Kusserow on Compliance: More details on new DOJ corporate compliance guidelines

Previous blogs outlined the Department of Justice (DOJ) Fraud Section’s “Evaluation of Corporate Compliance Programs” guidance for compliance officers. Since then, many have inquired about more specific details on the questions the DOJ now uses to determine the adequacy of compliance programs, particularly as they relate to management and Board oversight. Subsequent to the publication of the Evaluation, the HHS Office of Inspector General (OIG) reported at the recent Health Care Compliance Association (HCCA) Compliance Institute that it is modifying its corporate integrity agreements (CIAs) to increase the accountability of organization leadership, including the Board, a change that follows a path similar to the DOJ’s. With these changes in mind, the following recaps in more detail the DOJ list of “important topics and sample questions” it now uses when evaluating the effectiveness of corporate compliance programs. This 119-question resource offers great insights for compliance officers working to build and enhance their compliance programs. These guidelines grew out of the DOJ’s hiring of Compliance Counsel Expert Hui Chen in November 2015. One thing to remember about these guidelines is that they relate to all industry sectors. As such, they track with the U.S. Sentencing Guidelines, but do not focus on the health care sector in the way the OIG compliance guidance documents do.

Filip Factors

The Principles of Federal Prosecution of Business Organizations in the United States Attorney’s Manual describe specific factors that prosecutors should consider in conducting an investigation of a corporate entity, determining whether to bring charges, and negotiating plea or other agreements. Commonly known as the Filip Factors, they include “the existence and effectiveness of the corporation’s pre-existing compliance program” and the corporation’s remedial efforts “to implement an effective corporate compliance program or to improve an existing one.” The guidance was formulated to evaluate compliance programs after violations have been discovered, using the misconduct itself as the benchmark against which the compliance program is evaluated. It focuses on testing existing compliance programs and outlining the steps that should be taken when problems are discovered to demonstrate a pre-existing commitment to compliance. It is also intended to inform the public about how federal prosecutors review compliance programs under the Filip Factors. Eleven topics are highlighted, as noted below, each with its tie-in to OIG guidance and followed by the types of questions one can expect the DOJ to ask when it confronts corporate misconduct.

1. Analysis and remediation of underlying misconduct. The OIG guidance stresses seeking out identified weaknesses to ensure they are addressed and that misconduct is prevented in the future.

  • Has the organization done an analysis to see if there was a systematic failure in compliance?
  • Did the company miss prior opportunities to detect the misconduct?
  • Has the company evaluated why those opportunities were missed?
  • What remediation was undertaken once a problem was discovered?
  • What specific changes has the company made to reduce the risk of a recurrence?

2. Senior and middle management. This tracks to the OIG call for “top-down” compliance programs beginning at the Board and executive levels and cascading down through all levels of management.

  • Did senior managers, through their words and actions, encourage or discourage the misconduct in question?
  • Has senior leadership taken concrete steps to demonstrate commitment?
  • Does the Board have access to the right expertise to help it perform its oversight function?

3. Autonomy and resources. Prosecutors look for signs of “autonomy,” such as whether compliance personnel have “direct reporting lines to anyone on the board of directors” and whether “relevant control personnel in the field have reporting lines to headquarters.” The OIG has been calling for this type of independence for compliance offices for decades, which permits unfiltered information to flow between the compliance officer, CEO, and Board. The DOJ also looks for signs of “empowerment,” such as instances where “specific transactions or deals . . . were stopped, modified, or more closely examined as a result of compliance concerns.”  With the relatively recent hiring of full-time compliance counsel at the Fraud Section, this has been a particular point of focus.

  • Does the compliance function have the right resources and stature within the company to perform effectively?
  • Was the compliance department involved in the training and decisions relevant to any misconduct?
  • Does the compliance department have appropriate independence?

4. Policies and procedures. Policies and procedures are a foundational component of any corporate compliance program, and the Compliance Program Guidance devotes considerable attention to this topic, as does the OIG in its guidance documents. As a threshold matter, prosecutors consider the “design and accessibility” of policies and procedures—including whether they are tailored to a company’s risk profile, have been effectively implemented and communicated, and have been evaluated to ensure usefulness. Prosecutors also consider the “operational integration” of a company’s compliance policies and procedures—including the adequacy of payment systems and other controls that should have helped detect or prevent misconduct.

  • Did the company have policies and procedures in place that prohibited the misconduct?
  • Has the company assessed whether its policies and procedures were effectively implemented?
  • Are key gatekeepers adequately trained?
  • Was the program properly integrated and were adequate controls put in place to detect misconduct?

5. Risk assessment. This factor relates to the OIG guidance relating to ongoing monitoring and auditing of high risk areas.

  • What methodology has been used to identify, analyze and address the risks the organization faced?
  • Does the company collect information and metrics to adequately assess risks?

6. Training and communications. As with the OIG guidance, there is considerable expectation that all covered persons will undergo compliance training on high risk areas, governing laws and regulations, and what to do when misconduct is believed to have occurred.

  • What training was in place and is it properly tailored for high-risk or control employees?
  • Is the training offered in the right form and language for the target employees?
  • How does the company communicate to employees about any misconduct that does occur?

7. Confidential reporting and investigation. Like the OIG, the new guidelines focus on the means by which employees and others may report potential wrongdoing, as well as how this information is acted upon by the organization.

  • Does the company have in place an effective way of collecting and analyzing allegations of misconduct?
  • Does the company ensure investigations have been properly scoped, conducted, and documented?
  • Did the investigation look to root causes of the misconduct?
  • Did the investigation go high up enough in the company?

8. Incentives and disciplinary measures. The OIG stresses consistent implementation of disciplinary action for wrongdoers, without regard to station within the organization.

  • Is there proper accountability, as demonstrated by discipline for managers under whose watch misconduct occurred?
  • Is the application of discipline consistent?
  • Is there an incentive program for good compliance and ethical behavior?
  • Can the company point to specific examples of actions taken (such as promotions or awards denied) as a result of compliance and ethics considerations?

9. Continuous improvement, periodic testing, and review. The OIG calls for compliance officers to ensure that there is an audit work plan that focuses on identified high-risk areas. Many of these high-risk areas are specifically identified in its compliance guidance documents, advisory opinions, annual work plans, etc.

  • What types of audits would have identified the misconduct at issue and were they conducted?
  • Did management and the board follow up on audit findings and failures? Does the company test its controls?
  • Does the company routinely update its compliance program and make sure it adequately addresses current risks?

10. Third party management. In the case of the OIG, considerable attention and concern is placed on arrangements with individuals in a position to influence the flow of business. It calls for an Arrangements Database that includes processes, policies, and monitoring of such agreements.

  • Does the company’s third party management process adequately analyze risk?
  • Are there appropriate controls with regard to third parties?
  • Does the company adequately respond to third-party red flags?
  • Has the company suspended, terminated, or audited a third party as a result of compliance issues?

11. Mergers and acquisitions (M&A). This analysis focuses on due diligence and integration.

  • In the event misconduct is discovered after a merger, was proper due diligence conducted during the M&A process?
  • How has the compliance function been integrated into the M&A process?

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance-related matters. The SM sister company, CRC, provides a wide range of compliance tools, including sanction screening.


Copyright © 2017 Strategic Management Services, LLC. Published with permission.