During a keynote speech today at the Compliance Week 2015 conference, Leslie Caldwell, assistant attorney general for the Justice Department’s Criminal Division, provided some insight on what a robust compliance function looks like. She also talked about what it means to conduct a thorough internal investigation in the eyes of the government.

“Overall, our message is really a simple one: we really expect that corporations will take compliance risks as seriously as they take other business risks,” Caldwell said. “Compliance is a really significant part of a company. It’s critical, and a lack of compliance can be devastating to a company.”

During her remarks, Caldwell spoke about how companies should go about designing a compliance program that doesn’t just look good on paper. “Compliance programs shouldn’t be designed just to avoid violations of the law and regulations,” she said. “It really should be designed to protect the company’s reputation, employees, customers, third parties, and, frankly, the public.”

Some companies misdirect their compliance focus by targeting only areas where they have regulatory and criminal exposure, rather than focusing on the actual misconduct of employees. For example, some companies have very little compliance in certain segments of their business where they’ve never had any contact with regulators, “because they see that as not a risk area,” Caldwell said. “That’s a wrong way to look at things.”

“As a result, we’ve seen too many compliance programs that are a little bit behind the curve,” Caldwell added. “They’re effectively and carefully guarding against yesterday’s problems, but they’re failing to identify and prevent tomorrow’s problems.”

Compliance Hallmarks

During her remarks, Caldwell also stressed the hallmarks of effective compliance programs. In addition to tone-at-the-top, the Department of Justice also looks at the types of explicit messages being given to employees in the field, and factors like compensation and incentives. Paying a trader at a bank $200 million a year while he’s manipulating the LIBOR sends mixed messages, said Caldwell, citing a real-life example.

Additionally, oversight of compliance has to be at senior level; that includes an appropriate level of compensation. “Companies will say that they take compliance seriously, but then you find out that the chief compliance officer makes a fraction of what the general counsel makes, or other more junior people in the litigation department,” she said.

Other hallmarks of an effective program include having a compliance program that is “clear, simple, and straightforward.” Having adequate resources and an effective means of reporting potential violations are also essential, she said.

“Sometimes the companies with the best compliance programs are the ones that appear to have the most violations; that’s because their programs are actually working,” Caldwell added. If you’re a large company that had no compliance violations over the last two years, “I can tell you that you have a bad compliance program.”

Another crucial component of a compliance program is that it be a “living document” that’s reviewed periodically, Caldwell said. Additionally, mechanisms should be in place to enforce compliance, including incentivizing good behavior, as well as disciplining violators of laws or policies, no matter the level of the employee, she said.

Thorough Internal Investigations

The Justice Department will “evaluate the quality of a company’s investigation when we’re deciding whether to bring charges against that company,” Caldwell said. Thus, conducting a thorough internal investigation is important.

The Criminal Division does not look favorably upon companies that present facts in the form of “talking points,” or that sound “spun,” she said. Nor does it look favorably upon companies that whitewash the truth.

Effective internal investigations, in comparison, are focused on rooting out facts, identifying and interviewing knowledgeable people, gathering relevant documents, and identifying individuals responsible for the misconduct.

Contrary to some reports, Caldwell said the Justice Department does not believe a company necessarily has to take a “boil the ocean” approach when conducting an internal investigation. “Make your investigations focused, targeted,” she advised. “We don’t expect a worldwide bill of health in every FCPA investigation.”

How thorough an investigation should be varies, depending on the type of problem and type of company, she said. For example, if a local employee in Russia paid a bribe to customs officials to get a shipment of automobiles into the country in an expedited fashion, “I don’t think there is reason to assume that same problem exists in every country,” she said. By contrast, if you discover a problem in Country A, and the same group of sales managers are operating in other countries, “we would expect you to look in those other countries.”

Data Breaches

Caldwell also spoke about the importance of mitigating cyber risks. “We’ve seen a mushrooming of data breaches in the last couple of years,” she said. “Given the potential financial, reputational, privacy, and other harms that a data breach can cause, it’s really critical that a company put that risk front and center and have a compliance program and policies and cyber security program that’s designed to prevent data breaches.”

The Criminal Division will treat companies that suffer a data breach as victims. “We would very much invite you to cooperate with us and have a law enforcement contact,” she said.

To help companies mitigate cyber risks, the Justice Department last month posted guidance on what it views as a primer on best practices for cyber security. That document may be found here.