The DOJ has issued revisions to its Guidance on evaluating corporate compliance programs while corporations are responding to unprecedented disruption in their businesses. Reed Smith’s Jennifer Jordan and Thomas Suddath, Jr. discuss what companies can reasonably do now to forestall critical review in future investigations.
Corporations large and small are trying to turn on a dime to react to new workplace and business realities. Many had crisis response teams in place to anticipate turmoil in national events and business threats. When the time comes, looking back on the events of 2020 will provide many businesses with the opportunity to reflect on how well they responded and lessons for the future. But amidst the chaos, what can compliance professionals do now to ensure that their reasonable responses will be favorably scrutinized should the government investigate? With $2 trillion in government spending in response to the pandemic, there are certain to be future federal regulatory, congressional and prosecutorial scrutiny into compliance, as well as a rash of new whistleblower allegations.
On June 1, 2020, the DOJ issued revised Guidance for prosecutors to consider when evaluating a corporate compliance program as a factor informing their prosecutorial discretion and decision-making. There were no seismic shifts in how prosecutors should evaluate compliance programs, but it does offer a window into how companies can prepare now for later scrutiny.
Below are five ways you can use the new Guidance to ameliorate any downstream reviews of your compliance programs during the current environment of precariousness and corporate anxiety.
1. Be Yourself
Like the prior version, the updated Guidance emphasizes the individualized inquiry that all prosecutors should undertake in any investigation. These are not one-size-fits-all undertakings, providing both prosecutors and corporations with needed flexibility to consider and argue not only the circumstances of the conduct, but also the real-world considerations that go into any compliance program.
In its preamble, the revised Guidance notes:
“[w]e make a reasonable, individualized determination in each case that considers various factors including, but not limited to, the company’s size, industry, geographic footprint, regulatory landscape and other factors, both internal and external to the company’s operations, that might impact its compliance program.”
Nevertheless, industry norms do matter. Comparing and evaluating a compliance program against competitors in the industry is an important way of benchmarking an effective program. That might be more difficult right now, as competitors are all facing a mixed bag of issues in the current environment. A company’s physical location, product/service categories and nationwide/international reach will have had a real impact on its business response to the pandemic. Some corporations changed their manufacturing to provide emergency medical supplies and equipment, while others were located in places like New York that were most impacted by the virus. Other international corporations had to react sooner because the pandemic was hitting their operations in Asia or Europe. That said, expect your peers to be re-evaluating their systems and controls to respond to these new challenges, and it helps to pay attention to how the changes in your industry are trending. While it is important to be yourself, the government will have a sense of industry “best practices,” and if your company is under investigation, it does not behoove you to fall below expectations.
2. Document Your Decision-Making and Unique Issues
If there comes a time in the future when you are called upon to defend the compliance decisions or adjustments that were required in the moment, real-time documentation of specifics of how the pandemic was impacting your business will be more meaningful than after-the-fact justifications. Keep your language clear that the decisions being made are directly responsive to the situation.
When making any changes to your compliance program, a question certain to arise is why the change was made and how the company believed that the change would improve the program. Documenting these decisions gives the company solid evidence of its good-faith efforts based on the information and circumstances at the time.
3. Don’t Make Compliance Resource Reductions Permanent
The revisions to the Guidance direct prosecutors to consider the resources devoted to compliance, as well as its effectiveness. So many administrative functions across corporations are shrinking as economic pressures increase; it may be that compliance resources are among those subject to reduction. In highly regulated industries, such as banking and health care, the manner in which the reductions are made should be commensurate with short-term administrative reductions. These business realities may not be avoidable, but corporations do not want to be accused of devaluing the compliance function.
Take, for example, a company that has an extensive outside sales force whose work may be eliminated or curtailed. The compliance function that monitors that sales force may therefore be reduced as result. On the optimistic view that this sales force will be back when safe and effective to return, the compliance function resources dedicated to that segment of the business should likewise return to pre-pandemic levels. Prosecutors will no doubt be looking out for companies taking advantage of emergency responses to take on more risk to improve the bottom line. Having a justifiable reduction in compliance resources now will not be considered a valid excuse for later misconduct that goes undetected. Prioritizing compliance to the same level cannot change, even if compliance resources are proportionally reduced.
4. Follow the Business Today
“Prosecutors should endeavor to understand why the company has chosen to set up the compliance program the way that it has, and why and how the company’s compliance program has evolved over time.” Prosecutors are to look to how the company continually updates its risk assessment. “Is the periodic review limited to a ‘snapshot’ in time, or based upon continuous access to operational data and information across functions? Has the periodic review led to updates in policies, procedures and controls? Do these updates account for risks discovered through misconduct or other problems with the compliance program?”
When your business emphasis shifts, so should your compliance priorities. Companies rely on their robust compliance programs to avoid or lessen the impact of any investigated misconduct. But building those compliance programs required the company to tailor the programs to the substance and scope of their business, as well as their risk assessments. When those core businesses change to react to the pandemic and any new risks, compliance adjustments may not be prioritized.
Having compliance leaders actively and meaningfully involved in business shifts and pivots will assure companies that the compliance function is informed and able to respond appropriately. Businesses that relied upon employees to be physically present may have shifted to online work arrangements. Likewise, what had been live, in-person compliance training will now have to become virtual. Having compliance involved in those decisions will give the compliance function an opportunity to adjust accordingly without there being an unexplained or unjustified lapse in training.
5. Keep Track of What Is Keeping Employees Up at Night
One of the revisions to the Guidance with respect to policies and procedures is whether a company is tracking the policies employees are turning to. “Have the policies and procedures been published in a searchable format for easy reference? Does the company track access to various policies and procedures to understand what policies are attracting more attention from relevant employees?”
In times of uncertainty, as employees are being asked to stretch their comfort levels with new ways of doing business, an effective compliance program will be easily accessible to employees so they can get the guidance they need to make business decisions in the new environment. If a company can track which policies are getting the most attention, that could raise a flag to business leaders and compliance officers to either revisit those policies or push out emphasized guidance in those areas. When employees may not want to rock the boat by raising their hands to supervisors about an issue, this is one way to ferret out a business risk and head it off before it leads to any misconduct.
As corporations around the world are working to right the ship and pivot in the face of worldwide disruption, the Guidance provides opportunities for prosecutors to consider these circumstances when evaluating a company’s compliance program later in time. Taking affirmative steps now to keep compliance programs current and flexible may provide powerful evidence to counter future scrutiny in the face of alleged misconduct.
Jennifer Jordan is a member of the Global Regulatory Enforcement group at 
Thomas H. Suddath, Jr. is a former federal prosecutor and a partner in the firm’s Global Regulatory Enforcement group in Philadelphia. He has extensive experience counseling clients in the design, implementation and enhancements of corporate compliance programs in the health care sector and other industries. Tom has defended companies in criminal and civil litigation and investigations, including matters involving the False Claims Act, the Foreign Corrupt Practices Act, the Anti-Kickback Statute and the Sherman Act. He also handles national and international internal investigations on behalf of life science companies and energy and natural resource industries.
