Compliance DOJ SFO Anti-Corruption Risk Management Corporate Governance

Introduction

An effective compliance program is essential for preventing misconduct and obtaining credit in enforcement actions. This article outlines global best practices based on guidance from leading enforcement agencies worldwide.

DOJ Evaluation Criteria

The DOJ's "Evaluation of Corporate Compliance Programs" guidance (updated 2023) emphasizes three fundamental questions:

  • Is the compliance program well designed? (Risk assessment, policies, training, third-party management)
  • Is the program adequately resourced and empowered to function effectively? (Resources, autonomy, compensation structures)
  • Does the program work in practice? (Implementation, monitoring, investigation, remediation)

SFO Guidance

The UK Serious Fraud Office expects:

  • Top-Level Commitment: Board and senior management commitment to compliance
  • Risk Assessment: Proportionate to organization's bribery risk profile
  • Due Diligence: Risk-based due diligence on counterparties
  • Communication and Training: Proportional and accessible policies and training
  • Monitoring and Review: Periodic review and improvement

Core Elements of Effective Programs

Risk Assessment

Continuous, risk-based approach identifying and prioritizing risks across operations, jurisdictions, and business units. Assessments should consider:

  • Geographic risk (Corruption Perceptions Index, sanctions exposure)
  • Transactional risk (third-party intermediaries, government contracts)
  • Industry risk (regulated sectors, government interaction)
  • Business unit risk (acquisitions, joint ventures)

Policies and Procedures

Clear, accessible, and regularly updated policies tailored to the organization's risk profile and operations. Key policies include:

  • Code of Conduct
  • Anti-Bribery and Anti-Corruption
  • Gifts, Entertainment, and Hospitality
  • Third-Party Due Diligence
  • Conflicts of Interest
  • Whistleblower Protection
  • Records Management

Training and Communication

Regular, role-specific training with measurable effectiveness assessment. Training should be:

  • Risk-based (higher-risk roles receive more training)
  • Regular (initial, annual refreshers, and event-driven)
  • Measured (testing, feedback, effectiveness metrics)
  • Documented (attendance, completion records)

Confidential Reporting and Investigation

Accessible reporting mechanisms, non-retaliation policies, and thorough investigation protocols:

  • Multiple reporting channels (hotline, email, web portal)
  • Anonymous reporting options where permitted by law
  • Clear anti-retaliation policy and enforcement
  • Trained investigation team
  • Documented investigation procedures
  • Appropriate remediation based on findings

Third-Party Management

Risk-based due diligence and ongoing monitoring of agents, distributors, and business partners:

  • Pre-contract due diligence
  • Contractual compliance provisions (audit rights, termination for misconduct)
  • Ongoing monitoring (periodic certifications, audits)
  • Training for high-risk third parties
  • Termination mechanisms for non-compliance

Mergers and Acquisitions

Pre-acquisition due diligence and post-acquisition integration of compliance programs:

  • Risk-based pre-acquisition due diligence
  • Contractual protections (indemnities, purchase price adjustments)
  • Post-acquisition integration within 6-18 months
  • Risk-based compliance audits of acquired entities

Global Enforcement Trends

  • Individual Accountability: DOJ's Yates Memo requires focus on individual prosecutions
  • Compensation Clawback: DOJ considers compensation structures and clawback policies
  • Voluntary Self-Disclosure: Strong incentives for timely, voluntary disclosure
  • Technology and Data Analytics: Expected use of data for monitoring
  • Cross-Border Enforcement: Increased coordination among global authorities
  • Compliance Program Effectiveness Testing: Moving beyond paper compliance to demonstrated effectiveness

Practical Recommendations

  1. Ensure board and senior management commitment with regular compliance reporting
  2. Allocate sufficient resources (personnel, technology, budget) to compliance function
  3. Conduct periodic compliance program assessments and benchmarking
  4. Implement technology solutions for third-party due diligence and monitoring
  5. Maintain robust documentation of compliance activities
  6. Respond promptly and thoroughly to detected misconduct
  7. Consider external audits and certifications where appropriate