Yesterday I began a two-part series on the Department of Justice (DOJ’s) “Evaluation of Corporate Compliance Programs” (Evaluation) posted on the Fraud Section in February. The document is an 11-part list of questions which encapsulates the DOJ’s most current thinking on what constitutes a best practices compliance program. Within the list are some 46 different questions that a Chief Compliance Officer (CCO) or compliance practitioner can use to benchmark a compliance program. In short, it is an incredibly valuable and most significantly useful resource for every compliance practitioner.

Picking up from yesterday, the next area of inquiry is in training and communications. Here the inquiries are around whether you have adequately risk-based your training and then delivered effective training “tailored” for high-risk employees. This picks up the language from the most General Cable Foreign Corrupt Practices Act (FCPA) enforcement action and demonstrates how the continuous loop of innovation in compliance is driving the evolution of best practices. It was General Cable which provided the tailored training as a part of their remediation efforts and now we find that being built into this DOJ Evaluation. The DOJ also reiterates you need to determine the effectiveness of your compliance training.

The Evaluation specifically suggests a company communicate about employee misconduct throughout its organization. Added to this is an inquiry into the effectiveness and availability of compliance guidance. Finally, and definitely a key inquiry, is whether employees are able and willing to seek compliance advice.

Under confidential reporting and investigations, the tests are around determining the effectiveness of your compliance reporting mechanisms through your triage protocol, the seriousness of how a company might take a reported issue and whether compliance is kept in the loop around investigations. You will also need to consider your investigative protocol and whether investigations “have been properly scoped, and were independent, objective, appropriately conducted, and properly documented”? Following these protocol inquiries are those regarding your company’s response to investigations. The Evaluation asks, “Has the company’s investigation been used to identify root causes, system vulnerabilities, and accountability lapses, including among supervisory manager and senior executives? What has been the process for responding to investigative findings? How high up in the company do investigative findings go?” While it seems clear, it bears stating now, that all such actions must be documented going forward to show to any regulator who comes knocking.

The next section is an inquiry into carrots and sticks, or more formerly incentives and disciplinary measures. Once again demonstrating the need to put compliance into the fabric of an organization there is an inquiry into the role of Human Resources (HR) in any disciplinarily process. There is also a series of inquiries into the response to Code of Conduct or other violations, “What disciplinary actions did the company take in response to the misconduct and when did they occur? Were managers held accountable for misconduct that occurred under their supervision? Did the company’s response consider disciplinary actions for supervisors’ failure in oversight?” Of course, the disciplinary action will should be evaluated. Finally, and in an inquiry which I can only say warms my heart, it asks has “the disciplinary actions and incentives been fairly and consistently applied across the organization?”

But it is not only the sticks a company employs but also what incentives you have in place for doing business ethically and in compliance. You need to consider how you have incentivized compliance and what the rewards have been. Also recognizing that compensati