Compliance Perspectives: Use New DOJ Criteria to Vet the Effectiveness of Your Lab Compliance Program

One of the primary responsibilities of a lab manager is to ensure that the lab’s compliance program is effective. There’s a lot on the line. Having an effective compliance program can help prevent violations that can get your lab into legal hot water; and if things do go wrong, it can keep the resulting penalties to a minimum and may even enable you to avoid penalties altogether.  There’s just one little problem. How do you know exactly what makes a compliance program “effective”?

Wouldn’t it be nice if the government actually came out and told you what it wants from your compliance program? Well, guess what: they just did. It happened on April 30, when the DOJ issued new internal guidance that explains what makes a compliance program effective. And since they’re the ones who make that determination in actual cases, you’d be well advised to go to school on what the guidance says. Specifically, you should use the criteria the DOJ lays out to vet your own compliance program. Here’s how to do that.

Why the Guidance Is So Important

The so called Evaluation of Corporate Compliance Programs (Guidance) summarizes how the DOJ will evaluate whether a lab had an effective compliance program at the time it committed an offense. This evaluation will directly affect the DOJ’s decision on what to do about your case—bring charges, negotiate a plea deal, charge you a lighter penalty, require you to enter a corporate integrity agreement, etc. The Guidance actually lists the “fundamental questions” DOJ attorneys will ask when evaluating your compliance program to determine how hard to come down on your lab:

• Is the compliance program well designed?
• Is the program being applied effectively, i.e., earnestly and in good faith?
• Does the compliance program work in practice?

Using the Guidance to Vet Your Own Compliance Program

Bottom line on top: Just having a compliance program isn’t enough; to win credit with the DOJ, you must be able to show that you actually execute it in both action and principle. Let’s go through the four questions you should ask in vetting your own compliance program against this imperative:

1. Do You Have a “Culture of Compliance”?

Before getting into the compliance program document, take a step back and examine whether your lab has what the Guidance calls a “culture of compliance and ethics.” The Guidance makes it clear that the “tone” for compliance must be set at the most upper levels of management and the board of directors. Leadership must communicate a high level of commitment to implementing such a culture of compliance from the top down. This includes the development of policies and procedures enforced by middle management and the education and training of staff. DOJ also warns that it will look to how senior leaders, through their words and actions, have encouraged or discouraged compliance.

2. Is Your Compliance Program “Well Designed”?

Next, make sure your compliance program contains all the elements the Guidance lists as essential to being “well-designed,” including:

• A robust risk assessment process;
• Appropriate and updated policies and procedures;
• Tailored training and communications;
• A confidential reporting structure and investigation process; and
• The application of risk-based due diligence to its third-party relationships.

Additionally, DOJ emphasizes that comprehensive due diligence of any acquisition targets must be done warning that “flawed or undetected due diligence can allow misconduct to continue at the target company.”

3. Is Your Implementation Effective?

Effective implementation, the Guidance explains, requires that those charged with day-to-day oversight of the compliance program have appropriate autonomy and resources to act with adequate authority and stature. DOJ attorneys will look at the sufficiency of personnel and resources within the compliance function by evaluating whether those responsible for compliance have:

• Sufficient seniority within the organization;
• Sufficient staff and resources to effectively undertake the requisite auditing, documentation and analysis functions; and
• Autonomy from management and direct access to the board of directors or its audit committee.

Internal audit functions must be conducted “at a level sufficient to ensure their independence and accuracy.” In addition, incentives should be established for compliance and disincentives for noncompliance. Disciplinary actions and incentives should be applied are fairly and consistently across its organization.

4. Does Your Compliance Program “Work in Practice”?

The DOJ will rely on the following factors to judge whether a compliance program works in practice:

• Whether there’s continuous improvement, periodic testing and review of the program;
• The frequency of internal audits, testing and review;
• The timeliness and comprehensiveness of investigations of allegations or suspicions of misconduct;
• The documentation of any findings, including documentation of any disciplinary or remediation measures taken; and
• The extent to which a thoughtful root cause analysis of misconduct is conducted and whether there’s a timely and appropriate method to address the root causes.

Takeaway: Don’t Fall in Love with the Document

Although the writing is important, there’s much more to a compliance program than the actual document. That’s the upshot of the Guidance and it reiterates previous DOJ previously warnings against “paper compliance programs,” meaning those not backed with adequate:

• Staffing to audit, document and analyze compliance efforts; and
• Training and notification of employees about the compliance program and the lab’s commitment to it.