Though it’s announced a new focus on corporate criminal enforcement, the DOJ has also, helpfully, given companies a playbook for avoiding running afoul of the law. StoneTurn’s Jonny Frank explores eight actions firms can take to remain in the government’s good graces.
DOJ’s initial and further revisions to corporate criminal enforcement policies epitomize the carrot-and-stick approach. Organizations that embrace the policies can avoid prosecution, almost certainly obtain reduced fines and penalties and escape a government-imposed monitor. Besides legal benefits, the policies and corollary DOJ guidance help companies increase revenue, cut costs, enhance compliance and in-house legal function expertise, safeguard the brand and protect board members’ and management’s professional reputation.
Organizations that ignore or dismiss the policies and guidance face far harsher consequences, especially if they are corporate crime recidivists or fail to remediate timely and effectively. Here are eight relatively inexpensive actions companies and their external advisers can take to reap the benefits.
1. Dress the skeletons in your closet
DOJ’s corporate criminal enforcement policies direct prosecutors to consider past criminal, civil and regulatory violations when determining the resolution of corporate criminal activity. Besides public resolutions, organizations should also be mindful of past misconduct that the government learns about from the company or by other means.
Companies cannot undo past misconduct but can mitigate the damage. Remediation is essential, particularly when companies elect not to self-disclose misconduct. Effective remediation will help a company demonstrate a strong corporate culture and convince prosecutors that its enhanced compliance program will succeed.
2. Create a remediation playbook
The government stresses remediation. Companies that do not complete and test remediation face a likely government-imposed monitor, criminal prosecution and higher fines and penalties. Remediation must commence early in the investigation and include a multi-disciplinary team of risk and controls, forensic audit, data science and industry experts.
Creating a remediation playbook in the middle of a legal crisis is like fixing a leaky roof in the rain; it is far safer and easier to repair when the sun is shining. Some organizations, mainly large banks, have appointed chief remediation officers or established remediation offices to coordinate the process.
At a minimum, large companies would benefit from a playbook for tackling a large remediation project. Remediation playbooks address (1) circumstances requiring remediation; (2) governance; (3) team composition; (4) “root cause analysis,” “read across” and “consequence management” processes; and (5) testing design and auditing operating effectiveness. Addressing these issues upfront saves time, money and resources and helps ensure consistency and effectiveness.
3. Self-assess E&C program against DOJ criteria
The DOJ published criteria for prosecutors to consider when assessing compliance program effectiveness. Because the guidance appears as questions, it is not difficult for companies to self-assess their program against DOJ expectations.
Organizations should use the self-assessment to develop a corrective action plan. Enhancements are typically required to address overly general compliance risk assessments, untailored processes and controls, inadequate use of data science and analytics as preventive and detective tools, the absence of a remediation process and inadequate testing.
Conducting a self-assessment before misconduct occurs allows the company time to correct deficiencies. Also, the policies instruct prosecutors to assess the corporation’s compliance program at “(1) the time of the offense; and (2) the time of a charging decision.” The self-assessment and corrective action plan will make for a compelling case for a culture of compliance.
4. Audit the E&C program
The DOJ emphasizes the importance of testing. For example, the further revisions policy promises no criminal prosecution of “cooperating corporations that voluntarily self-disclose misconduct the relevant conduct if, at the time of resolution, it also demonstrates that it has implemented and tested an effective compliance program” (emphasis added).
Testing compliance program effectiveness resembles a Sarbanes-Oxley internal controls audit. SOX pertains to internal controls over financial reporting; compliance program audits involve internal controls over compliance. But, because the process is the same, the company can borrow from its SOX process to test the compliance program.
5. Keep a ‘good deeds’ scrapbook
Organizations tend not to keep a record of standard, day-to-day activities demonstrating compliance program effectiveness. And, as a practical matter, it is difficult, time-consuming and less persuasive to re-create this evidence retroactively.
It is far easier to record good deeds contemporaneously. For example, ask employees to include in year-end evaluations examples of how they lived the company’s values. Or, as another example, keep a record of declining a business deal because of concerns about the counterparty’s integrity.
6. Remediate early and effectively
Remediation must be complete, embedded, and tested for companies to realize credit for remediation; incomplete or ineffective remediation risks a government-imposed monitor. Remediation requires substantial time to (1) conduct a root-cause analysis; (2) determine whether the perpetrators engaged in other misconduct; (3) search for similar misconduct elsewhere in the organization; (4) implement corrective measures; (5) discipline primary and secondary wrongdoers; and (6) audit.
Companies often establish separate remediation and fact-finding workstreams. Beyond saving time, separate workstreams help the company and external counsel protect privileged communications. Separate fact-finding and remediation workstreams enable compliance practitioners to avoid the distraction of the investigation. And as a practical matter, employees will spurn speaking about remediation with the same individuals investigating their colleagues and company.
7. Discipline secondary wrongdoers & claw back
The DOJ compliance program criteria and corporate enforcement policies require prosecutors to consider discipline when evaluating compliance program effectiveness and resolving corporate criminal investigations. Companies should take special note of the discipline of secondary wrongdoers (e.g., negligent supervisors).
Compliance program criteria direct prosecutors to consider “failure in oversight, as well as those with supervisory authority over the area in which the criminal conduct occurred.” Similarly, under the corporate enforcement policies, prosecutors must consider secondary wrongdoers when deciding whether to impose a monitor.
The September 2022 further revisions memo brings renewed emphasis on compensation systems, including the direction that prosecutors consider “clawback compensation previously paid to current or former executives whose actions or omissions resulted in, or contributed to, the criminal conduct at issue.”
DOJ believes financial incentives align the C-suite and compliance department’s interests and enhance the compliance culture. And, consistent with its carrot-and-stick approach, it plans to release further guidance on how it will “reward corporations that develop and apply compensation clawback policies, including how to shift the burden of corporate financial penalties away from shareholders — who in many cases do not have a role in misconduct — onto those more directly responsible.”
Companies need to update their compensation policies to take advantage of this policy. Some may even need to consider revising senior executive contracts.
8. Consider voluntary self- or third-party certification
In spring 2022, the DOJ Criminal Division announced that all corporate criminal settlement agreements require CEOs and CCOs to certify the effectiveness of the ethics and compliance program. The DOJ is not alone. The SEC periodically requires certifications of compliance program effectiveness in its enforcement orders. And in Europe, large company boards of directors are beginning to ask management to certify as part of their oversight of the compliance function.
Companies can take advantage of certification in the absence of corporate criminal settlements. Voluntary certifications are powerful given the weight DOJ gives to them. For example, the company or a third party can certify the effectiveness of the remediation and enhanced compliance program. Or it can certify effectiveness after performing a self-assessment or internal audit of the program.
CCOs have expressed concern over their potential personal liability. As a practical matter, however, liability would not attach unless the CCO intentionally or recklessly issued a certification known to be false.
Further, CCOs can look to SOX for comfort. Under that framework, the CEO and CFO assert that the company’s internal controls over financial reporting are reasonably designed and operating to prevent material misstatements, followed by an independent audit. In this context, the CCO can mitigate any potential risk by arranging for an independent audit before executing a certification.
When it comes to the new DOJ corporate enforcement policies, there are several advantageous factors for companies seeking to enhance their compliance programs and reap the benefits not just of regulatory compliance, but of efficiency and overall corporate health. By taking advantage early, companies of all stripes will stay ahead of missteps that may otherwise derail their progress in the long term.