Corporate criminal liability; the impact of an effective compliance program
An effective compliance program is essential for any business and it needs to be strong, both on paper and in practice. It addition to providing measures to assist companies to prevent, detect and respond to violations of laws and regulations, such programs have an important role to play as part of any defence against corporate criminal investigations and prosecutions.
The Evaluation of Corporate Compliance Programs (the "Guidance") published earlier this year by the US Department of Justice (the "DOJ") provides practical examples on how the DOJ evaluates corporate compliance programs within the context of criminal investigations.
Given the extraterritorial effect of the US Foreign Corrupt Practices Act's (the "FCPA") the Guidance will be directly applicable to many Norwegian companies. Even in the absence of any US nexus, the Guidance serves as a useful tool for companies to evaluate the effectiveness of their compliance programs and to identify opportunities for improvement.
The content of the Guidance does not significantly differ from prior guidance issued by the DOJ, the U.S. Sentencing Commission (the Federal Sentencing Guidelines) and other organisations such as the OECD. However, the format of the Guidance is different as it provides companies with a more hands-on and process-oriented set of practical questions which provide an understanding of the DOJ's expectations for effective corporate compliance programs.
The Guidance sets out 11 key compliance evaluation topics and lists 119 questions that the DOJ may routinely ask when assessing the quality and effectiveness of a company's compliance program. The topics covered are as follows:
- Analysis and remediation of underlying conduct
- Senior and middle management
- Autonomy and resources
- Policies and procedures
- Risk assessment
- Training and communication
- Confidential reporting and investigation
- Incentives and disciplinary measures
- Continuous improvement, periodic testing and review
- Third party management
- Mergers and acquisitions
For each topic, the sample questions are designed to look behind a company’s compliance program on paper and evaluate how the program has been effectively implemented, updated and enforced in practice.
When assessing whether a company has embedded compliance into its culture, the DOJ, for example, focus on (1) the integration of compliance into the business operations, (2) the dynamics of the compliance program, (3) the company’s processes for lessons learned and (4) autonomy and resources of the gate keepers.
- Integration of compliance into business. The compliance program is expected to be fully integrated into the operations of the company, from the board room to the work floor. By way of example compliance policies and procedures must be effectively incorporated into a company’s financial systems, approval processes and control matrix.
- Dynamic Program. The compliance program must be continuously improved based on a continual review and assessment of external risk factors and any growth or changes in the business. Testing and auditing is expected to be performed regularly and adjustments to the program made accordingly.
- Lesson learned and accountability. Anyalleged misconduct must be investigated appropriately and in the event that allegations are substantiated the individuals responsible, including managers, are to be held accountable. The questions also focus on whether the company is seeking to learn from prior compliance wrongdoings and correcting system failures.
- Autonomy and Resources. The compliance function has to be independent and autonomous and supported by adequate resources. The level of resources dedicated to compliance needs to reflect the size, complexity and risks being faced by the company. The questions focus on what role compliance plays in the company's strategic and operational decisions and access that the compliance function's has to key-decision makers within the company.
In short the Guidance reinforces the DOJ's message that an effective compliance program on paper is not sufficient and that close attention will be paid to the active steps a company takes in order to develop a corporate compliance culture.
The Guidance provides a genuine and helpful opportunity to Norwegian companies to assess elements of their key compliance programs by testing them against clear practical questions. The Guidance also provides a helpful best practice guide which is important for companies in Norway and worldwide given the increasing risk of corporate criminal liability in various jurisdictions.