Each week OneTrust hosts industry experts to discuss the latest privacy, security, data governance, and compliance updates, trends, and developments in the world via LinkedIn Live. In this session, Scott Bridgen, Offering Manager for OneTrust GRC, was joined by Lisa Sotto, Partner for Hunton Andrews Kurth LLP, to discuss the recent United States DOJ corporate compliance guidance.
Watch the LinkedIn Live now: Common Questions on the DOJ’s Latest Corporate Compliance Program Guidance
Background on the DOJ Corporate Compliance Guidance
Scott kicked off the conversation by breaking down what the DOJ corporate compliance guidance is.
“On June 1, 2020, the DOJ released updated guidance for prosecutors on how to evaluate the design, implementation, and effective operation of corporate compliance programs. This includes determining whether, and to what extent, the DOJ considers a corporation’s compliance program to have been effective at the time of a criminal offense and to be effective at the time of a charging decision or resolution.”
The guidance updates a prior version issued on April 30, 2019. The 2020 guidance makes several notable changes to the language of its predecessor, but the core structure and content of the guidance remains the same.
The guidance's considerations span corporate compliance program resourcing, stakeholder enablement, accountability, and the shift to a business outcome-based methodology.
According to Lisa, “the DOJ corporate compliance guidance provides a well-considered framework for how companies should build and maintain their compliance programs. Essentially, it acts as a roadmap for companies and lays out the compliance factors that should be considered when assessing a program.”
She continues, “the guidance specifically indicates it is not appropriate to use a rigid formula to assess how effective your compliance program is. Instead, every company needs to consider its own risk profile, and needs to look at factors such as the company’s size, industry sector, the various geographies that the company operates out of, as well as the regulatory landscape.”
Questions the DOJ Corporate Compliance Guidance Works to Answer
Lisa adds, “the DOJ corporate compliance guidance still relies on three key questions. These will inform the analysis of the strength and effectiveness of a company’s compliance program.”
The first question the guidance asks is whether the corporation’s compliance program is “well designed.”
Lisa believes this question focuses on whether a compliance program is designed to effectively prevent and detect wrongdoing. It also asks whether management is enforcing the program or if they are implicitly letting misconduct slip through.
Scott adds, “this design requirement is extended across policies and procedures, third-party risk management, mergers and acquisitions as well as training and communications.”
The second question the guidance asks is, “Is the program adequately resourced and empowered to function effectively?”
Scott believes this is an issue across the risk management function because risk ownership is oftentimes not given to the right people in an organization. He asks Lisa what her thoughts are on something as broad as program resourcing and empowerment.
“The guidance actually notes that one bad apple of an employee does not mean that you don’t have an effective compliance program in place,” said Lisa. “That aside, organizations still need to ensure they have sufficient employee resources and training in place to support compliance.”
In addition, the guidance states the need for compliance incentives and noncompliance disincentives. The key here is that organizations convey how unethical conduct is simply not tolerated and can even lead to adverse consequences regardless of whether the violator is the CEO or the janitor.
The third question the guidance asks is, “does the corporation’s compliance program work in practice?”
As Lisa previously mentioned, the existence of misconduct does not in and of itself mean that the program is not effective. No company can completely rule out the possibility of criminal behavior. Thus, the question is whether misconduct was thoroughly detected and appropriately addressed.
Lisa adds, “it’s critical to not consider your compliance as a one and done exercise. After you’ve written out a great program, you must implement it, ensure adequate staff is in place, then review it regularly to support ongoing compliance changes.”
Implications of the DOJ Corporate Compliance Guidance
We’ve talked about the guidance itself, but what about the implications of the guidance?
The most up-to-date DOJ corporate compliance guidance takes a fresh look at this and adds further guidance, so experts recommend that businesses of all sizes review their programs and make adjustments as needed. In doing so, many businesses come across market challenges.
“I think the biggest challenge at the moment is the pandemic. Resources have been shifted away during this time and companies are just trying to stay in business,” said Lisa. “But I would say, don’t take your eye off the compliance ball. Even though times are difficult, we still need to make sure compliance functions are operating as intended.”
Scott went on to talk about measurement, especially because organizations take so many differing approaches to implementing a compliance program. Some systemize it and some run it from a spreadsheet, but what you tend to find is that without a proper risk-based approach, the program becomes a check-box exercise. So how do organizations act on that and move away from the check-box approach?
Scott states, “Check-the-box, paper exercises are not sufficient. It’s critical to think about a framework that sets the ethical tone of the entire company. The guidance provides an excellent roadmap and gives you precise parameters about how to set up a well-structured program. Companies listening would be well suited to use this document as a guide in setting up or improving an existing compliance program.”
Lisa and Scott concluded the discussion with the reassessment of a compliance program. Both believe that a detailed review of compliance operations should take place at least every quarter. In addition, any material change in the organization is an opportunity to take another close look at the program.
Scott states, “as with all things privacy, security, data governance and compliance, OneTrust can support you.”
OneTrust GRC offers everything from developing and reviewing your policies, monitoring and managing risk in real time, and performing gap analysis, to linking it all back to your business objectives. To learn more or request a demo, visit OneTrustGRC.com.
- Read the blog: DOJ Corporate Compliance Guidance: Three Simple Tips