Three Questions for Evaluating the Effectiveness of a Compliance Program

Aug 19, 2021

Seattle U Law faculty member Professor Frank DiMarino, JD, LL.M., served as an assistant United States attorney for 18 years, presenting cases before the U.S. District and Appeals Courts while prosecuting corporations and individuals for crimes such as wire and bank fraud, money laundering, embezzlement, and tax evasion. Professor DiMarino oversaw corporate compliance programs as part of criminal sentences under the United States Sentencing Guidelines.

We spoke with Professor DiMarino about guidance from the U.S. Department of Justice that helps compliance officers understand how the DOJ performs compliance investigations. As an expert in this area, he explained the three fundamental questions the DOJ asks during an investigation to determine whether a compliance program is truly effective or is merely window dressing. You can listen to the webinar for more information (see especially beginning at the 14:35 mark).

Guidance from the Department of Justice

In June 2020 the Department of Justice (DOJ) provided an update that aimed to clarify the process it uses to assess the effectiveness of an organization’s compliance program after a corporation has been indicted and found guilty of a federal offense (see U.S. Department of Justice Criminal Division Evaluation of Corporate Compliance Programs). The update is intended for compliance officers and other relevant parties, such as boards of directors. 

Because a corporate compliance program must be evaluated in the specific context of a criminal investigation, the DOJ does not use any rigid formula to assess the effectiveness of corporate compliance programs. Each company’s situation will be unique. Prosecutors recognize that it is reasonable to consider a company’s unique situation, including how a company’s size, industry, geographic footprint, regulatory landscape, or other factors may impact its compliance program. There are, though, three common “fundamental questions” a DOJ prosecutor will ask:

  1. Is the corporation’s compliance program well designed?
  2. Is the program being applied earnestly and in good faith? In other words, is the program adequately resourced and empowered to function effectively?
  3. Does the corporation’s compliance program work in practice?

Is a Compliance Program Well Designed? 

Prosecutors seeking to perform a thorough examination of whether a compliance program is well designed will consider risk assessment. They will seek to understand the company’s unique business environment and how the company has identified and assessed its specific risk profile. Prosecutors will assess the degree to which a program devotes appropriate scrutiny and resources to the risks it faces. Why did the company choose to set up its compliance program the way it did? How has the program evolved over time?

Additionally, prosecutors will examine whether a company has a code of conduct and policies and procedures that incorporate a culture of compliance into its day-to-day operations. The DOJ considers an organization’s code of conduct as the foundation of its compliance program. The code of conduct must be clear and concise. It ought to provide guidance to all levels of employees so that they know how to act in day-to-day operations. A code of conduct must also have internal controls appropriate to the risks the organization faces and the organization’s business model.

Prosecutors will also evaluate a company’s process for designing policies and procedures, the comprehensiveness of the policies, their accessibility, and the effectiveness of the operational implementation. 

Finally, training and communications are another hallmark of a well-designed compliance program. Prosecutors will assess steps taken by an organization to disseminate its policies and procedures to its workforce and whether employees understand and act in accordance with the information.

Is a Compliance Program Applied in Good Faith?

Considering whether a compliance program is applied in good faith means establishing whether the program is meaningful, addressing the unique types of risks that apply to the organization, or whether the program is simply window dressing.  If applied in good faith, the program has adequate resources and is empowered to function effectively.

One hallmark of a good faith compliance program is commitment from senior management. The DOJ will look for evidence of commitment to the program in day-to-day behavior that establishes a strong ethical culture. If senior managers are accountable, their behavior inspires middle managers to reinforce the standards of a company’s culture. The DOJ will consider whether senior management has clearly articulated an organization’s compliance standards and disseminates them throughout all levels of an organization, and whether all workers are held to the same standards.

Another aspect of determining whether a program is implemented in good faith involves autonomy and resources. The chief compliance officer must have sufficient independence and autonomy to do their job, and there must also be proper oversight. Prosecutors will look for a clear reporting line from the chief compliance officer to either the general counsel or the board of directors, with both parties working together to make certain the compliance department carries out its proper function and achieves the company’s goal of preventing misconduct.

The DOJ considers the adequacy of the department’s staffing and resources. If a compliance officer is a lone person in a very large corporation, overwhelmed by the number of issues that need attention, the DOJ may consider the compliance department to be window dressing because the compliance officer lacks sufficient resources and staffing.

The DOJ considers whether a compliance program uses incentives or disciplinary measures to encourage greater effectiveness. Both systems can be used in tandem. 

Importantly, the Department has made clear that the compliance program should apply from the boardroom to the supplier. No one should be exempt from the compliance program and the requirement to act in accordance with the company standards.

Does a Compliance Program Work in Practice?

Simply put, to assess a program’s effectiveness, regulators will assess whether the program prevents misconduct. 

Importantly, the DOJ recognizes that no compliance program can ever prevent all criminal activity by a corporation’s employees. But when misconduct occurs, the DOJ will ask whether it is responsibly addressed.

Prosecutors will look for evidence of continuous improvement of the program. For example:

  • As a company’s business changes over time, has the company engaged in meaningful efforts to review its compliance program and ensure the program is not stale?
  • Is there evidence of revisions to corporate compliance documents as a result of lessons learned?
  • What is the process for determining how and when internal audits occur?

Prosecutors will assess whether leaders look at misconduct that happened and consider how to prevent misconduct from recurring. They will look for well-functioning and appropriately funded mechanisms for investigations of misconduct. Investigators will consider whether qualified personnel conducted properly scoped investigations. They will consider whether investigations yielded meaningful information about root causes and other factors, including among supervisory managers and senior executives.  

Finally, prosecutors look for evidence of remediation. When misconduct occurs, does the company conduct a thoughtful root cause analysis of misconduct, with appropriate measures to address the root cause?  When misconduct occurs, an organization should consider and act upon whatever it was about the organization’s systems and culture that allowed the misconduct to occur.

Master of Legal Studies in Compliance and Risk Management Program

Compliance and risk professionals play a critical role in communicating and complying with the regulations and guidance of the Department of Justice (DOJ) as well as other agencies and administrative bodies. Additionally, leaders in compliance or risk may have careers within enforcement or regulatory agencies. Knowledge about how the DOJ evaluates the effectiveness of compliance programs is one of the broad set of practical and relevant skills that students in Seattle U Law’s Master of Legal Studies in Compliance and Risk Management program learn. Students graduate prepared for a broad range of careers as well as for career advancement within a current role.

Depending on professional goals and interests, students in the fully online program can optionally choose to focus on financial compliance, healthcare compliance, corporate compliance, or data & cybersecurity compliance. The MLS program provides opportunities to solve problems through a legal lens and gain foundational knowledge of the law, but without a JD. It prepares graduates to lead compliance efforts in any organization, regardless of industry. Students graduate with a commanding knowledge of law, legal analysis, and the frameworks used to identify, assess, and respond to risk. The program’s values-based approach moves beyond a narrow sense of compliance and helps establish a sense of equity, justice, and inclusion.

For more information, contact us at lawgraduateonline@seattleu.edu.