What Contractors Should Know about DOJ’s Revised Guidance on Evaluations of Corporate Compliance

Brian S. Gocial and Stephanie M. Harden

As government contractors know well, a robust compliance program can be critical—both in preventing, detecting, and resolving compliance problems and in working with agencies and/or the Department of Justice (“DOJ”) to resolve compliance issues when they arise. Though DOJ has previously issued guidance on how it evaluates corporate compliance programs, on April 30, 2019, it greatly expanded upon its earlier guidance with a lengthy new guidance document. The document is notable for its emphasis not just on the design of compliance programs, but also on their effectiveness in practice. The document is a useful benchmark for contractors to evaluate their compliance programs, as well as to demonstrate their affirmative responsibility to agencies when facing agency-level investigations.

The guidance document focuses on three central questions:

  1. Is the corporation’s compliance program well designed?
  2. Is the corporation’s compliance program implemented effectively?
  3. Does the compliance program actually work in practice?

The following outline provides a summary of the various factors DOJ discusses in connection with each of these questions—and more information on each topic can be found here.

Contractors should assess how their own compliance programs measure up against these factors:

  1. Is the corporation’s compliance program well designed?
    • Risk Assessment
      • Risk Management Process: Has the company identified, assessed, and defined its risk profile?
      • Risk-Tailored Resource Allocation: Is the company’s compliance program appropriately tailored to its risk profile?
      • Updates and Revisions: Is the company’s compliance program periodically updated in light of lessons learned?
    • Policies and Procedures
      • Does the company have a Code of Conduct?
      • Does the company have policies/procedures that incorporate a culture of compliance into operations?
    • Training and Communications
      • Risk-based Training—e.g., Does training adequately cover prior compliance issues?
      • Form/Content/Effectiveness of Training
      • Communications about Misconduct
      • Availability of Guidance
    • Confidential Reporting Structure and Investigation Process
      • Effectiveness of the Reporting Mechanism—e.g., Is there an anonymous/confidential reporting system? Are whistleblower protections in place?
      • Properly Scoped Investigations by Qualified Personnel—e.g., How does the company ensure investigations are independent, objective, and documented?
      • Investigation Response—e.g., Is the response timely? Does the company monitor the outcome of the investigation?
      • Resources and Tracking of Results
    • Third Party Management
      • Risk-based and Integrated Processes
      • Appropriate Controls—e.g., What diligence does the company do prior to contracting with a third party?
      • Management of Relationships—e.g., How does the company monitor third parties? Does the company have audit rights and has it exercised those rights?
      • Real Actions and Consequences—e.g., Are “red flag” issues tracked and addressed?
    • Mergers & Acquisitions
      • Due Diligence Process
      • Integration in the M&A Process
      • Process Connecting Due Diligence to Implementation

2. Is the corporation’s compliance program being implemented effectively?

    • Commitment by Senior and Middle Management
      • To what extent has the company’s top leaders—the board and executives—set high-level commitment to culture of ethics and compliance?
      • To what extent has middle management reinforced the standards set by the top leaders?
      • What oversight mechanisms are in place and how active are top leaders in oversight?
    • Autonomy and Resources
      • Structure—e.g., To whom does the compliance function report? At what level is it housed?
      • Seniority and Stature—e.g., How are compliance personnel treated compared to others in terms of statute, compensation, rank, title, etc.?
      • Experience and Qualifications
      • Funding and Resources—e.g., Has the company devoted appropriate resources to train and audit compliance personnel?
      • Autonomy—e.g., Do compliance personnel have direct report to Board of Directors or audit committee?
      • Outsourced Compliance Functions—e.g., If the compliance function has been outsourced, who oversees it? How does the company measure effectiveness?
    • Incentives and Disciplinary Measures
      • Human Resources Process—e.g., Is the same process followed regardless of misconduct? Who participates?
      • Consistent Application of Disciplinary Measures
      • Incentive System—e.g., Does the company incentivize ethical behavior?

3. Does the Corporation’s Compliance Program Work in Practice?

    • Continuous Improvement, Periodic Testing, and Review
      • Internal Audit—e.g., How frequent? What issues identified? Any reports to management and board?
      • Control Testing—e.g., Has company reviewed/audited compliance in connection with misconduct?
      • Evolving Updates—e.g., How often does the company update its risk assessments/policies/procedures? When was last gap analysis performed?
      • Culture of Compliance—e.g., How does company measure culture?
    • Investigation of Misconduct
      • Properly Scoped Investigation by Qualified Personnel
      • Response to Investigations—e.g., How does company respond? Is senior leadership informed?
    • Analysis and Remediation of Any Underlying Misconduct
      • Root Cause Analysis—e.g., Has company identified root cause of misconduct?
      • Prior Weaknesses—e.g., What controls failed? Were policies effectively implemented?
      • Payment Systems—e.g., How was misconduct funded? What processes could have prevented improper use of funds? Have processes been improved?
      • Vendor Management—e.g., Process for vendor selection and diligence related thereto?
      • Prior Indications—e.g., Prior opportunities to detect misconduct?
      • Remediation—e.g., What measures has company taken to reduce risk of recurrence?
      • Accountability—e.g., What disciplinary actions were taken? Were they timely? Managers held responsible for misconduct under their supervision? How many terminations?