In April, the Department of Justice issued updated guidance regarding the evaluation of corporate compliance programs to assist prosecutors in deciding whether they were adequate and effective at the time of an offense, as well as at the time of a charging decision. It builds upon earlier guidance and provides further specificity as to the factors the department will consider in its evaluations.
The department disclaims using "any rigid formula to assess the effectiveness of corporate compliance programs," and instead makes "an individualized determination in each case" based on three fundamental questions: Is the program well designed? Is it being applied earnestly and in good faith? And does it work in practice?
For each of these questions, the department posits a list of factors to consider. However, when it comes to small- and medium-sized businesses, some of the features described by the department may be out of reach in terms of staffing, operations and cost. While large corporations can take the guidance and turn it into a checklist to determine that their compliance programs have all the features endorsed by Justice, smaller companies must make a very different and difficult assessment: what program elements can they effectively implement, and how much compliance can they afford?
As to program design, Justice will look at five elements: risk assessment; policies and procedures; training and communications; confidential reporting and investigation processes; third-party management, if any; and procedures for compliance issues in mergers and acquisitions. Setting aside the last element, small- and medium-sized defense contractors should already have these basic elements in place, given the requirements of the Federal Acquisition Regulation Part 3.1002 for a written code of business ethics and conduct as well as an internal control system that promotes compliance, and FAR § 52.203-13, which requires the contractor to adopt a code for contracts expected to exceed $5.5 million.
But for many companies, both risk assessment and reporting and investigation structures may pose challenges to organizational and financial resources. Justice looks for a risk management process, with risk-tailored resource allocation, and ongoing revisions based on lessons learned. Smaller organizations that lack internal audit or legal resources should consider engaging outside compliance experts to help them meet these expectations. Given that a...