Your Compliance Program Looks Good on Paper, but What Does it Do?

New DoJ Guidance on Evaluation of Compliance Programs Emphasizes Results

The persistence of sexual harassment and corporate scandals graphically illustrates the limitations of "check the box" ethics and compliance programs. Clearly, even those that may feature all the essential components—training, policies, code of conduct, audit, hotline—can lack traction when it comes to preventing or dealing with misconduct, particularly at the senior levels.

The Criminal Division of DOJ published expanded guidance discussing the factors prosecutors should use to determine whether a company under investigation for misconduct will be regarded as having an effective compliance program.

The April 30 guidance builds on and expands the DOJ’s February 2017 list of questions and criteria for corporate compliance programs, and correlates closely with LRN’s research into the differences between high-impact and low-impact ethics and compliance programs.

The new guidance makes clear “[p]rosecutors are instructed to probe specifically whether a compliance program is a paper program or one implemented, reviewed, and revised, as appropriate, in an effective manner.” The guidance instructs prosecutors to “assess whether the company has established policies and procedures that incorporate the culture of compliance into its day-to-day operations. “ 

In other words, does the program actually work, and is it operationalized throughout the organization? 

The DoJ guidance starts with three fundamental questions prosecutors should ask about all programs:

1. Is the corporation’s compliance program well designed?

2. Is the program being applied earnestly and in good faith…is the program being implemented effectively?

3. Does the corporation’s compliance program work in practice?

The guidance emphasizes impact as the key criteria determining program effectiveness. For example, with respect to training, it instructs prosecutors to examine whether a program is “disseminated to, and understood by, employees in practice (emphasis added) in order to decide whether the compliance program is truly effective.”   

The guidance gets granular by further instructing prosecutors to assess “whether the company has relayed information in a manner tailored to the audience’s size, sophistication, or subject matter expertise”  when evaluating training.

It makes clear prosecutors must evaluate if a company “has engaged in meaningful efforts to review its compliance program and ensure that it is not stale. Some companies survey employees to gauge the compliance culture and evaluate the strength of controls, and/or conduct periodic audits to ensure that controls are functioning well.“

Specifically, evaluating ethical culture as part of program improvement is no longer optional.  Prosecutors are instructed to ask: “How often and how does the company measure its culture of compliance? Does the company seek input from all levels of employees to determine whether they perceive senior and middle management’s commitment to compliance? What steps has the company taken in response to its measurement of the compliance culture?"

The guidance’s emphasis on results, outputs and operationalizing compliance programs is consistent with our research. LRN has pioneered the evaluation of E&C programs based on how they impact their organizations' operations, and not whether they satisfy a checklist of criteria.  

LRN’s 2019 Program Effectiveness Report identified five key characteristics of E&C programs that produce results and permeate their organizations. High-impact programs:

  • Go beyond meeting regulatory requirements to emphasize ethical behavior. High-impact, values-based programs make it easy for employees to "do the next right thing, rather than the next thing right," and act ethically as well as legally.
  • Directly affect business decisions. Such programs are embedded in business operations, not merely codified in a set of elaborate, hard-to-read rules.
  • Permeate their organizations and stakeholder groups. In these organizations, senior leaders, middle managers, and boards of directors are engaged in the prevention of misconduct. The function is not left primarily to lawyers or E&C staff.
  • Take concrete steps to drive ethical behavior, outscoring other programs by a wide margin. They embrace accountability even when it means holding senior leaders or successful performers accountable.
  • Take a proactive and comprehensive approach to managing risk. Consistent with their emphasis on embedding E&C into the workflows of the organization and decision-making of employees, these programs do a better job of analyzing and mitigating risk to prevent misconduct.

LRN's research demonstrates conclusively that operationalizing ethics and compliance in every phase of business decision-making enables leaders and employees to think and act based on shared values, rather than on short-term expediency or minimum legal requirements. 

Not surprisingly, these programs also reflect the spirit and the letter of the DOJ program evaluation criteria. 

Click here to read LRN’s 2019 Program Effectiveness Report.


About the Author

Susan Divers

Experienced Ethics and Compliance Executive. Senior Advisor at LRN

More Content by Susan Divers
Previous Post
LRN’s David Greenberg and Tom Fox Go Deep on Board Oversight of E&C in a 5 Part Podcast Series
LRN’s David Greenberg and Tom Fox Go Deep on Board Oversight of E&C in a 5 Part Podcast Series

This special podcast series, "Across The Board", explores LRN's latest research report on board oversight a...

Next Tweet

Why do BOD’s have such a reduced understanding of C&E programs? How can a CCO overcome it? Find out in ...