By Audrey Harris and Juliet Gunev

Law360 (June 30, 2020, 5:39 PM EDT) --

Audrey Harris

Juliet Gunev

Whenever enforcement agencies speak, they are sending a message — including a message about what they are seeing in their investigations — about risks, benchmarks and expectations.

The U.S. Department of Justice's edits in the June 1 update of the Evaluation of Corporate Compliance Programs[1] certainly do not scream big changes. They do, however, whisper a few key points that, rather than getting lost in a COVID-19 storm, may be even more relevant specifically because of the evolving COVID-19 risk environment.

This article provides a concise analysis of what these key changes are, why they are important now, and how companies can practically incorporate these updates into their programs to obtain additional value.

Effective Now Means Resourced and Empowered

In the first edit in the evaluation guidance, "implement effectively" is replaced with "adequately resourced and empowered to function effectively."

The second of three core criteria that the DOJ will consider now reads: "Is the Corporation's Compliance Program Adequately Resourced and Empowered to Function Effectively?" The relatively modest updates to the guidance that follow dedicate a significant portion of redlines to the message that resources and empowerment will be core metrics for evaluating program effectiveness.[2]

In describing subpar implementation, the guidance now adds "underresourced" as a characteristic to join "lax" and "ineffective." The section addressing compliance personnel's experience and qualifications has also been updated to include the question: "How does the company invest in further training and development of the compliance and other control personnel?" 

In addition, the new Data Resources and Access section asks: "Do compliance and control personnel have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring ... Do any impediments exist?" Compliance professionals would likely agree that this addition is also a resourcing point, as the systems and staffing needed to obtain meaningful data can often require additional budget lines.

After the initial COVID-19 impact, including furloughs and layoffs, many companies are now adjusting to new business models, future ways of working, and altered risk profiles. For a large number of companies, these adjustments may also mean business reorganization, functional optimization and cost cutting. A recent Wall Street Journal headline summed it up: "Compliance Layoffs, Budget Cuts Raise Prospect of Looser Internal Oversight."[3]

In these modest updates, the DOJ has handed company boards and senior management something to think about when approaching such functional optimization and cost cutting, and has provided chief compliance officers with advocacy data points, and a reminder that resourcing is another area for metric tracking and documenting their program's risk-based rationale.

While in this environment of changing risk and increasing corruption touch points, the case for maintaining or growing compliance resourcing may be clear, the reality for most companies will be that no function or area will be completely immune from the tightening of the budget belt.

In this environment, creative thinking and practical approaches become increasingly valuable in helping programs realize maximum resource impact. These approaches include identifying and utilizing:

• Cross-functional points of leverage and coordination;

• A broad compliance constituency;

• Trends in increasing nonfinancial risks that make the value and commercial case for compliance; and

• Strategies to build from a company's existing strengths.

Cross-Functional Points of Leverage and Coordination

Creativity and coordination are key in maximizing resource impact. Many company functions want to know, communicate or monitor many of the same things, whether in a company's supply chain, operations, or sales and marketing channels. The supply, health and safety, human resources, ethics and compliance, legal, group governance, communications, finance, risk, and audit functions have tremendous alignment. Identifying the common objectives and substantive touch points and systems may reveal significant opportunities to share data, information and resources.

Identify and Align a Broad Compliance Constituency

Looking and working cross-functionally can also assist in identifying alignment among a broader set of supporters within both the functions and business lines of a company. An internal support network can be quickly expanded and strengthened by proposing value-add opportunities via natural points of connection or alignment.

Increasing Nonfinancial Risks Make the Commercial Case for Compliance

The pre-pandemic rise of the stakeholder, corporate responsibility and reputational value have created a trend pulling nonfinancial risks squarely into the corporate consciousness. COVID-19 has put a spotlight on this trend, with the terminology of community impact and supply chain becoming common vernacular in pandemic reporting across the globe.

While some predicted that COVID-19 would result in consumers and regulators focusing less on how business is done, we have instead seen regulators, enforcers and other stakeholders continuing to expand and raise nonfinancial risk expectations. For example, in May, the European Union proposed the Mandatory Environmental & Human Rights Due Diligence law,[4] that joins its previous directive on whistleblower protections and aligns with the increasing environmental, social and governance expectations of investors, financiers and commercial banks.[5]

As a Harvard Business Review headline declared, "coronavirus is a wake-up call for supply chain management," and The Wall Street Journal observed that the "coronavirus pandemic could elevate ESG factors."[6] Civil society groups have also began tracking companies' COVID-19 responses, focusing on employee and community stakeholder impacts.[7]

In addition, COVID-19 created pressure on companies expediting logistics and delivery across jurisdictions, as well as increasing government spending and programs. These circumstances increase touch points for corruption, fraud and self-dealing. Enforcement authorities across the globe are responding with targeted investigations and task forces,[8] assisted by an increase in whistleblower reporting.[9]

Understanding and planning a company's approach to these increases in risk profile can help to make the commercial case for compliance as a competitive advantage and support the value of investing in compliance resourcing to enable business growth.

Look for Strategies That Build From a Company's Existing Strengths

A company's compliance program strengths can also be a baseline foundation for efficiently and effectively covering new and emerging risk areas. For example, a strong anti-corruption program can create a foundation for human rights risk mitigation. When companies start to map and align these nonfinancial risks holistically, they not only have a better view of the risk landscape, but can close gaps and address new emerging risks.

Documenting the "Why": Rationale and Risk-Based Decisions

Another repeating theme in the DOJ's evaluation guidance encourages companies to document why they make decisions and how they incorporate risk-based criteria into decision-making. The updates make clear that being able to evidence the contemporaneous "why" for a company's compliance program, transactions and third-party decisions is vital.

The recent additions to the guidance include a callout to prosecutors to "understand why the company has chosen to set up the compliance program the way that it has, and why and how the company's compliance program has evolved over time ... What are the reasons for the structural choices the company has made?" In the context of third-party transactions, the evaluation guidance now specifically queries "whether the company knows the business rationale for needing the third party in the transaction, and the risks posed by third-party partners."  

This message was also repeated in a recent DOJ, U.S. Securities and Exchange Commission and FBI virtual panel discussing enforcement efforts during the COVID-19 response. While recognizing the impacts upon companies, the enforcement panelists consistently emphasized that companies still need reasoned explanations for compliance decision-making throughout the crisis.[10]

The emphasis on documentation of risk-based rationale has practical application in the dynamic COVID-19 environment in decision-making around:

• Emergency or interim protocols and resources;

• Stretched supply chains;

• Remote working;

• Increased corruption touch points with changing trade requirements and government spending programs;

• Potential for increasing reliance on local third-parties due to travel restrictions; and

• Change in business models, business reorganizations and functional optimization.

A further relevant addition found in the evaluation guidance footnotes recognizes the increasingly global nature of laws (from privacy and blocking to employment and labor requirements) that multinational compliance programs must navigate. A new footnote calls on companies to document the "why" and "how" when relying on local law in structuring their program and making compliance decisions.[11]

The Goal: A Dynamic State of Continuous Improvement

There is no perfect compliance program, and there can be unintended collateral risks in thinking that there exists a static perfect state that, when reached, means a company will be done with compliance evolution. What companies should be aiming for, and what COVID-19 has made all the more important, is creating structures and ways of working that promote a dynamic state of continuous improvement. The DOJ guidance updates emphasize this key takeaway, with additions targeted at:

• Prioritizing active risk feedback loops;

• Tailoring and evolving training; and

• Learning from others. 

Prioritizing Active Risk Feedback Loops

When talking about risk assessment, the DOJ updated its evaluation guidance to ask if a company's "periodic review[s] [are] limited to a 'snapshot' in time or based upon continuous access to operational data and information across functions," and whether companies are incorporating "lessons learned either from the company's own prior issues or from those of other companies operating in the same industry and/or geographical region."

The DOJ's addition of language encouraging continuous feedback versus relying on stand-alone snapshot risk assessment is also particularly applicable in the COVID-19 compliance environment. Setting up and institutionalizing intentionally short and iterative feedback loops — to evaluate the changing risk landscape — can help keep a company's program aligned to its rapidly changing risk profile. These additions also emphasize the practical power of a company understanding changes to its risk profile in near-real time.

A company's industry, jurisdiction and business model create corruption risk touch points that drive a significant portion of its risk profile. If companies map their business and align against the lessons learned from investigations and overlapping risk touch points from their industry, jurisdictions and those with similar business models, they can create a baseline corruption risk profile.

In this dynamic environment, companies should also be asking: Have the company's highest short-term risk areas changed? Is that feedback being timely communicated and incorporated into targeted second- and third-line activities? Companies can gain value from structuring short-term milestone and continuous feedback loops to reassess controls, monitoring, review and audit plans, and to understand their changing profile — even short of formal risk assessment events.  

Tailoring and Evolving Training

The DOJ guidance updates acknowledge tailored approaches to training and encourage evaluating training impact on employee behavior. Another related update refers to tracking actual instances of policy access by company employees, an exercise that can also inform future training plans.

In the COVID-19 environment, with remote work or partial in-office protocols in place, companies should also ask: How does this affect the company's training approach, tools and allocations? Are the company's tools for policy access user-friendly and effective in this new environment? Have employees' policy access patterns changed with remote working or return-to-office environments?

Learning From Others

Learning from your own mistakes promotes survival; being alert and self-aware enough to learn from others' mistakes is a potential strategic advantage. The DOJ's updated evaluation guidance adds the question: "Does the company review and adapt its compliance program based upon lessons learned from its own misconduct and/or that of other companies facing similar risks?"

The guidance now makes clear that where a company in the same industry, operating in the same jurisdiction and with a like business model, is involved in an investigation, the DOJ will want to know how your company operates within these similar conditions without those same challenges.

While a company cannot prove the negative, it can ask these questions before enforcers do, and it can learn from others. Conducting practical internal proactive reviews can provide this type of strategic learning advantage and, where documented, can also prepare a company to answer potential future enforcement queries. Companies can design tailored and realistic review protocols to help answer related questions, including:  

• Could the fact pattern as described happen to my company?

• What about my company's program would prevent or detect the alleged misconduct?

• Does my company have any actual touch points to the other industry investigation?

Speak-Up Reporting: Communicate, Catch and Be Consistent

Updates to the DOJ evaluation guidance also focus on promoting speak-up behavior, being ready to timely and credibly respond to reporter concerns, and driving consistent conduct accountability. Edits to the guidance include a direction to test the operation of hotlines, whether employees are aware of confidential reporting methods and are actually comfortable using them. Companies also need to get ready to catch a change in the nature and escalation in volume of internal whistleblower, human resources and hotline reports — especially during this dynamic COVID-19 period.[12]

In a May 12 speech, the co-director of the SEC Division of Enforcement, Steven Peikin, reported that, "since mid-March, the staff has triaged more than 4,000 tips, complaints and referrals — a 35% increase over the same period last year," noting that "in that same period, it has opened hundreds of new investigations, many COVID-19-related, but many in other traditional areas."[13] And a recent Wall Street Journal article reported that tips to the SEC have surged as "working from home emboldens whistleblowers" and included whistleblower plaintiff counsel accounts of increased contact and complaint filings.[14]

The DOJ's additions to the evaluation guidance also encourage conduct accountability, by incorporating language inquiring about whether programs track their internal investigations and consistency of action and application of discipline. It may be a recognition that if there is a view among employees that the company applies "two sets of rules" — depending on who you are — it may also create conditions for increased employee ethical relativism or provide justification for making decisions that are not aligned to company values.

M&A Due Diligence and Integration: You Are What You Buy

Finally, the DOJ has also updated the section of the evaluation guidance regarding mergers and acquisitions to emphasize the importance of post-acquisition integration efforts. Edits include new references to the "process for timely and orderly integration of the acquired entity into existing compliance program structures and internal controls," and the addition of "post-acquisition audits at newly acquired entities."

Incorporating integration efforts into transaction planning and risk analysis from the outset is key to meeting the DOJ's expectations in this area, as is ensuring that the potential corruption risks associated with a target are included in the transaction decision-making.

The updates emphasize that the work is not complete once due diligence closes or the transaction is finalized. Rather, after closing is where the next phase of compliance work begins.

Once more information is accessible, the company should take steps to stabilize risk points and institute rigorous compliance processes, while also conducting inquiries into any identified historic and ongoing risk points highlighted in the due diligence. This will enable the acquiring company to potentially mitigate risks, including by availing itself of voluntary disclosure if historic issues are later detected.  

As businesses begin to adjust to their new business models and ways of working, we are likely to see companies looking to capitalize on growth opportunities. Proactive incorporation of holistic nonfinancial-risk due diligence and post-close integration into a company compliance program can both mitigate risk and add bottom-line value.  

Ultimately, while the updates to the evaluation guidance may not be new, loud proclamations, it is sometimes worth listening for the whispers in the midst of the storm. These quieter messages, when thoughtfully applied, are the bricks of value that can strengthen a company against the storm of today and the winds of tomorrow.

---

Audrey Harris is a partner at Mayer Brown LLP and co-chair of its global anti-corruption and FCPA practice. She is a former chief compliance officer at BHP.

Juliet Gunev is an associate at Mayer Brown.

The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm, its clients, or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.

[1] U.S. Department of Justice, Criminal Division, Evaluation of Corporate Compliance Programs (June 1, 2020), https://www.justice.gov/criminal-fraud/page/file/937501/download. This update follows the DOJ's release of the original guidance in February 2017, and a prior substantial update in April 2019.

[2] For our earlier article examining the nature of "effective compliance" and related strategies, see: https://www.mayerbrown.com/en/perspectives-events/publications/2019/11/effective-compliance-in-the-spotlight-roles-reality-and-real-life-suggestions.

[3] Kristin Broughton, Wall St. J. (May 25, 2020, 7:00 AM), https://www.wsj.com/articles/compliance-layoffs-budget-cuts-raise-prospect-of-looser-internal-oversight-11590404400?mg=prod/com-wsj.

[4] For a recent Mayer Brown update regarding these developments, see: https://www.mayerbrown.com/en/perspectives-events/publications/2020/05/business-and-human-rights-mandatory-human-rights-due-diligence-european-commission-to-introduce-a-legislative-initiative-by-2021.

[5] See, the UN Global Compact corporate sustainability initiative: https://www.unglobalcompact.org/; and the UN Principles on Responsible Investing: https://www.unpri.org/.

[6] Thomas Y. Choi, Dale Rogers and Bindiya Vakil, Harv. Bus. Rev. (March 27, 2020), https://hbr.org/2020/03/coronavirus-is-a-wake-up-call-for-supply-chainmanagement; Kristin Broughton and Maitane Sardon, Wall St. J. (March 25, 2020 4:18 PM), https://www.wsj.com/articles/coronavirus-pandemic-could-elevate-esg-factors-11585167518?mg=prod/com-wsj.

[7] See, e.g. The Covid-19 Corporate Response Tracker: How America's Largest Employers Are Treating Stakeholders Amid the Coronavirus Crisis, Just Capital, https://justcapital.com/reports/the-covid-19-corporate-response-tracker-how-americas-largest-employers-are-treating-stakeholders-amid-the-coronavirus-crisis/ (last visited June 23, 2020).

[8] E.g. Memorandum from William P. Barr, U.S. Attorney Gen., to All Heads of Department Components and Law Enforcement Agencies and All U.S. Attorneys, DOJ's Covid-19 Hoarding and Price Gouging Task Force (Mar. 24, 2020), https://www.justice.gov/file/1262776/download; and the World Bank's policy brief on Ensuring Integrity in Government's Response to Covid-19 (Apr. 28, 2020), http://documents.worldbank.org/curated/en/801501588782665210/Ensuring-Integrity-in-Governments-Response-to-COVID-19.

[9] See discussion of recent whistle-blower statistics addressed further below in this article.

[10] DOJ, SEC, and FBI Joint Virtual Town Hall Discussing FCPA and Healthcare Fraud Enforcement Efforts During Covid-19 Emergency, May 20, 2020, https://www.americanconference.com/fcpa-new-york/webinar/.

[11] See Evaluation Guidance, footnote 2: "Prosecutors should consider whether certain aspects of a compliance program may be impacted by foreign law. Where a company asserts that it has structured its compliance program in a particular way or has made a compliance decision based on requirements of foreign law, prosecutors should ask the company the basis for the company's conclusion about foreign law, and how the company has address the issue to maintain the integrity and effectiveness of its compliance program while still abiding by foreign law."

[12] See our earlier article regarding the role of Ethics & Compliance functions in helping their companies effectively navigate the challenges posed in the wake of the COVID-19 shutdown, including responding to changes in reporting and triage, see: https://www.law360.com/articles/1258164/addressing-ethics-and-compliance-risks-in-uncertain-times.

[13] Steven Peikin, SEC Co-Director, Division of Enforcement, Keynote Address: Securities Enforcement Forum West 2020 (May 12, 2020), https://www.sec.gov/news/speech/keynote-securities-enforcement-forum-west-2020.

[14] Mengqi Sun, Wall St. J. (June 1, 2020 5:30 AM), https://www.wsj.com/articles/tips-to-sec-surge-as-working-from-home-emboldens-whistleblowers-11591003800.

For a reprint of this article, please contact reprints@law360.com.