Corporate compliance and the Department of Justice’s continued enforcement
In late 2021, the Department of Justice (DOJ or Department) established the Corporate Crime Advisory Group with the goal of strengthening the DOJ’s corporate criminal enforcement program. Combating corporate crime continues to be an investigative priority for the Department. This is evidenced in the Deputy Attorney General’s October 2021 Memorandum - Corporate Crime Advisory Group and Initial Revisions to Corporate Criminal Enforcement Policies which emphasizes the Department’s commitment to protect the public, promote integrity in the markets, discourage unlawful business practices, and combat transnational corruption, through the prosecution of individuals and companies for criminal malfeasance.
A holistic approach
As part of its enforcement strategy, the DOJ has stated it will take a holistic approach to determine whether a company has implemented appropriate internal controls and created a culture that discourages criminal activity. An effective corporate compliance program is paramount in the DOJ’s determination of whether to move forward with criminal prosecution. As Assistant Attorney General Kenneth A. Polite Jr. stated in his remarks at the NYU Law Program on Corporate Compliance and Enforcement in March 2022, “that is why we closely evaluate corporate compliance programs during our corporate investigations and after our corporate resolutions and give significant credit to companies that build strong controls to detect and prevent misconduct.” In conducting a corporate investigation, the DOJ evaluates the design, implementation, and effectiveness of the internal controls and compliance systems that an organization uses to prevent and detect illegal activity.
Beyond just the policies and controls
More importantly, the DOJ looks beyond just the existence of policies, procedures, and controls. Effective risk management must include an organization’s ability to adapt and change. This is measured through continuous monitoring of the organization’s risk and adjusting the organization’s strategy and compliance program to manage the identified risks as the process requirements change. In doing so, companies must regularly update risk assessments and assess operating environments, products, and services, to match the changing risk landscape and the organization’s risk tolerance. Additionally, companies must adequately train their staff to understand the policies, procedures, and high-risk elements of the company’s business model and have mechanisms to report policy violations or illegal activity. Similarly, the compliance department must have sufficient resources and be empowered to effectively function.
Risk management is much more than personnel, policies, and funding. It is a culture of governance and responsibility that starts from a “tone at the top”. Accordingly, management must engage all stakeholders including the board of directors. This in turn helps build transparency and a culture that is attuned to identifying and managing risk. As noted in the Committee of Sponsoring Organizations of the Treadway Commission (COSO) 2004 Enterprise Risk Management-Integrated Framework, “value is maximized when management sets strategy and objectives to strike an optimal balance between growth and return goals and related risks, and efficiently and effectively deploys resources in pursuit of the entity’s objectives.”
Companies must not only demonstrate a commitment to compliance and ethics but also must show knowledge and ownership of the compliance program. When things go wrong as they eventually do, those companies that have effectively deployed capabilities to conduct independent monitoring and testing of more than just their financial controls (e.g., testing the effectiveness of training), consistently work to improve the compliance program and have created a compliance culture that will set themselves apart from those who simply check the box.
For a more robust discussion on this topic, or to learn how Baker Tilly can assist your compliance program, contact our team.
