On 30 April 2019, the US Department of Justice (DOJ) released updated guidance on its approach to evaluating corporate compliance programmes. It succeeded guidance released in 2017 and reflects the importance the DOJ places on organisations employing a risk-based, fit-for-purpose approach to compliance programmes. Compared to previous guidance, the updated guidance sharply emphasises the need for companies to test their programmes and for the programmes to evolve as their risk landscape changes, either because of changes to their business or changes in the regulatory landscape.

Whereas the previous guidance was based around 10 ‘hallmarks’ of an effective compliance programme, the new guidance is organised around three principal questions: Is the programme well designed? Is the programme being implemented effectively? Is the programme working in practice?

Programme design

When considering the design of a compliance programme, the DOJ will focus on: (i) how a company approaches risk assessments; (ii) policies and procedures; (iii) training and communication; (iv) investigative procedures; and (v) management of third parties.

The DOJ makes it clear that risk assessments should inform the specific guidance provided within a company’s policies and procedures. Policies and procedures will also be evaluated in terms of how they help the company implement a ‘culture of compliance’. The new guidance shows the DOJ’s increasing maturity with regard to compliance by emphasising that policies and procedures must be operationalised throughout the company and should be aligned with other internal controls within the company. In other words, the DOJ realises that beautifully written policy documents do not mean much if they cannot be effectively utilised by a company. Training, in turn, should reinforce the guidance provided within the policies and procedures.

Jul-Sep 2019 Issue