Earlier this year the Justice Department published its latest guidance yet about corporate compliance programs: a document titled “Evaluation of Corporate Compliance Programs,” that listed more than 100 questions the department might ask if it is investigating misconduct at your company.
The guidance is specific, detailed, and comprehensive. The questions are written from the perspective of a prosecutor asking about a compliance program after a failure; but from them compliance officers can also reverse-engineer how a strong program should operate before a failure.
The single longest section of the guidance dwells on policies and procedures. Those twenty questions underscore that effective policies and procedures—ones that actually address possible misconduct; ones that fit within your regular business processes—are crucial to success.
Some of our favorite questions are these:
We like these questions for three reasons. First, they imply that the company should have a structure to create new policies and procedures. Second, they emphasize the importance of effective risk assessment that helps the company understand what its policies and procedures should actually do. Third, they stress the importance of people, communication and stakeholder input to the design of a compliance program.
Putting Those Ideas to Use
The point behind these questions is to see whether the company has a thoughtful, defensible logic to how it designs new policies and procedures. This is especially important in the complex and highly regulated life sciences sector, where the need for clear policy and process exists throughout core functions.
Start with the very first question the Justice Department asks on this subject: “What has been the company’s process for designing and implementing new policies and procedures?” The components for a good answer to that question are clear. You need a risk assessment that explores how employees might commit the misconduct in question. You need to solicit input from leaders in the operating units of the business, to ask them how that misconduct can be prevented. You write policies in a manner that employees can understand. And you need support from senior executives, who decide how much to emphasize ethical conduct and how much to emphasize speedy, profitable operations, setting the tone and influencing the culture of the company.
You need all those components assembled in proper sequence, so the process for developing new policies and procedures can run independently of any specific person involved in supporting good conduct.
How can all that be done? That is a subject for future posts.