Top Ten Lessons for Compliance Officers from the Update to the DOJ’s Compliance Program Evaluation Guidance

In April of 2019, the Department of Justice issued its game-changing Evaluation of Corporate Compliance Programs guidance. The guidance was a feast for the compliance profession. It was written as a series of questions a prosecutor would ask in an investigation, which in turn signaled the answers a company would be expected to give.

On June 1, 2020, the DOJ updated its guidance document to reflect, as Assistant Attorney General Brian Benczkowski said, “additions based on our own experience and important feedback from the business and compliance communities.”[i]

The new language in the guidance is fascinating because it sets out the updated expectations of prosecutors. Companies are once again on notice that the line in the sand has shifted, and they need to respond now to meet those new expectations. Following are the top ten lessons compliance officers can learn from the new guidance, and what to do now to update your program based on this new information.

Lesson One: Today’s Best Practices are Becoming Expectations Already

At Spark Compliance Consulting, when we do compliance program reviews, we include recommendations for immediate changes, as well as more aspirational best practices that we’ve seen in more advanced programs. The new DOJ guidance includes references to many of these best practices, meaning that they are likely to become expectations in the very near future. These best practices include:

  • Ensuring that online training programs have “a process by which employees can ask questions arising out of the training.”

  • Conducting post-acquisition auditing at newly acquired entities.

  • Ensuring that the “company engage(s) in risk management of third-parties throughout the lifespan of the relationship.”

  • Making micro-training available. The guidance notes that companies have “invested in shorter, more targeted training sessions to enable employees to timely identify and raise issues to appropriate compliance, internal audit, or other risk management function.”

  • Evaluating “the extent to which the training has an impact on employee behavior.”

There are challenges here. Most online training programs do not have the capacity to pass questions along automatically to the compliance department, and many training companies do not yet have micro-learning available. In addition, tracking how training affects employee behavior is a big undertaking.

WHAT TO DO NOW: Review the list above and determine whether you can implement any of these practices. If you can, do so. If you cannot, begin planning to implement them in the future. Contact the technology providers with which you have relationships and ask them when their technology will be updated to accommodate these expectations.

Lesson Two: You Need Access to Data…
