In June 2019, when the Criminal Division of the Department of Justice (DOJ) updated its guidance document on how prosecutors are to evaluate an organization’s compliance program (Evaluation of Corporate Compliance Programs), one theme came through loud and clear: compliance policies, procedures and controls should never become stale or stagnant. Rather, the DOJ takes the position that to be effective a compliance program must be “dynamic and evolving” in order to meet new areas of risk that present themselves to the organization. As an indication of the expectation that a program continue to develop, the guidance document instructs prosecutors to look at the program at the time of the offense or wrongdoing, and (emphasis added) at the time of the charging decision or resolution. In other words, if bad activity is detected, the DOJ expects the provider to begin the process of changing systems, policies, procedures, etc. to address that risk right away rather than waiting until after the investigation process has been completed.
The DOJ places the responsibility on each provider to be constantly testing the program and tracking results (auditing and monitoring), and then using that information and data to improve the program. It is clear that the risk assessment process is an important part of ensuring compliance policies and procedures are continuously updated. Just looking at a policy and adding a “reviewed on” date to the bottom is not sufficient. Rather, the organization’s internal review of the components of the compliance program must be “based on continuous access to operational data and information across functions.”
The revised guidance document re-emphasizes the expectation that compliance programs be data-driven, and that data be the basis for continuous refinement and improvement of the program. Compliance is not one and done. The program is a “living and breathing” thing that continues to evolve over time. Take a look at your program to see if maybe it is getting a little crusty around the edges!