DOJ Explains What It Wants from a Compliance Program

While it may not prevent all violations, the right compliance program can help your lab get lighter penalties if things go wrong. But what exactly is "the right compliance program." On April 30, the DOJ issued new internal guidance that goes a long way in answering that question. Bottom line on top: Just having a compliance program isn't enough; to win credit, you must be able to show that you actually execute it in both action and principle. 

What's At Stake 

The so called Evaluation of Corporate Compliance Programs (Guidance) summarizes how the DOJ will evaluate whether a lab had an effective compliance program at the time it committed an offense. This evaluation will directly affect the DOJ's decision on what to do about your case—bring charges, negotiate a plea deal, charge you a lighter penalty, require you to enter a corporate integrity agreement, etc. 

The Guidance lists the "fundamental questions" DOJ attorneys will ask when evaluating your compliance program: 

• Is the compliance program well designed?
• Is the program being applied effectively, i.e., earnestly and in good faith?
• Does the compliance program work in practice? 

Using the Guidance to Vet Your Own Compliance Program 

The Guidance is a godsend because it enables you to evaluate whether your lab's own compliance program would meet DOJ standards. Let's go through the four questions you should ask in doing your vetting.

1. Do You Have a "Culture of Compliance"? 

Before getting into the compliance program document, take a step back and examine whether your lab has what the Guidance calls a "culture of compliance and ethics." The Guidance makes it clear that the "tone" for compliance must be set at the most upper levels of management and the board of directors. Leadership must communicate a high level of commitment to implementing such a culture of compliance from the top down. This includes the development of policies and procedures enforced by middle management and the education and training of staff. DOJ also warns that it will look to how senior leaders, through their words and actions, have encouraged or discouraged compliance.

2. Is Your Compliance Program "Well Designed"? 

Next, make sure your compliance program contains all the elements the Guidance lists as essential to being "well-designed," including: 

• A robust risk assessment process;
• Appropriate and updated policies and procedures;
• Tailored training and communications;
• A confidential reporting structure and investigation process; and
• The application of risk-based due diligence to its third-party relationships. 

Additionally, DOJ emphasizes that comprehensive due diligence of any acquisition targets must be done warning that "flawed or undetected due diligence can allow misconduct to continue at the target company."

3. Is Your Implementation Effective? 

Effective implementation, the Guidance explains, requires that those charged with day-to-day oversight of the compliance program have appropriate autonomy and resources to act with adequate authority and stature. DOJ attorneys will look at the sufficiency of personnel and resources within the compliance function by evaluating whether those responsible for compliance have: 

• Sufficient seniority within the organization;
• Sufficient staff and resources to effectively undertake the requisite auditing, documentation and analysis functions; and
• Autonomy from management and direct access to the board of directors or its audit committee. 

Internal audit functions must be conducted "at a level sufficient to ensure their independence and accuracy." In addition, incentives should be established for compliance and disincentives for noncompliance. Disciplinary actions and incentives should be applied are fairly and consistently across its organization.

4. Does Your Compliance Program "Work in Practice"? 

The DOJ will rely on the following factors to judge whether a compliance program works in practice: 

• Whether there's continuous improvement, periodic testing and review of the program;
• The frequency of internal audits, testing and review;
• The timeliness and comprehensiveness of investigations of allegations or suspicions of misconduct;
• The documentation of any findings, including documentation of any disciplinary or remediation measures taken; and
• The extent to which a thoughtful root cause analysis of misconduct is conducted and whether there's a timely and appropriate method to address the root causes.

Takeaway: Don't Fall in Love with the Document

Although the writing is important, there's much more to a compliance program than the actual document. That's the upshot of the Guidance and it reiterates previous DOJ previously warnings against "paper compliance programs," i.e., those not backed with adequate:

• Staffing to audit, document and analyze compliance efforts; and
• Training and notification of employees about the compliance program and the lab's commitment to it.