Now Is the Time for A Compliance Program Tune-up
9.21.21
COVID-19 and, now, the Delta variant have seemingly impacted every phase of modern work life. Compliance and ethics programs are certainly no exception. Remote work and related operational disruptions have caused companies to rethink their compliance operations to meet the needs of employees and the organization. These new considerations also coincide with last year’s updated compliance program guidance interpretations issued by the U.S. Department of Justice. Together, these influences present an opportunity to enhance the effectiveness of your organization’s compliance and ethics program.
Report Demonstrates Compliance Issues
In a recent global survey by LRN Corp. of over 640 ethics and compliance professionals working at organizations with a minimum of 1,000 employees, 80% of the respondents “reported that ethics and compliance considerations played an important role in shaping their organization’s response to COVID-19 challenges.” Also, 85% of those surveyed “answered that leaders responded to the challenges in a way that is consistent with the company’s purpose and values.”
However, only about half of the respondents noted that they customized training and communication to address risks specific to COVID-19, such as remote work cybersecurity threats. In addition, 67% expect COVID-19 to increase the difficulty of conducting investigations.
New Challenges Call for a New Approach
Responding to changing risk profiles and new operational challenges must now be incorporated into compliance programs for them to be deemed “effective” according to the DOJ’s updated guidelines for evaluating corporate compliance programs.
Most companies have had compliance and ethics programs for decades. These programs serve a number of useful purposes, not the least of which is helping a company maintain and enhance an ethical business culture that prioritizes legal compliance. Effective compliance and ethics programs can have the added benefit of reducing criminal sentences should the organization be in the crosshairs of criminal charges.
In June 2020, the DOJ released its updated guidance to its prosecutors instructing them on how to evaluate compliance and ethics programs when making charging and sentencing decisions. In light of this latest guidance document and new risks caused by COVID-19, the same old compliance approach in place for years may not be enough to be deemed effective by today’s prosecutors.
Guidelines Present Helpful Framework
Companies should use these guidelines as a framework for reviewing and updating their programs, before a prosecutor asks the tough questions in connection with a criminal matter.
For 30 years, corporations convicted of federal crimes such as fraud, environmental violations and antitrust offenses have been sentenced pursuant to guidelines promulgated by the U.S. Sentencing Commission. The commission is a bipartisan, independent agency with the directive to reduce sentencing disparities, and to promote transparency and proportionality in criminal sentencing. In 1991, the commission published its guidelines and policies that apply when a convicted defendant is an organization rather than an individual. The guidelines create a framework by which a criminal defendant organization is assessed a culpability score based on numerous factors. The culpability score is then used to determine the fine and other penalties.
For example, in fiscal year 2020, the average organizational fine was over $6.5 million, and the average restitution amount was over $7.7 million, with over 85% of the criminal defendant organizations sentenced to pay fines, restitution or both. The good news is that having an effective compliance and ethics program can result in credits that lower the culpability score, resulting in a reduced sentence. The credit is only available if the program is deemed “effective.” But what constitutes an effective program?
The guidelines establish two fundamental expectations for all organizations wishing to gain credit for their compliance and ethics program:
an organization shall—
(1) exercise due diligence to prevent and detect criminal conduct; and
(2) otherwise promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.
The goal is to have a program that is reasonably designed, implemented, and enforced, so that it is generally effective in preventing and detecting criminal conduct. In addition, the guidelines specifically note that the mere fact that there was a failure to detect or prevent an offense does not necessarily mean that the program is ineffective. It is worth noting that none of the organizations sentenced in fiscal year 2020 were deemed to have an effective program.
Specific Criteria
There are seven criteria an organization must meet to establish the due diligence and commitment needed to prevent and detect criminal conduct.
- The organization must have policies and procedures designed to prevent and detect criminal conduct;
- The company’s board or top authority shall be “knowledgeable” about the compliance program and exercise reasonable oversight over the compliance and ethics program;
- The company should ensure that those in leadership positions within the organization are qualified and do not have a history of inappropriate conduct;
- The organization shall have an effective training program that educates all levels of the organization, from board members to front-line employees, and also the organization’s agents;
- The organization should:
  - monitor and audit activities to detect criminal conduct and use the results to enhance the program; and
  - have several means, including anonymous reporting options, for employees and agents to report concerns and seek guidance without fear of retaliation;
- The organization should have consistent enforcement that encourages compliance and appropriately addresses noncompliance; and
- After criminal conduct is detected, the organization takes appropriate steps to prevent similar conduct in the future.
Three Basic Questions
Over the years, the DOJ’s Criminal Division has provided guidance to prosecutors to assist them in evaluating the effectiveness of compliance and ethics programs as they consider potential monetary and probationary penalties. While the guidance is intended for use by prosecutors, it serves as a useful road map for self-assessments on the effectiveness of compliance and ethics programs. The guidance instructs prosecutors to ask three basic questions about the compliance and ethics program when considering potential penalties:
- First, is the program well designed?
- Second, is the program adequately resourced and empowered to function effectively?
- Finally, does the program work well in practice?
These three questions are particularly germane as companies adjust to new threats and challenges presented by COVID-19. While each organization’s situation is different, the following considerations and action steps could help convince a prosecutor that your company’s compliance and ethics program is effective.
Is the Program Well Designed?
Evaluate your company’s typical business operations to understand the most likely criminal risks and related policies to address those risks. Also ask how COVID-19 may have altered these risks. For example, is there less actual managerial oversight of employees working remotely? Are fewer individuals involved in transactions, reducing segregation of duties? Have pandemic-related shortages created incentives to adjust relationships with vendors and suppliers? Are there new business challenges creating incentives for employees to cut corners?
After surveying the potential risk and relevant policies, your organization should then confirm that it is periodically training all employees on the company’s compliance expectations and policy requirements. You should ask questions like: Have training programs been updated to address new threats and policy considerations associated with COVID-19 operational adjustments?
You should also confirm that the company has well publicized its reporting options, which should include in-person, phone and web reporting options. The company should clearly and repeatedly emphasize that reports can be made anonymously, and that retaliation for reporting good faith concerns is strictly prohibited. These communications tools should be adjusted to address employees working in remote or hybrid work settings.
A well-designed program also ensures that employees conducting investigations are trained on the importance of prompt, thorough investigations. Have investigators been trained on conducting investigations via video meetings and conference calls rather than face-to-face interviews? Additionally, effective programs have proper oversight of third-party relationships to ensure that business partners and others acting on the company’s behalf understand and comply with the company’s compliance and ethical expectations.
You should confirm that there is a record of communicating the expectations as part of the bid process and ongoing communications with third-party agents. Any actual knowledge of potential issues should be promptly addressed.
If the organization engages in acquisitions of other companies, then it should have an established due diligence process to identify potential compliance concerns and unique risks associated with the targeted company.
Is the Compliance and Ethics Program Adequately Resourced and Empowered to Function Effectively?
Is your top leadership — i.e., the board or other governing entity — engaged and supportive of the program? Those responsible for managing the compliance and ethics operations should periodically report on their activities to the top leadership. This often includes reports on the types of issues raised, the overall results of investigations and important trends that should be addressed.
It may also be beneficial to have top leadership address the importance of compliance and ethical behavior during the disruptions caused by the pandemic.
The compliance and ethics function should have adequate staff and funding to serve as a resource for all employees regarding compliance expectations and the necessary staff to investigate issues promptly and thoroughly. COVID-19 has stretched resources thin at many companies. Companies should confirm that the compliance functions are working as efficiently as feasible with the resources available.
Moreover, the compliance and ethics function should be managed by an employee with sufficient authority and rank in the organization to raise issues with the top leadership and the board directly, as warranted. The company should maintain a database of issues investigated and outcomes to establish that the company takes prompt remedial action as needed to prevent repeat offenses.
Does the Program Work in Practice?
Companies should maintain records on the program activities, including training records, awareness campaigns and policy updates. Company records should also demonstrate that all concerns raised were tracked and promptly investigated, and that all outcomes were reviewed to ensure consistency in remedial action.
Your organization should consider utilizing data analytics to pinpoint possible concern areas, as well as to ensure ongoing compliance status. Compliance with meals and entertainment policies, as well as vendor management and billing, are ideally suited for advanced analytic tools that monitor continuous compliance.
The compliance and ethics program should be reviewed on a periodic basis with an emphasis on continuous improvement, especially as risks evolve and new compliance risks stemming from COVID-19 and the Delta variant develop.
Your company might want to consider surveying employees to determine their understanding of the compliance and ethics program. This takes on greater importance as remote employees have fewer chances to learn from other, more experienced employees about the company’s ethical standards and expectations.
The company may want to engage its internal audit group to conduct risk-based audits to confirm compliance and effectiveness of the internal controls.
Conclusion
Compliance and ethics programs can support company culture and promote overall sustainability, particularly as businesses evolve to succeed during a pandemic. While there is no one-size-fits-all program, there are many steps an organization can take to put itself in the best position possible. Establishing clear objectives and solid fundamental management systems will also provide evidence that the program is effective should the organization come under prosecutorial scrutiny.
This article was originally published by Law360 on September 20, 2021.
Related People
- Raymond W. Perez, Of Counsel