The modern era of corporate compliance began on November 1, 1991, when the Federal Sentencing Guidelines for Organizations (the “FSGO”) – the first set of general standards for assessing the efficacy of what were then called “program[s] to prevent and detect violations of law” – went in effect. Since then, the Department of Justice (the “DOJ”) and other governmental bodies in the US and elsewhere have built upon the FSGO approach to compliance and ethics (“C&E”) program evaluation criteria.
The latest chapter in this story unfolded on April 30, 2019, when Assistant Attorney General Brian Benczkowski announced the publication of an updated and expanded version of the Evaluation of Corporate Compliance Programs (“the 2019 Guidance”), superseding an evaluation criteria document published in 2017 by the DOJ. The 2019 Guidance – available here – does not revise the DOJ’s particular criteria for evaluating C&E program efficacy in any material way. But overall it is more comprehensive than anything of its kind that has come before.
In this post we provide a brief overview of the 2019 Guidance and initial thoughts on what the document means for program assessment.

    The 2019 Guidance

The 2019 Guidance is structured around three “fundamental questions”:
• “Is the Corporation’s Compliance Program Well Designed?”
• “Is the Corporation’s Compliance Program Being Implemented Effectively?”
• “Does the Corporation’s Compliance Program Work in Practice?”
For each of these fundamental questions, prosecutors are provided with various topics and questions. For the design question, these topics and questions concern C&E risk assessment, policies and procedures, training and communications, confidential reporting structure and investigation process, third-party management and mergers and acquisitions. For the implementation question, they concern commitment by senior and middle management (including conduct at the top), program autonomy and resources, and incentives and disciplinary measures. For the third fundamental question the topics and questions concern continuous improvement, periodic testing and review, investigation of misconduct, and analysis and remediation of any underlying misconduct.
The various topics and questions are – in our view – quite good, and some can be considered state of the art in the C&E field. There are far too many of these to cover in this post, and C&E professionals should of course read the original. But to give a flavor of the document, we note the following from the risk assessment section, which states, among other things: “Prosecutors may credit the quality and effectiveness of a risk-based compliance program that devotes appropriate attention and resources to high-risk transactions, even if it fails to prevent an infraction in a low-risk area.” This is an important point, as it should provide an extra incentive for conducting robust risk assessments to those companies that have felt that conducting risk assessments is often a feckless exercise given that it is impossible to identify all conceivable risks. This section also charges prosecutors with asking: “What methodology has the company used to identify, analyze, and address the particular risks it faces?” We think this is important because too few companies consider whether their methodologies are in fact “fit for purpose.” Finally, this section also has well-thought-out topics and questions regarding risk-tailored resource allocations and updates and revisions to the program.

Assessments under the 2019 Guidance

Given the considerable thought and effort that the DOJ put into drafting this document, a company (at least one doing business in the US) would be hard-pressed to ignore it in designing, enhancing or assessing a C&E program. Indeed, in a speech given the day the 2019 Guidance was published (available here , Mr. Benczkowski noted that the document was drafted not only for use by prosecutors but also by companies.
Of course, there are other models of program evaluation criteria available, some of which are quite good. But in an investigation, it is the 2019 Guidance that will frame the discussion with DOJ, and this should be considered when deciding on an assessment methodology.