In February 2017, the Fraud Section of the United States Department of Justice’s Criminal Division published a document entitled “Evaluation of Corporate Compliance Programs.” The document lists the criteria the DOJ uses to assess whether a corporate compliance program is effective. The DOJ recognises that each company’s risk profile, and the measures it adopts to reduce those risks, must be evaluated on their own merits, so it tailors its determination to each case. Even tailored determinations, however, raise many of the same questions, and the document sets out the questions the DOJ may ask about a corporate compliance program. What it does not do is give companies any guidance on how to arrive at the right answers.
In December 2014, the International Organization for Standardization published ISO International Standard 19600 – Compliance management systems – Guidelines, which helps organisations establish, develop, implement, evaluate, maintain and improve an effective and responsive compliance management system. It is the first international standard on state-of-the-art compliance management and provides the conceptual basis for other international standards, such as ISO 37001 – Anti-bribery management systems.
The DOJ document and ISO Standard 19600 differ in form, yet they share a preventive goal. A comparison of the two shows that US policy and the Standard are largely compatible, and that ISO 19600 is an appropriate tool for bringing a company’s compliance management to a level at which it can give the right answers to the DOJ’s questions, should that ever become necessary: Risk and Compliance Management (PDF: 296 KB). The table in the comparison illustrates the overlap between the DOJ and ISO guidance; the flowchart opposite the table illustrates the iterative “plan-do-check-act” management system that the Standard advocates. The colour scheme shared by both graphics indicates where the topics overlap.