How Does the DOJ Evaluate Your Compliance Program?
Compliance Program Criteria
DOJ internal manuals set a high bar for corporate compliance programs, expecting them to be well-designed, adequately resourced and functioning at all times. Although the Department admits that even the best compliance programs cannot prevent all types of violations, the DOJ expects companies to have a robust and working mechanism to identify and prevent misconduct.
In the previous article, we discussed how the DOJ defines a well-designed program and the criteria it uses. This report focuses on the last two pillars of effective compliance in the eyes of the DOJ: the allocation of adequate resources and program implementation.
How Is Your Compliance Program Resourced?
Even if a company leverages an all-around well-designed compliance program, it can only be successful if supported by adequate resources. Accordingly, the DOJ instructs its attorneys to probe whether the corporate compliance agenda is actually implemented and properly resourced or whether it exists only as a “paper program.”
When assessing the allocation of resources for the compliance efforts, the DOJ examines whether:
- senior management is committed to, and takes steps towards, achieving compliance,
- there is an effective compliance structure having sufficient autonomy to fulfill its functions,
- the compliance structure is adequately staffed with personnel qualified to implement audits and analyses and take remedial actions,
- compliance personnel are provided with access to corporate data, as well as to policies, controls and transactions,
- the staffing and resources allocated to the compliance function are proportionate to the size and complexity of the operation.
Is the Compliance Agenda Regularly Improved, Tested and Reviewed?
When probing the efficiency of a corporate compliance program, the DOJ checks the program’s capacity to improve and evolve to address existing and novel compliance risks. Since companies operate amid constantly changing regulatory environments and market conditions, businesses need to take continuous steps to adapt their compliance programs and ensure they stay current.
For example, companies are expected to gauge the strength of controls to ensure that these controls are functioning, survey their employees and run internal audits. Businesses also need to implement regular risk assessments to account for new challenges and update their compliance agendas based on ongoing monitoring of the regulatory environment and market situation.
How Are Instances of Alleged Non-Compliance Investigated?
From the DOJ's perspective, a working compliance system should have a well-functioning mechanism for investigating any alleged violations by the company or third parties. Such a mechanism should provide for prompt and effective responses and be properly scoped and well-documented. The Department also expects organizations to have documented reports on investigations, including information on remediation or disciplinary actions.
In its internal guidance related to investigations, the DOJ places a strong focus on how companies should handle their communication channels and manage their data.
The Department highlights that businesses should regulate the use of messaging applications and devices to preserve information and protect the privacy and security of data, which is especially important for the pharma and healthcare industries. The guidance requires DOJ attorneys to check whether companies have implemented “bring your own device” (BYOD) programs and whether they have specific policies governing access to and storage of data on personal devices.
Are the Root Causes of Misconduct Properly Analyzed and Addressed?
Finally, a working compliance program should empower businesses to analyze the root causes of misconduct as well as to address and remediate them when such instances occur.
In particular, the DOJ guidelines require attorneys who investigate instances of non-compliance to check:
- how the company approaches the analysis of root causes of misconduct,
- how effective the company is in implementing its policies or procedures,
- whether the company has adequate safeguards against improper use of funds leading to non-compliance,
- what the vendor due diligence process is in instances where vendors were involved,
- what steps the company has taken to reduce the risk of similar occurrences in the future,
- what disciplinary actions the company took in relation to each case of misconduct.
Ensuring an Effective Compliance Framework with MedCompli
Considering the regulatory and market complexity of the pharma and healthcare sector and the ever-changing environment, companies looking beyond paper compliance need to regularly revisit their compliance agenda. Specifically, the DOJ expects businesses to scale their compliance-dedicated resources proportionate to the size and complexity of operations and implement ongoing assessments of their risks and controls.
In those instances when organizations have to address alleged violations, companies need robust mechanisms for investigation of root causes and prompt remediation to minimize the negative consequences of non-compliance. For more information on implementing a well-designed and fully functioning compliance program which meets the expectations of regulators for pharma and healthcare businesses, please don’t hesitate to contact the MedCompli team for a free consultation.