether these programs meet the DOJ’s expectations.
Question (i): Is the corporation’s compliance program well designed?
When assessing whether the company’s compliance program is well designed, the following should be considered:
Compliance program and risk assessment
- Why the company has chosen to set up the compliance program the way it has, and why and how the compliance program has evolved over time;
- Whether the risk assessment is current and subject to periodic review, whether such periodic review is limited to a “snapshot” in time or based upon continuous access to operational data across functions, and whether the periodic review has led to updates in policies, procedures and controls; and
- Whether the company has a process for tracking and incorporating into its periodic risk assessment lessons learned.
Policies and procedures
- What the company’s process for updating existing policies and procedures is; and
- Whether the company’s policies and procedures have been published in a searchable way for easy reference and whether the company tracks access to various policies and procedures.
- Whether the company’s employees are able to ask questions during either online or in-person compliance training; and
- Whether the company has evaluated whether the training has an impact on employee behaviour or operations in general.
- How the reporting mechanism is publicized to not only the company’s employees but also to other third parties;
- Whether the company tests if employees are aware of the hotline and feel comfortable using it; and
- Whether the company periodically tests the effectiveness of the hotline.
Third party management
- Whether the company knows the business rationale for needing the third party in the transaction, and the risks posed by third-party partners, including the third-party partners’ reputations and relationships, if any, with foreign officials; and
- Whether the company engages in risk management of third parties throughout the lifespan of the relationship, or primarily during the onboarding process.
Mergers and acquisitions
- Whether the company has a process for a timely and orderly integration of the acquired entity into existing compliance program structures and internal controls;
- Whether the company was able to conduct pre-acquisition due diligence in order to detect any misconduct, and if not, why not; and
- What the company’s process has been for implementing compliance policies and procedures and conducting post-acquisition audits at newly acquired entities.
Question (ii): Is the corporation’s compliance program adequately resourced and empowered to function effectively?
When assessing whether the company’s compliance program functions effectively, the following should be considered:
- Whether there is a culture of ethics and compliance at all levels of the company;
- Whether there is commitment from both top and middle management to implement a culture of compliance in the company;
- What the reasons are for the structural choices the company has made;
- How (and if) the company invests in training and development of the compliance and other control personnel;
- Whether the compliance and control personnel have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls and transactions;
- Whether any impediment exists that limits access to relevant sources of data and, if so, what the company is doing to address the impediments; and
- Whether the compliance function monitors its investigations and resulting discipline in case of misconduct to ensure consistency.
Question (iii): Does the corporation’s compliance program work in practice?
When assessing whether the company’s compliance program works in practice, the following should be considered:
- Whether the company reviews and adapts its compliance program based on lessons learned from its own misconduct and/or that of other companies facing similar risks.
While the items to consider under each question cover a broad range of compliance initiatives, a number of the items focus specifically on whistleblower initiatives. As new whistleblower rules are on their way within the European Union, companies may wish to consider conducting a thorough review of their whistleblower initiatives, both in light of the 2020 update to the DOJ Framework and the new whistleblower rules.