The DOJ’s April 2019 guidance for prosecutors on compliance programs reflects a belief that even as risk taking drives business behavior, so too should legal (particularly criminal) risk drive and inform a business’s compliance program. Simply stated, the more significant the risk-taking environment, the greater the chances for criminal behavior.
The guidance recognizes that “each company’s risk profile and solutions to reduce its risks warrant particularized evaluation” and then offers questions grouped into topical sections for prosecutors (and corporate compliance stakeholders) to consider.
Risk receives prominent initial treatment in the first of the three primary questions covered in the guidance — Is the Corporation’s Program Well-Designed? The first subsection, entitled “Risk Assessments,” begins with:
The starting point for a prosecutor’s evaluation of whether a company has a well-designed compliance program is to understand the company’s business from a commercial perspective, how the company has identified, assessed, and defined its risk profile, and the degree to which the program devotes appropriate scrutiny and resources to the spectrum of risks.
Importantly, the risk assessment treatment specifically covers the fact that companies’ risks change over time (a theme revisited in the third primary question involving whether the program actually works), and the importance of receiving and acting upon timely risk data:
Updates and Revisions — Is the risk assessment current and subject to periodic review? Have there been updates to policies and procedures in light of lessons learned? Do these updates account for risks discovered through misconduct or other problems with the compliance program?
In the second guidance question — Is the Corporation’s Compliance Program Being Implemented Effectively? — risk is essentially used as a gauge, and is applied to key compliance behavioral indicia:
In the Commitment by Senior and Middle Management subsection, the questions illustrative of Conduct at the Top include: Have managers tolerated greater compliance risks in pursuit of new business or greater revenues?
In the Autonomy and Resources subsection, the discussion of various evaluation factors includes: The sufficiency of each factor, however, will depend on the size, structure and risk profile of the particular company. And in the adequacy of compliance personnel discussion, the guidance offers (borrowing from the Justice Manual) that prosecutors should also evaluate the quality and experience of the personnel involved in compliance, such that they can understand and identify the transactions and activities that pose a potential risk.
The final guidance question — Does the Corporation’s Compliance Program Work in Practice? — focuses on operational areas. Two of the three subsections feature risk.
In Continuous Improvement, Periodic Testing, and Review, the questions include: How often does internal audit conduct assessments in high-risk areas? How often has the company updated its risk assessments and reviewed its compliance policies, procedures and practices? Has the company undertaken a gap analysis to determine if particular areas of risk are not sufficiently addressed in its policies, controls, or training?
In Analysis and Remediation of Any Underlying Misconduct, the questions include: What specific changes has the company made to reduce the risk that the same or similar issues will not occur in the future?
Quantitatively, and as an indication of how governmental thinking on compliance programs has evolved, the word “risk” appears five times in the original 2004 US Sentencing Guidelines’ Sec. 8B2.1 “Effective Compliance Program” treatment, three of which are in the Application Notes. In the newly released DOJ guidance, “risk” appears almost 40 times.
Qualitatively, even though the new guidance is ostensibly directed towards prosecutors, compliance practitioners should: (a) take note of the DOJ Criminal Division’s increased appetite for analyzing corporations’ appreciation for, and response to, their respective risk environments; and (b) remain current on the frameworks and approaches being used to design and operate enterprise risk programs.
Worth MacMurray is a Senior Advisor to Guidehouse LLC and a Principal at Governance & Compliance Initiatives. He was formerly general counsel of several DC-area public IT companies and government contractors, a leader within PwC’s DC anti-corruption office, and a member of the US Technical Advisory Group that worked with other countries over a three-year period to create ISO 37001.
Dennis Chesley is a Partner at Guidehouse LLC and a retired Principal from PwC. He was the lead author on the 2017 COSO ERM update and is a frequent speaker on risk and risk-related topics. For over 8 years, Dennis led the risk and regulatory consulting group globally at PwC and served as a primary architect of the TARP programs on behalf of the U.S. Treasury.
The authors thank Guidehouse’s COO Charles Beard for his contributions to this post.