Is Your Compliance Program Up to Date? DOJ Expects Companies to Learn from Others’ Mistakes
By:
For years, companies evaluated their compliance programs primarily by examining internal misconduct, prior investigations, and audit findings. Increasingly, however, the Department of Justice (“DOJ”) expects companies to go further to ensure compliance. Under the DOJ’s Evaluation of Corporate Compliance Programs (“ECCP”), prosecutors are directed to assess whether a company incorporates lessons learned not only from its own misconduct, but also from misconduct occurring within its industry, geographic region, and among similarly situated organizations. The message is simple: compliance programs should not be static and companies that fail to adapt to known risks may face difficult questions if those same risks ultimately result in an investigation.
The Evolution of Compliance Expectations
DOJ has repeatedly emphasized that effective compliance programs are “living” systems that evolve as risks change. Increasingly, prosecutors are evaluating whether organizations regularly update their controls, training, policies, and monitoring efforts in response to emerging enforcement trends and public enforcement actions. In practical terms, regulators may ask the following key questions:
- Did the company identify enforcement trends affecting its industry and update policies accordingly?
- Did management communicate emerging risks to employees through training and other types of communications?
- Were lessons from peer-company misconduct incorporated into compliance training?
- Were controls tested against newly identified risk?
Companies that cannot adequately answer these questions may find it difficult to demonstrate their compliance programs were reasonably designed to prevent misconduct.
Why This Matters
Many high-profile enforcement actions involve risks that are well known throughout an industry long before regulators intervene. Examples include third-party corruption risks, export control violations, sanctions compliance failures, supply-chain fraud, trade and customs violations, cybersecurity-related disclosure failures, and inadequate anti-money laundering controls. When enforcement actions become public, regulators often expect industry participants to review such actions and evaluate whether similar vulnerabilities exist within their own organizations. In other words, once a risk becomes widely known, companies may have a more difficult time arguing that the risk was unknown or could not have been foreseen.
What Prosecutors May Ask Following an Investigation
When a company becomes the subject of a government investigation involving a risk that has already resulted in multiple public enforcement actions against competitors, regulators or prosecutors are likely to ask the following questions:
- Was management aware of prior enforcement actions and did the company assess whether similar conduct could occur internally?
- Were controls appropriately enhanced following those enforcement actions?
- Did compliance personnel brief senior leadership and/or the board of directors?
- Was employee training updated in accordance with the newly understood risk(s)?
The answers to these questions may influence how regulators or prosecutors assess the effectiveness of the company’s compliance program.
Compliance Programs Should Include “External Lessons Learned”
Many organizations maintain robust processes for reviewing internal audit findings and internal investigations. Fewer, however, maintain a structured process for understanding and learning from external compliance developments. In this regard, companies should consider implementing a formal process that includes the following elements:
- Tracks regulatory enforcement actions affecting the organization’s industry.
- Monitors significant federal and state enforcement-action settlements relevant to the organization’s operations.
- Incorporates recent enforcement examples into periodic compliance training rather than relying exclusively on generic hypothetical scenarios.
- Provide regular briefings to the board of directors that include summaries of significant enforcement developments affecting the company’s risk profile.
Understanding enforcement trends, especially as they affect peer companies, can be a very effective way to stay ahead of potential compliance problems.
A Board-Level Issue
The expectation that companies remain informed about external compliance developments increasingly intersects with board oversight responsibilities. Directors do not need to review every enforcement action. However, boards should receive sufficient information to understand significant regulatory developments affecting the business and evaluate management’s response. Organizations that regularly discuss external enforcement developments at compliance committee, audit committee, or board meetings may be better positioned to demonstrate active oversight if regulators later examine the effectiveness of their compliance programs.
Key Takeaway
DOJ’s compliance guidance reflects a growing expectation that companies actively learn from the mistakes of others. An effective compliance program is not merely one that responds to internal misconduct—it is one that anticipates known risks and adapts before those risks materialize. Companies that systematically monitor industry enforcement trends and adjust their compliance programs accordingly will be better positioned to prevent misconduct and demonstrate compliance effectiveness if regulators come calling.
Author
-
Gregory A. Brower is Co-Chair of Brownstein Hyatt’s Government Investigations White Collar Defense practice group. Prior to returning to the firm, Greg served as Chief Global Compliance Officer for Wynn Resorts. His career in public service includes positions as Nevada’s top federal prosecutor, an FBI senior executive, Inspector General for the U.S. Government Publishing Office, and chairman of the Judiciary Committee of the Nevada State Senate. He is a member of WLF’s Legal Policy Advisory Board.
- Learn More