There can be no doubt about the value that the Department of Justice (DOJ) places on the development, implementation, and communication of compliance-related policies. In its latest Compliance Program (CP) Guidance, the DOJ devoted more than two dozen questions to compliance policies. It summed up its position by saying, "Any well-designed compliance program entails policies and procedures that give both content and effect to ethical norms and that address... risks identified by the company..." In other words, a well-designed CP includes policies and procedures that address, and aim to reduce, the risks the company has identified. The CP Guidance urges prosecutors to examine the company's code of conduct for its commitment to full compliance with federal laws, and to assess whether the company has established policies and procedures that incorporate compliance into day-to-day operations.
The following summarizes many questions the DOJ poses about compliance-related policies:
- What is the process for designing, implementing and updating policies?
- Who has been involved in their design?
- Who has been responsible for integrating the policies into the organization?
- What steps have been taken to ensure that they are integrated into business processes?
- Do updates to the policies account for risks discovered through misconduct identified by the CP?
- How have the policies been communicated to employees and relevant third parties?
- Have the policies been rolled out in a way that ensures employees understand them?
- Is guidance on the policies provided during training?
- What resources have been available to provide guidance?
- What evidence is there that the policies have improved the culture of compliance in day-to-day operations?
- What evidence is there that the policies are fully understood by employees?
- Do employees have easy access to and understanding of the policies?
- Are the policies in searchable format for easy reference?
- What efforts have been made to monitor and implement policies addressing compliance risks?
- How have changes to the legal and regulatory landscape been monitored for updates?
- Is access to the policies tracked to understand which ones are attracting more attention?
- In what specific ways are they reinforced through the internal control systems?
- What has been the process for implementing the policies with newly acquired entities?
- Do the policies set forth disciplinary measures for engaging in criminal conduct?
- Do they address employees failing to take steps to prevent or detect criminal conduct?
- How often have the policies been updated?
- Has there been a gap analysis to identify risk areas not sufficiently addressed by the policies?
- Have periodic reviews led to updates?
- Were steps taken to determine that the policies make sense for business segments/subsidiaries?
The following are some suggestions for evidencing effective compliance policies:
- Standardize the form and format of all compliance-related policies to make them more understandable and user friendly.
- Include sections in policies for other related policies and citations of authority.
- Consider having a user group validate whether the policies are easy to understand when developing new policies.
- Ensure that compliance training addresses key compliance policies.
- Evidence employee knowledge and understanding by employing an independently administered Compliance Knowledge Survey.
- Maintain a record management system that evidences tracking of all policy development, review, updates, revisions, and rescissions.
- Ensure that compliance risk assessments evaluate whether existing policies adequately cover the weaknesses identified.
- Consider employing a validated Compliance Culture Survey to answer culture questions.
For more information on this topic, contact Richard Kusserow.