Thursday, February 25, 2021
Corporate Compliance Insights
  • Home
  • About
    • About CCI
    • Writing for CCI
    • NEW: CCI Press – Book Publishing
    • Advertise With Us
  • Articles
    • See All Articles
    • NEW: COVID-Related
    • Compliance
    • Ethics
    • Risk
    • FCPA
    • Governance
    • Fraud
    • Internal Audit
    • HR Compliance
    • Cybersecurity
    • Data Privacy
    • Financial Services
    • Leadership and Career
  • Vendor News
  • Jobs
    • Compliance & Risk
    • Information Security
  • Events
    • Webinars & Events
    • Submit an Event
  • Downloads
    • eBooks
    • Whitepapers
  • Podcasts
  • Videos
  • Subscribe
No Result
View All Result
  • Home
  • About
    • About CCI
    • Writing for CCI
    • NEW: CCI Press – Book Publishing
    • Advertise With Us
  • Articles
    • See All Articles
    • NEW: COVID-Related
    • Compliance
    • Ethics
    • Risk
    • FCPA
    • Governance
    • Fraud
    • Internal Audit
    • HR Compliance
    • Cybersecurity
    • Data Privacy
    • Financial Services
    • Leadership and Career
  • Vendor News
  • Jobs
    • Compliance & Risk
    • Information Security
  • Events
    • Webinars & Events
    • Submit an Event
  • Downloads
    • eBooks
    • Whitepapers
  • Podcasts
  • Videos
  • Subscribe
No Result
View All Result
Corporate Compliance Insights
Home Compliance

Lessons Learned About Lessons Learned

Applying the DOJ’s Evaluation Guidance to Curb Violations

by Jeff Kaplan and Rebecca Walker
August 11, 2020
in Compliance, Featured
open book and illustration of light bulb against blackboard background

The DOJ doesn’t take kindly to recidivism. Jeff Kaplan and Rebecca Walker discuss the importance of a “lessons learned” approach to your organization’s compliance and ethics program.

“Those who do not remember the past are condemned to repeat it,” famously wrote philosopher George Santayana. But what exactly – of the past – should be recalled? The need to explore violations of law and policy in an effort to prevent future, similar violations is an important aspect of a robust compliance and ethics (C&E) program. C&E professionals have long sought to utilize violations to enhance programs. The Department of Justice’s (DOJ) recently revised Evaluation of Corporate Compliance Programs (the Evaluation Guidance) provides some important guidance regarding remedial efforts.

First, the Evaluation Guidance provides, in relevant part: “Prosecutors may credit the quality and effectiveness of a risk-based compliance program that devotes appropriate attention and resources to high-risk transactions, even if it fails to prevent an infraction. Prosecutors should therefore consider, as an indicator of risk-tailoring, ‘revisions to corporate compliance programs in light of lessons learned…’” (quoting the DOJ’s Justice Manual).

This is a potentially powerful “carrot” for those companies that undergo such a lessons-learned analysis. And it is likely to be a powerful “stick” for those that do not. Indeed, the failure to apply a lessons-learned approach to an act of wrongdoing followed by a subsequent similar act may make the original transgression appear to be more purposeful than it otherwise would have appeared.

Second, the Evaluation Guidance instructs prosecutors to ask the following question (among others) in evaluating the risk assessment component of compliance programs: “Does the company have a process for tracking and incorporating into its periodic risk assessment lessons learned either from the company’s own prior issues or from those of other companies operating in the same industry and/or geographical region?”

Particularly important in this part of the Evaluation Guidance is the notion of having a true process (as opposed to an informal practice) for gathering, tracking and utilizing lessons-learned information. For many companies, there is room to improve here.

Third, the Evaluation Guidance also provides, in pertinent part, that prosecutors should ask the following about training: “Has the training addressed lessons learned from prior compliance incidents?” The challenge here is that in some companies, this sort of information may be considered bad for employee morale. But the same concern would be applied to many aspects of a compliance program. Moreover, training is perhaps the best way to reach the greatest number of employees with the substance of a lesson learned. Note that this is not easy to do over the long haul, but we can think of at least one company that managed to keep their lessons-learned communications robust for more than 20 years after a significant criminal offense.

Fourth, in the section on Continuous Improvement, Periodic Testing and Review, the Evaluation Guidance further provides that “[i]n evaluating whether a particular compliance program works in practice, prosecutors should consider ‘revisions to corporate compliance programs in light of lessons learned…’” (again citing the Justice Manual.) This section also provides that they should ask: “Does the company review and adapt its compliance program based upon lessons learned from its own misconduct and/or that of other companies facing similar risks?”

Here, too, the challenge for some companies is less a matter of what they are actually doing in practice and more one of creating and documenting appropriate procedures. This includes incorporating the importance of considering remedial measures into investigations guidelines and training, considering how remedial measures are documented and followed up on and reviewing periodically to ensure that remedial measures are appropriate and have, in fact, been implemented.

Looking beyond the specific expectations set forth in the Evaluation Guidance is the issue of what might be called the “culture of lessons learned.” Whether a company has such a culture depends partly in some instances upon what industry it is in, often for reasons having little or nothing to do with C&E. For instance, it is part of the culture of the civil engineering industry for companies to undergo detailed lesson-learned inquiries in the wake of significant problems in their work.

More importantly, however, the culture of lessons learned is dependent on the particular senior managers at an organization. It is they who must establish an understanding that lessons learned should be seen as valuable company assets that must be nurtured over the long term.

Perhaps most important, the lessons learned from senior management should go beyond the mechanics of the offense in question and explore potential underlying cultural causes. These include behavioral ethics knowledge that “we are not as ethical as we think we are,” the dangers of undue business pressure and the need for sufficient accountability. In particular, focusing on how extreme business pressure has contributed to otherwise ethical employees engaging in wrongdoing can be a particularly effective form of lessons learned.


Tags: DOJ
Previous Post

5 Ways to Champion Compliance Among Remote Teams During COVID

Next Post

Managing Risk with Contact Tracing as Part of a Back-to-Work Strategy

Jeff Kaplan and Rebecca Walker

Jeffrey M. Kaplan is a partner in the Princeton, New Jersey office of Kaplan & Walker LLP. He has specialized since the early 1990s in the practice of compliance- and ethics-related law, including assisting numerous companies in developing, implementing and reviewing C&E programs and conducting C&E risk assessments. He has also reviewed programs for many official bodies in connection with settlements of enforcement actions. He is the co-author of a C&E legal treatise, author of several e-books — including “Compliance & Ethics Risk Assessment” — and book chapters and many articles on C&E, a frequent speaker at C&E conferences, editor of the Conflict of Interest Blog and formerly an Adjunct Professor of Business Ethics at NYU’s Stern School of Business.
Rebecca Walker is a partner in the law firm of Kaplan & Walker LLP, a firm that specializes in corporate compliance and governance located in Santa Monica, California, and Princeton, New Jersey. For over 20 years, Rebecca has specialized in advising clients on the development and implementation of compliance programs. She has also served as a monitor for the Department of the Air Force and as an independent consultant, reviewing programs for the U.S. Securities and Exchange Commission. Rebecca is the author of “Conflicts of Interest in Business and the Professions: Law and Compliance,” published by Thomson West, as well as numerous articles and studies. She chairs the Practising Law Institute’s Compliance and Ethics Essentials Institute in New York and the Advanced Compliance and Ethics Workshop in San Francisco and serves on the Advisory Board of “Compliance and Ethics Professional” magazine. Rebecca received her B.A. from Georgetown University and her J.D. from Harvard Law School.

Related Posts

woman looking at horizon from mountain top

What’s on the Horizon for Anti-Corruption Enforcement?

February 25, 2021
cannabis leaf on $100 bill

The Intersection of EDD and Banking Cannabis

February 24, 2021
gold cup award on red background with stars

Ethisphere Announces the 2021 World’s Most Ethical Companies

February 23, 2021
illustration of hand holding flashlight illuminating hidden stairs

The Corporate Transparency Act: Pulling Back the Veil

February 23, 2021
Next Post
illustration of smartphone health virus tracking location app with people wearing protection face mask to prevent spread of coronavirus

Managing Risk with Contact Tracing as Part of a Back-to-Work Strategy

Access realtime data
Addressing systemic racism in the workplace SAI Global
Dynamic Risk Assessments with Workiva
Top 10 Risk and Compliance Trends

Special Coverage

Special COVID page graphic

Jump to a Topic:

anti-corruption anti-money laundering/AML Artificial Intelligence/A.I. automation banks board of directors board risk oversight bribery CCPA/California Consumer Privacy Act Cloud Compliance communications management Coronavirus/COVID-19 corporate culture crisis management cyber crime cyber risk data analytics data breach data governance decision-making diversity DOJ due diligence fcpa enforcement actions financial crime GDPR GRC HIPAA information security KYC/know your customer machine learning monitoring ransomware regtech reputation risk risk assessment Sanctions SEC social media risk supply chain technology third party risk management tone at the top training whistleblowing
No Result
View All Result

Privacy Policy

Follow Us

  • Facebook
  • Twitter
  • LinkedIn
  • RSS Feed

Category

  • CCI Press
  • Compliance
  • Compliance Podcasts
  • Cybersecurity
  • Data Privacy
  • eBooks
  • Ethics
  • FCPA
  • Featured
  • Financial Services
  • Fraud
  • Governance
  • GRC Vendor News
  • HR Compliance
  • Internal Audit
  • Leadership and Career
  • Opinion
  • Resource Library
  • Risk
  • Uncategorized
  • Videos
  • Webinars
  • Whitepapers

© 2019 Corporate Compliance Insights

No Result
View All Result
  • Home
  • About
  • Articles
  • Vendor News
  • Podcasts
  • Videos
  • Whitepapers
  • eBooks
  • Events
  • Jobs
  • Subscribe

© 2019 Corporate Compliance Insights