By Jeff Jensen and Salvador Hernandez
In thinking of the current corporate compliance landscape, I am reminded of the warning found on the side-view mirrors of automobiles: “Objects may be closer than they appear.”
Just as a convex mirror reduces the size of objects even as it expands the scope of our vision, corporate compliance programs often understate risk by being over-inclusive. Sometimes, the risk profile of the business—the mirror—is too broad and contains too much information, such that it is difficult for the eye to settle on the handful of things that are truly relevant. And as most of us realize, to worry about everything is akin to worrying about nothing. There must be an order, a priority, to corporate compliance; otherwise, thoughtful, intentional action descends into mere box-ticking.
Back in June 2020, the DOJ’s Criminal Division issued an updated guide to evaluating corporate compliance programs. The update provides a useful framework for how to avoid being overwhelmed by data and to identify the important things by evaluating programs the way a prosecutor would—from the outside in.
In evaluating compliance efforts, prosecutors begin with why: why is the program structured and designed the way it is? Does it reflect the company’s own risk assessments? And, crucially, does it demonstrate a continuous effort at self-improvement and self-evaluation? In other words, does the program change over time to incorporate best practices and lessons learned?
Prosecutors begin with why because it speaks to intent. Compliance programs that lack seriousness in their design signal to prosecutors that the company may not be addressing compliance in good faith—and that could have significant effects on the course of an investigation or litigation.
Next, prosecutors look at how. Once the risk assessments are carried out and the program takes shape at an abstract level, how has it been implemented? What are its policies and procedures? How have those been disseminated throughout the organization? No matter how well conceived a program may be, if it is not communicated to employees in an effective manner, the brilliance of its design is worthless. Communication is not limited to codes of conduct and mission statements, but is also grounded in practical business-unit guidance that can take the form of training and how executives set the tone from the top of the organization through regular and clear internal communications.
Finally, prosecutors look at the mechanisms in place to detect and report misconduct. There must be a well-known, reliable and confidential system in place for employees to file complaints without fear of retaliation. Equally important, once a complaint is lodged, how is it investigated? Prosecutors will evaluate the investigative arm of compliance programs based on their ability to investigate in a timely manner, to triage complaints that merit serious attention, and to resource investigations in a way that demonstrates a serious commitment to complying with the law.
Indeed, program resources are evaluated throughout the compliance lifecycle by prosecutors. So-called “paper programs”—those that are well-conceived but under-resourced—are often viewed as being no better than ill-designed programs. Resources reflect budgets, and budgets reflect priorities; therefore, prosecutors often view under-resourced programs as lacking seriousness.
Even well-designed, appropriately resourced programs can fail to detect misconduct. That’s why prosecutors who evaluate programs look for patterns. Certainly, programs need to demonstrate a track record of detecting misconduct—a program that does nothing but fail time and again is pointless; however, programs that show adaptability to changing risks profiles garner a lot of respect. In other words, it’s important that programs not fail in the same way repeatedly.
While there are general principles to consider in assessing risk, designing policies, and implementing programs, every business enterprise is different and demands a unique approach. Even within the same industry, businesses can have radically different supply chains, operating geographies, and technology platforms; therefore, the way risk is assessed and dealt with is necessarily enterprise-dependent.
There are also exogenous factors that have to be considered. Compliance is not always about the operation itself, but rather, the regulatory environment at large. Administrations at all levels of government increasingly pursue different—sometimes diametrically opposed—policy goals. Over time this political friction has resulted in two things that frustrate regulatory compliance. First, there is a kind of regulatory whiplash that follows a change in administration, where compliance strategy must change course to meet additional or different sets of demands. Second, because so much of the policy implementation occurs at the agency level, at the local level, and/or via executive action, there is a lack of comprehensiveness in many areas of regulation, such that important areas of law and business are regulated by a piecemeal and sometimes contradictory set of laws and mandates. These things conspire to increase complexity and decrease predictability.
It is important, therefore, to know your regulator. Agencies will differ in how they pursue their regulatory remit; what is important to one may be less so to another. Designing and implementing effective programs is a huge piece of the compliance puzzle, but when those measures fall short, there is no substitute for having a knowledgeable network of professionals who understand the who of compliance as well as the why and how.
Jeff Jensen is a partner with Husch Blackwell LLP and leads the firm’s White Collar, Internal Investigations and Compliance practice. Formerly, Mr. Jensen served as U.S. Attorney for the Eastern District of Missouri and as a Special Agent with the Federal Bureau of Investigation.
Salvador Hernandez is a Senior Compliance and Ethics Advisor with Husch Blackwell. Mr. Hernandez is a 25-year veteran of the Federal Bureau of Investigation where he rose through the ranks to occupy executive-level positions within the Bureau. After departing the FBI, he led the legal and regulatory compliance efforts of one of the travel/transportation industry’s largest companies.