BOARD OVERSIGHT OF CORPORATION COMPLIANCE PROGRAMS: RECENT DOJ GUIDANCE AND WHAT TO DO NOW
By Holly J. Gregory* and Rebecca Grapsas*

Boards should consider assessing the effectiveness of their compliance programs now in light of the DOJ’s recent guidance on evaluating compliance programs — whether or not the company currently has any compliance issues.

Each company should, at a minimum, have a basic effective compliance program in place. A program that exists “on paper” but is not effective is not sufficient. As well as making good business sense for a range of reasons, having an effective compliance program can influence a federal prosecutor’s decision on whether to charge a company for the bad acts of its employees or officers and the extent to which the company may receive credit for cooperation in a settlement. Having an effective compliance program can also help mitigate penalties if corporate wrongdoing is found.

Oversight of a company’s “tone at the top” and its compliance program designed to establish and maintain that tone and detect problems is an important board responsibility. As fiduciaries, directors are required to assess the company’s compliance program in light of the legal and regulatory compliance framework and ensure that the company has appropriate compliance-related reporting and information systems and internal controls in place. It is a business judgment for the board to determine what compliance program best suits the company’s needs and the level of compliance risk it is willing to take.

The standard for effectiveness in compliance program design is set forth in Chapter 8 of the United States Federal Sentencing Guidelines, which provides that a company must:

■ Establish standards and procedures to prevent and detect criminal conduct

■ Ensure board oversight of the compliance program

■ Appoint a high-level individual (such as a chief compliance officer) who has overall responsibility for the compliance program

■ Exercise due diligence to exclude unethical individuals from positions of authority

■ Communicate information about the compliance program to employees and directors

■ Monitor the compliance program’s effectiveness

■ Promote and consistently enforce the compliance program

■ Respond to violations and make necessary modifications to the compliance program (US Sentencing Commission Guidelines Manual §§ 8B2.1(b), 8C2.5(f))

The Principles of Federal Prosecution of Business Organizations in the US Attorneys’ Manual provide that prosecutors should consider specific factors (known as the “Filip Factors”) in conducting corporate investigations, determining whether to bring charges and negotiating plea or other agreements. These factors include “the existence and effectiveness of the corporation’s pre-existing compliance program” and the corporation’s remedial efforts “to implement an effective corporate compliance program or to improve an existing one.” The Department of Justice (DOJ) emphasizes that critical factors in evaluating a compliance program are “whether the program is adequately designed for maximum effectiveness in preventing and detecting wrongdoing by employees and whether corporate management is enforcing the program or is tacitly encouraging or pressuring employees to engage in misconduct to achieve business objectives” (US Attorneys’ Manual § 9-28.300, General Principle; § 9-28.800, Comment (2015)).

In February 2017, the Fraud Section of the DOJ issued a resource entitled Evaluation of Corporate Compliance Programs. The document provides more specific examples of how federal prosecutors will evaluate a company’s compliance program in the process of investigating and resolving an enforcement matter. The document emphasizes that “the Fraud Section does not use any rigid formula to assess the effectiveness of corporate compliance programs.” The document is the latest communication forming part of the Fraud Section’s Compliance Initiative, which began with the Fraud Section’s hiring of Hui Chen as full-time compliance counsel in November 2015.

The DOJ’s recent guidance for evaluating corporate compliance programs is also discussed in the most recent issue of Sidley’s Anti-Corruption Quarterly.

The document contains probing questions regarding the following eleven “sample” topics:

1. Analysis and remediation of underlying misconduct (including root cause analysis and prior indications)

2. Senior and middle management (including conduct at the top, shared commitment and oversight)

3. Autonomy and resources (including compliance function stature, experience, qualifications, empowerment, funding and outsourcing)

4. Policies and procedures (including design, applicability, gatekeepers, accessibility, operational integration, controls and vendor management)

5. Risk assessment (including methodology, information gathering and analysis, and manifested risks)

6. Training and communications (including form, content and effectiveness, communications about misconduct and availability of guidance)

7. Confidential reporting and investigation (including reporting mechanism effectiveness, investigation scope and response to investigations)

8. Incentives and disciplinary measures (including accountability, process and consistency)

9. Continuous improvement, periodic testing and review (including internal audit, control testing, interviews and evolving updates)

10. Third-party management (including risk-based and integrated processes, controls, relationship management and misconduct consequences)

11. Mergers and acquisitions (including due diligence process, integration in the M&A process and process connecting due diligence to implementation)

The questions are designed to look behind a company’s compliance program “on paper” and evaluate how the program has been implemented, updated and enforced in practice. Although some of the questions focus on the effectiveness of a company’s compliance program in the context of specific misconduct (for example, what caused the misconduct, whether there were prior indications of the misconduct and which controls failed), many of the questions focus on the compliance program more broadly, including, for example, whether compliance personnel report directly to the board, what methodology the company uses to identify, analyze and address the risks it faces, and how the company incentivizes compliance and ethical behavior.

Compliance program assessment is a key element of the board’s oversight of compliance programs. Boards should conduct such assessments periodically to identify areas for improvement in light of the company’s evolving risks and regulatory preferences with respect to compliance structures and practices. Periodic assessment of the compliance program, in a process overseen by the board or a board committee, helps ensure that the program continues to be “fit for the purpose” by identifying areas for improvement, while also creating evidence of the company’s commitment to compliance for use in any future regulatory enforcement actions. Assessments should be risk-based to reflect the company’s changing risk environment and to help ensure that limited compliance resources are prioritized to focus on the most significant risks.

The assessment criteria should be based on the elements of an effective compliance program as described in DOJ guidance discussed above, including specific guidance from regulators regarding the company’s industry. The assessment criteria should also reflect trends in settlement agreements, developing notions of recommended practices (both generally and within the company’s specific industry), and the practices of peer companies, to the extent that benchmarking data is available.

In conducting its assessment, the board should evaluate the following and consider how it would answer the specific questions set forth in the DOJ’s recent guidance:

■ The board’s level of oversight including availability of compliance expertise, private sessions with compliance personnel and information

■ Reporting lines and related structures

■ Experience, qualifications and performance of the chief compliance officer and compliance function

■ Compliance function responsibilities, budget and budget allocation (including employees, outside advisors and other resources), staff turnover rate and outsourcing

■ Written corporate policies and procedures regarding ethics and compliance (including legal and regulatory risks), and the process for designing, reviewing and evaluating the effectiveness of policies and procedures

■ Internal controls to reduce the likelihood of improper conduct and compliance violations

■ Ongoing monitoring, control testing and auditing processes to assess the effectiveness of the program and any improper conduct

■ Role of compliance in strategic and operational decisions

■ Key compliance risks, risk assessment processes and risk mitigation

■ Senior management conduct and commitment to compliance, and how the company monitors this

■ Communication efforts by the board, CEO, other senior executives, and middle management regarding expectations and tone

■ Education and training regarding compliance generally and the company’s program, policies and procedures at all levels

■ Understanding of corporate commitment to compliance at all levels

■ Awareness and use of mechanisms to seek guidance and/or to report possible compliance violations, and fear of retaliation

■ Specific problems that have arisen, why they arose and how they were identified and resolved

■ Investigation protocols and experiences

■ Performance incentives, accountability, disciplinary measures and enforcement

■ Remediation and efforts to apply lessons learned

The DOJ’s recent guidance should help boards determine the assessment process that is appropriate for the company, evaluate whether the company’s program continues to be effective and fit for purpose, and consider appropriate modifications to the program.

Sidley Perspectives | JUNE 2017 • 4

*Holly J. Gregory is a partner in Sidley’s New York office and a co-leader of the firm’s global Corporate Governance and Executive Compensation practice. Rebecca Grapsas is counsel in Sidley’s Corporate Governance and Executive Compensation practice who works from both the firm’s New York and Sydney offices. The views expressed in this article are those of the authors and do not necessarily reflect the views of the firm.