New DOJ Guidelines on Corporate Compliance Programs

The Department of Justice’s (DOJ) Fraud Section recently issued guidance for Compliance Officers on how prosecutors evaluate the adequacy of organizations’ Compliance Programs. The DOJ published a list of important topics and sample questions that prosecutors can use throughout the evaluation process. This 119-question resource offers great insight for Compliance Officers who are working to build and enhance their Compliance Programs. These guidelines grew out of the DOJ’s hiring of Compliance Counsel Expert Hui Chen in November 2015. Notably, the DOJ guidelines relate to all industry sectors and are consistent with the U.S. Sentencing Guidelines.

The “Filip Factors”

The Principles of Federal Prosecution of Business Organizations in the United States Attorneys’ Manual describes specific factors that prosecutors should consider in conducting an investigation of a corporate entity, determining whether to bring charges, and negotiating plea or other agreements. These factors, commonly known as the Filip Factors, include “the existence and effectiveness of the corporation’s pre-existing compliance program” and the corporation’s remedial efforts “to implement an effective corporate compliance program or to improve an existing one.” The guidance was formulated to evaluate compliance programs after a violation had been discovered, and to examine the existing misconduct as the benchmark against which the compliance program would be evaluated. It also provides guidelines for testing existing compliance programs, and outlines steps that should be taken when problems are discovered in order to demonstrate a pre-existing commitment to compliance. The Guidance also informs the public about federal prosecutors’ review of compliance programs under the Filip Factors.

The eleven highlighted topics covered in the guidance, as well as potential DOJ follow-up questions, are listed below:

  1. Analysis and Remediation of Underlying Misconduct. The Department of Health and Human Services (HHS) Office of Inspector General’s (OIG) guidance stresses identifying and addressing weaknesses and preventing misconduct in the future.
  • Has the company analyzed and identified a systematic failure in compliance?
  • Did the company miss prior opportunities to detect the misconduct?
  • Has the company evaluated why those opportunities were missed?
  • What remediation was undertaken once a problem was discovered?
  • What specific changes has the company made to reduce the risk of a reoccurrence?
  2. Senior and Middle Management. The OIG calls for “top-down” compliance programs beginning at the Board and executive levels and cascading down through all levels of management.
  • Did senior managers, through their words and actions, encourage or discourage the misconduct in question?
  • Has senior leadership taken concrete steps to demonstrate commitment?
  • Does the Board have access to the right expertise to help perform its oversight function?
  3. Autonomy and Resources. Prosecutors look for signs of “autonomy,” such as whether compliance personnel have “direct reporting lines to anyone on the board of directors” and whether “relevant control personnel in the field have reporting lines to headquarters.” The OIG has been calling for this type of independence for Compliance Officers for decades, permitting unfiltered information flow between the Compliance Officer, CEO, and Board. The DOJ also looks for signs of “empowerment,” such as instances where “specific transactions or deals . . . were stopped, modified, or more closely examined as a result of compliance concerns.” With the relatively recent hiring of full-time compliance counsel at the Fraud Section, this has been a particular point of focus.
  • Does the compliance function have the right resources and stature within the company to perform effectively?
  • Was compliance involved in the training and decisions relevant to any misconduct?
  • Does compliance have appropriate independence?

  4. Policies and Procedures. Policies and procedures are a foundational component of any corporate compliance program. The Compliance Program Guidance devotes considerable attention to this topic, as does the OIG in their guidance documents. As a threshold matter, prosecutors consider the “design and accessibility” of policies and procedures, including whether they have been: (1) tailored to a company’s risk profile; (2) effectively implemented and communicated; and (3) evaluated to ensure usefulness. Prosecutors also consider the “operational integration” of a company’s compliance policies and procedures, including the adequacy of payment systems and effectiveness of controls to detect or prevent misconduct.
  • Did the company have policies and procedures in place that prohibited the misconduct?
  • Has the company assessed whether its policies and procedures were effectively implemented?
  • Are key gatekeepers adequately trained?
  • Was the program properly integrated and were adequate controls put in place to detect misconduct?
  5. Risk Assessment. This factor relates to the OIG guidance about ongoing monitoring and auditing of high-risk areas.
  • What methodology has been used to identify, analyze, and address the risks the company faced?
  • Does the company collect information and metrics to adequately assess risks?
  6. Training and Communications. There is an expectation that all covered persons will undergo compliance training concerning high-risk areas, governing laws and regulations, and procedures for alleged misconduct.
  • What training was in place and is it properly tailored for high-risk or control employees?
  • Is the training offered in the right form and language for the target employees?
  • How does the company communicate to employees about any misconduct that has occurred?
  7. Confidential Reporting and Investigation. The new guidelines focus on how employees and others may report potential wrongdoing, as well as how the organization will act on this information.
  • Does the company have an effective way of collecting and analyzing allegations of misconduct?
  • Does the company ensure investigations have been properly scoped, conducted, and documented?
  • Did the investigation look to root causes of the misconduct?
  • Did the investigation go high enough up in the company?
  8. Incentives and Disciplinary Measures. The OIG stresses consistent implementation of disciplinary action for wrongdoers, without regard to their status within the organization.
  • Is there proper accountability as demonstrated by discipline for managers under whose watch misconduct occurred?
  • Is the application of discipline consistent?
  • Is there an incentive program for good compliance and ethical behavior?
  • Can the company point to specific examples of actions taken (e.g., promotions or awards denied) as a result of compliance and ethics considerations?
  9. Continuous Improvement, Periodic Testing, and Review. The OIG calls for Compliance Officers to ensure that there is an audit work plan focusing on high-risk areas. Many of these high-risk areas are identified in the OIG’s compliance guidance documents, advisory opinions, and annual work plans.
  • What types of audits would have identified the misconduct at issue and were they conducted?
  • Did management and the board follow up on audit findings and failures? Does the company test its controls?
  • Does the company routinely update its compliance program and make sure it adequately addresses current risks?
  10. Third Party Management. The OIG places considerable attention on arrangements with individuals who could potentially influence the flow of business. The OIG calls for an Arrangements Database that includes processes, policies, and monitoring of such agreements.
  • Does the company’s third-party management process adequately analyze risk?
  • Are there appropriate controls with regard to third parties?
  • Does the company adequately respond to third-party red flags?
  • Has the company suspended, terminated, or audited a third party as a result of compliance issues?
  11. Mergers and Acquisitions (M&A).
  • In the event that misconduct is discovered after a merger, was proper due diligence conducted during the M&A process?
  • How has the compliance function been integrated into the M&A process?

Visit Strategic Management At The 2017 HCCA Conference

Strategic Management and Compliance Resource Center are excited to participate in the 2017 HCCA compliance institute. We invite you to visit Booth 422 to learn how our comprehensive compliance services and solutions can meet your needs!
