Compliance officers, it is time to rejoice, reflect and re-educate. We should rejoice because the U.S. Department of Justice just issued a guidance document that unequivocally supports our role, especially in places where we’ve had trouble making a case with specificity (e.g., resources). We should reflect on our programs because there are seriously high expectations for risk assessments, program evaluations, planning and tracking metrics, and integration with other functions. And we should re-educate our leaders about the criticality of the independence of our function, the requirement to fund it correctly, and the need to provide it with access to the Board and/or Audit Committee.
The Evaluation of Corporate Compliance Programs Guidance Document (“Guidance”) is structured into questions that a prosecutor will ask to evaluate the effectiveness of the company’s compliance program – both before an incident occurs and after an incident is known. These questions give answers – they show what the DOJ thinks is important in an effective compliance program. Here are 10 critical musts that compliance officers need to know from the DOJ’s new Guidance.
1. Compliance MUST be Properly Resourced
There can be no doubt that a major factor in the evaluation of a compliance program is this: Is the compliance department properly resourced? The word “resource” appears 21 times in the 18-page document. The compliance program must be properly resourced with staff and budget. Twice the Guidance states that the compliance function must have the resources to be able to “audit, document, analyze and act.” Importantly, one of the questions prosecutors are to ask is, “Have there been times when requests for resources by compliance and control functions have been denied, and, if so, on what grounds?” It is critical that you explain the DOJ’s approach to resourcing the compliance department to your board of directors and C-Suite. They need to know how thoroughly that resourcing will be analyzed if there were a prosecution. Speaking of the Board…
2. Compliance MUST have Independent Access to the Board of Directors or Audit Committee
The Guidance leaves no wiggle room for this: Compliance MUST have independent access to the board of directors or audit committee. ..