A new administration means a new round of questions about how certain federal agencies will handle compliance and enforcement efforts.

As part of the Department of Justice’s Compliance Initiative, the DOJ Fraud Section recently published “Evaluation of Corporate Compliance Programs,” offering further detail about how DOJ will analyze compliance programs in the context of business investigations.

In the memo, the Fraud Section sets forth the framework for the inquiry it will make whenever there is an investigation into allegations of corporate misconduct. This framework includes over six pages of “Sample Topics and Questions” covering eleven different compliance-related areas. In-house counsel and compliance officers will want to carefully consider all of these topics long before the company is under investigation.

  • Analysis and remediation of underlying misconduct. The DOJ will want companies to identify the root cause of the problem, and what systemic issues were identified in the course of the investigation. Companies should also address whether or not there were prior opportunities to detect the problem and if red flags were missed. Has the company made specific changes to ensure that similar problems won’t occur in the future? The in-house team should ensure appropriate remediation steps are being taken, because the DOJ will ask about them.
  • Senior and middle management. Conduct at the top is critical in the DOJ’s analysis of a company’s compliance programs. Did senior leaders, through both words and actions, actively discourage the type of misconduct in question—and was this communicated throughout the company? Was the behavior of senior leadership adequately monitored? How has the company’s board of directors been involved in oversight and compliance efforts?
  • Autonomy and resources. In addition to the conduct of senior management, the compliance staff’s role and actions must be reviewed. Identify if they were involved in training and decisions relevant to misconduct. Take a look at the professionals in charge of compliance as well. Do they enjoy comparable stature, rank/title and compensation as other decision-makers in the company? Do they have the appropriate qualifications for their jobs? Finally, examine the question of compliance autonomy, and whether or not compliance professionals have a clear, direct line of communication to the board of directors. An appropriately funded and empowered compliance department will serve the company, both in preventing problems and mitigating the damage should issues arise.
  • Policies and procedures. The DOJ promises to examine the nuts and bolts of the company’s compliance program—the policies in place, the protocol for administering those policies, and the training that takes place to ensure compliance. Again, the company will need to provide a clear, precise explanation as to where, why, and how the process broke down.
  • Risk assessment. How has the company gathered and analyzed information about the compliance risks it faces? And how has that information been employed in its compliance program?
  • Training and communication. As the old saying goes, a chain is only as strong as its weakest link. So compliance efforts must take place throughout the organization. The DOJ will ask about employee compliance training, as well as how the company communicated its compliance expectations to rank-and-file employees.
  • Confidential reporting and investigation. With these questions, the DOJ will seek to determine that a company has appropriate mechanisms in place to receive reports of wrongdoing and investigate those claims.
  • Incentives and disciplinary measures. Company officials need to ensure that disciplinary actions are applied consistently across the organization. Any disciplinary action should be carefully tracked and reported. Also, are there workplace incentives in place to reward compliance and ethical behavior?  
  • Continuous improvement, periodic testing, and review. These questions relate to a company’s internal auditing processes. The DOJ will seek to identify what audits were conducted and what they reported. DOJ officials will also want to see that the company’s compliance program has been regularly updated and evaluated.
  • Third party management. If the company employs third party management, be prepared to answer questions about why and how this management was implemented, and whether or not third party managers were appropriately incorporated into the company’s compliance program.
  • Mergers and acquisitions. If the company has taken part in a merger or acquisition, the DOJ will want to know if misconduct was unearthed during the due diligence process. If so, how were those problems remediated?

These areas of emphasis focus on separating the “real” compliance programs from those that exist merely on paper (or only in someone’s mind). The new DOJ guidance recognizes that a “one size fits all” approach is unworkable in this context; the inquiry into these areas will be customized based on factors such as the facts at issue, the particular industry, and the type and size of company.

The publication of this framework after earlier comments made by DOJ Compliance Counsel Expert Hui Chen foreshadows what is likely to be an increasingly data-driven analytics-style approach to the evaluation of corporate compliance programs.

The new guidance not only gives compliance officials information about what the evaluation process of a compliance program will look like and what the likely areas of inquiry will be, but also provides a road map for a company to set up a robust compliance program – one that could more quickly uncover any “root causes” of misconduct and/or more effectively address any allegations of misconduct during an investigation.