As I may have mentioned before, I recently was granted the honor of adding “CCEP” after my name, to go with my “CGFM” designation. CCEP means “Certified Compliance and Ethics Professional.” (CGFM means Certified Government Financial Manager.) The CCEP designation was granted by the Board of the Society of Corporate Compliance and Ethics (SCCE).

Which is really neither here nor there, except to note that, as part of my training, I was exposed to an entirely different view of compliance programs. Normally, when we discuss compliance on this website, we are talking about compliance with statutes and regulations that apply to government contractors, or perhaps about compliance with contract terms and conditions. We talk about the Federal Acquisition Regulation and the Defense Federal Acquisition Regulation Supplement.

From time to time we talk about other, related, matters—such as the Foreign Corrupt Practices Act (FCPA) or the export control regime (ITAR, EAR). We touch on Ethics/Business Conduct Policies when we discuss FAR Part 3. We mention investigations and contractor disclosures. (Indeed, we’ve written two in-depth analyses of contractor disclosures, which are available on this site under “knowledge resources.”)

But we have not really done a deep dive into the legal view of corporate compliance programs before. We have not dug into how such programs are defined by the Department of Justice and the U.S. Sentencing Guidelines. We glided past those issues because (1) there wasn’t much if any need to discuss them, and (2) we felt uncomfortable with those matters because we weren’t (and still are not!) attorneys. However, that second hesitation was removed when I attended the SCCE training and passed the test, and was awarded the CCEP designation. Now I think we can discuss the legal view of corporate compliance programs with some confidence that we know whereof we speak.

That all being said, today we want to discuss the very recent promulgation, by the Department of Justice, of a document called “Evaluation of Corporate Compliance Programs.” It is a document that identifies eleven areas in which a company’s compliance program will be evaluated by the DOJ when they are considering prosecution options.

This is an important document because it tells us what elements the DOJ considers to be important. As we list the eleven elements, ask yourself how well your company would fare if the DOJ evaluated you in these areas. They are:

1. Analysis and Remediation of Underlying Misconduct, including root cause analysis, analysis of any prior indications, and efficacy of remediation.

2. Senior and Middle Management, including conduct by corporate leadership, communication and shared commitment to ethical conduct, and the structure/expertise of the corporate oversight function (e.g., Board of Directors).

3. Autonomy and Resources available to the compliance function, including experience, qualifications, and stature within the corporation. Also includes empowerment and funding/resources. There is a hint in this factor that a fully outsourced compliance function will be viewed with suspicion.

4. Policies and Procedures, including internal assessments of the efficacy of the command media, oversight of compliance by process owners, and employee accessibility to the command media. This factor also includes a subfactor regarding controls, payment systems, and vendor management

5. Risk Assessment, including the risk management process and the process used to gather information/metrics to design its misconduct detect/prevent processes. This factor also evaluates the feedback loop—i.e., how do “manifested risks” influence subsequent risk assessments and internal controls?

6. Training and Communications, including availability of compliance guidance to employees and communication back to the workforce about misconduct that has been detected. In our experience, a number of corporate attorneys are reluctant to discuss misconduct after the fact. The DOJ evaluation factor asks the following questions (quoting): What has senior management done to let employees know the company’s position on the misconduct that occurred? What communications have there been generally when an employee is terminated for failure to comply with the company’s policies, procedures, and controls (e.g., anonymized descriptions of the type of misconduct that leads to discipline)?

7. Confidential Reporting and Investigation, including the effectiveness of the investigations, the qualifications of the investigative personnel, and whether the results of the investigations are used to enhance controls.

8. Incentives and Disciplinary Measures, including the disciplinary process and how personnel are held accountable, and whether ethical/compliance behavior is incentivized by the company.

9. Continuous Improvement, Periodic Testing, and Review, including the effectiveness of the internal audit function, whether internal control testing was updated/enhanced as the result of the misconduct, and the currency/scope of risk assessments.

10. Third Party Management, including risk assessments and related controls, and whether the third parties are incentivized to act in a compliant manner.

11. Mergers & Acquisitions, including the role of compliance and risk assessments in the due diligence process, and whether risks identified during the due diligence efforts are remediated during post-acquisition integration.

This blog has been geared towards those compliance practitioners working in the government contracting environment. We talk a lot about FAR, about DCAA, about the government contracting process. We talk about compliant cost accounting and billing practices. But clearly there is a bigger picture for government contractors: there is a bigger compliance regime in which FAR/CAS and other contracting compliance matters are but a part. This article has attempted to show the bigger picture.

We trust it was of value to you.