By Cynthia Schnedar, executive VP of regulatory compliance, Greenleaf Health
The United States Attorneys’ Manual is an online document prepared by the U.S. DoJ to be used as a “quick and ready reference” by DoJ prosecutors. Thus, corporations generally do not become too familiar with the majority of the manual.
However, the manual has long contained a provision that should be of interest to all corporations. This particular section, entitled “The Principles of Federal Prosecution of Business Organizations,” describes factors prosecutors “should consider in conducting an investigation of a corporate entity, determining whether to bring charges, and negotiating plea or other agreements.” The principles described in this part are known as the “Filip Factors” because they were revised and expanded in 2008 under the leadership of then-Deputy Attorney General Mark Filip.
Among the nine Filip Factors for prosecutors to consider when deciding whether to bring charges or negotiate a plea, there are two directed at evaluating a corporation’s compliance program. First, prosecutors should take into account the “existence and effectiveness of the corporation’s preexisting compliance program.” Second, prosecutors should consider “the corporation’s remedial actions, including any efforts to implement an effective corporate compliance program or to improve an existing one, to replace responsible management, to discipline or terminate wrongdoers, to pay restitution, and to cooperate with the relevant government agencies.”
While the Filip Factors have been around since 2008, the DoJ issued new guidance this past February titled “Evaluation of Corporate Compliance Programs” (the guidance) to be used in conjunction with a Filip Factors examination of a company’s conduct. The guidance was issued by the Fraud Section of the DoJ’s Criminal Division, a unit that investigates and prosecutes complex white-collar crimes throughout the country. In this latest guidance, the DoJ notes that while corporate compliance programs must be evaluated in the specific context of a criminal investigation, there are common questions the DoJ may ask in making a determination of the effectiveness of a particular compliance program.
The Fraud Section’s 2016 enforcement statistics show it concentrated its enforcement efforts in cases involving foreign bribery, healthcare fraud, and securities and financial fraud. However, the principles espoused in the latest guidance apply across all industries, including the pharmaceutical and medical device industries. Corporations can use this guidance, which addresses the 11 key topics discussed below, as an evaluative tool to ensure they have a strong compliance program already in place should they ever fall under the microscope of the DoJ.
1. ANALYSIS AND REMEDIATION OF UNDERLYING MISCONDUCT
When the DoJ becomes aware that a company has discovered misconduct, the company will be expected to demonstrate that it has conducted a systemic evaluation and found the true root cause. The company must show whether it missed prior opportunities to identify the misconduct and what steps it has taken so it will not miss such opportunities in the future. The company must be prepared to demonstrate that its remediation efforts address both the root cause and the missed opportunity to find the misconduct.
2. SENIOR AND MIDDLE MANAGEMENT
The DoJ will want to see that both senior leaders and middle management are engaged in modeling appropriate behavior, addressing the misconduct, and preventing similar misconduct in the future. The company should be able to demonstrate a commitment across the organization to a strong compliance program. At the senior level, the board of directors can demonstrate the independence of the compliance function and of the external auditors by holding executive sessions with those groups. The board of directors should be able to demonstrate that it is actively examining information it receives and exercising appropriate oversight.
3. AUTONOMY AND RESOURCES
The DoJ will look to see if the compliance function has the stature, resources, and independence to do its job. The DoJ will compare the compliance function to other key strategic functions to see if compensation levels, rank/title, reporting lines, resources, and access to key decision makers are comparable. The DoJ will expect the compliance and control personnel to have appropriate experience and qualifications. It will look to reporting lines and the frequency of meetings to determine if the compliance and control function was operating with autonomy. The DoJ will test for “empowerment” of the compliance function by examining how the company has responded when that function raised concerns. The DoJ will also expect the compliance function to be adequately funded and will assess whether denials of requests for resources were reasonable. Compliance functions that have been outsourced will be closely examined by the DoJ to determine who made that decision and how, how it is being managed, whether the external compliance team has access to the information it needs, and how the effectiveness of the outsourced compliance is assessed.
4. POLICIES AND PROCEDURES
The DoJ will also examine the policies and procedures a company has in place that should have addressed the misconduct in question. First, the DoJ will assess the design and accessibility of these policies and procedures. That assessment will include a careful look at why the policies were designed, how they were rolled out, whether the appropriate employees were involved, whether they were assessed for effectiveness, and whether they were effectively communicated to relevant employees and third parties.
The second aspect the DoJ will assess is the operational integration of those policies and procedures. The DoJ will want to see clear and appropriate responsibility for integrating the policies and procedures, a practice of assessing controls, a determination if better payment systems could have prevented misconduct, a determination of whether the approval/certification process is being used to identify misconduct, and an assessment of the vendor selection process if a vendor has been involved in misconduct.
5. RISK ASSESSMENT
The DoJ will look at what methodology the company is using to identify, analyze, and address its risks. It will want to see what information or metrics the company has collected and how it has used that information in its compliance program. It will evaluate whether the company’s risk assessment process accounted for manifested risks.
6. TRAINING AND COMMUNICATIONS
The DoJ will expect companies to have received risk-based training, that is, training tailored to address the risks in the area where misconduct occurred. The DoJ will drill down and examine the form, content, and effectiveness of the training. When misconduct has occurred, the DoJ will examine senior management’s communications to employees concerning the company’s position on the misconduct that occurred. The DoJ also will want to see that resources for the company’s compliance policies are readily available to all employees, and that employees are willing to seek guidance.
7. CONFIDENTIAL REPORTING AND INVESTIGATION
The DoJ will want to see that the company has assessed the effectiveness of its confidential reporting mechanism to ensure it is adequately collecting, assessing, and following up on allegations it receives. The company should ensure any resulting investigations are properly scoped and are performed independently and objectively. The DoJ will also expect that the company is using its confidential reporting system to identify root causes and system vulnerabilities and appropriately reporting that information to senior management.
8. INCENTIVES AND DISCIPLINARY MEASURES
The DoJ will expect to see accountability when misconduct occurs. The company must show it took appropriate disciplinary action for misconduct, including disciplining managers responsible for failures in oversight. The company should have an appropriate human resource process in place to ensure the correct persons are involved in disciplinary decisions and that disciplinary penalties are consistent across the organization. The company also should have an incentive system in place, such as granting awards for ethical behavior and denying awards for misconduct, to encourage ethical behavior.
9. CONTINUOUS IMPROVEMENT, PERIODIC TESTING, AND REVIEW
The DoJ will assess a company’s internal audit function to see if it is conducting the types of audits that should have identified the misconduct and has an adequate audit reporting remediation function to address any reported misconduct. The DoJ will want to examine the control testing the company has performed to ensure the adequacy of its compliance program. The DoJ also will look to see if the company is proactive and is updating its risk assessments and compliance policies, procedures, and practices on an evolving basis.
10. THIRD-PARTY MANAGEMENT
A company should be able to demonstrate risk-based and integrated processes for managing its third-party vendors. The DoJ will want to see that the company has appropriate controls over the vendor, is actively involved in monitoring the third party to ensure those controls are followed, and is identifying and following up on any red flags concerning third-party conduct.
11. MERGERS AND ACQUISITIONS (M&A)
When the misconduct has occurred at a newly acquired company, the DoJ will look to see if the risk of misconduct should have been identified during the due diligence conducted prior to the acquisition. The DoJ will want to see that the compliance function was integrated into the merger, acquisition, and integration process. The DoJ will also want to see that the company continued to track and remediate misconduct during the due diligence process and implemented compliance policies and procedures at the new entities that were formed through the process.
The DoJ has long espoused that an effective corporate compliance program can help persuade a prosecutor to mitigate charges or sanctions it is seeking from a corporation. However, now, through its guidance on “Evaluation of Corporate Compliance Programs,” the DoJ has given additional insight into how it will determine if a corporate compliance program was effective. Thus, corporations would be wise to use this guidance as a checklist to evaluate their own compliance programs. Using this list not only will help if a company comes under the scrutiny of a federal prosecutor, it will also help build a compliance program strong enough to avoid coming under the scrutiny of the DoJ in the first place.