
DOJ Update for Corporate Compliance Programs

How is your compliance program affected by the 2020 DOJ Compliance Guidance update? What else do you need to know? 

The U.S. Department of Justice issued new guidance that unequivocally supports the compliance officer’s role. Moving forward, compliance programs will need to be dynamic, data-backed, and adequately resourced and empowered to function. Are you ready?


What the DOJ's New Guidance on Evaluating Corporate Compliance Programs Covers

Risk Assessment

How have you identified, assessed, and defined your risk profile? What is the rationale behind the program design decisions you’ve made?

Commitment by Senior & Middle Management

Does your company create and foster a culture of ethics and compliance? How have your senior leaders and middle managers demonstrated their commitment to compliance?

Policies & Procedures

Do you have a code of conduct? Do your policies and procedures incorporate a culture of compliance into your day-to-day operations? Are your policies easy to reference and update?

Autonomy & Resources

Do compliance personnel have sufficient authority, resources and autonomy? Do they have continuous access to operational data and information across functions?

Training & Communications

Is your training risk-based? How do you measure training effectiveness? Do you offer shorter, targeted training on key issues?

Incentives & Disciplinary Measures

Have disciplinary actions and incentives been fairly and consistently applied across the organization? Do you monitor investigations to ensure consistency?

Confidential Reporting & Investigation

Do you have a way for employees and third parties to anonymously or confidentially report misconduct? Do employees feel comfortable using it? How do you measure its effectiveness?

Continuous Improvement, Periodic Testing, & Review

Does your compliance program conduct periodic audits and control testing? Does your company review and adapt its compliance program based upon lessons learned?

Third Party Management

Do you apply risk-based due diligence to your third party relationships? Do you engage in risk management of third parties throughout the lifespan of the relationship?

Investigation of Misconduct

Do you have a well-functioning and appropriately funded mechanism for timely and thorough investigations of misconduct?

Mergers & Acquisitions

Does your organization conduct pre-acquisition due diligence? Do you have a process for integrating acquired entities into existing compliance program structures?

Analysis & Remediation of Any Underlying Misconduct

To what extent is your company able to analyze and address the root causes of misconduct?

The Challenge of Addressing DOJ Compliance Guidance

With the DOJ’s June 2020 update to its guidance on corporate compliance programs, regulators have further sought to provide guidance and transparency to organizations by clearly communicating their expectations of what a well-designed and properly executed compliance program should look like.

Compliance officers can start by answering the three questions the DOJ instructs prosecutors to ask at the start of their evaluation: 1) Is the corporation’s compliance program well designed? 2) Is the program adequately resourced and empowered to function? 3) Does the program work in practice?

The DOJ guidance then provides detailed questions to evaluate each response. Someone measuring a risk and compliance program’s design, for example, should start by reviewing its risk assessment. How did the company define its risk profile? Did it tailor its programs to detect the specific types of misconduct identified, and allocate resources accordingly? Did it periodically review and revise its assessment? By proactively addressing the questions posed in the DOJ guidance, organizations can prevent the need for prosecutors to seek answers in the wake of compliance failure.

Steps You Can Take to Meet DOJ Guidance on Corporate Compliance Programs

It’s time to do a health check on your compliance program

Enforcement agencies want to know if the effectiveness of your program is limited to a snapshot in time or continuously improving to keep pace with evolving risk. Integrated risk and compliance management software provides ongoing monitoring capabilities, fueled by a steady stream of relevant data. Explore the chart below to understand the DOJ’s expectations on common compliance program gaps and how our solutions can help.

Download: Full 2020 DOJ Tracked Updates

Program Component: Risk Assessment

DOJ Evaluation Question: Section 1 (A): Does your company have a process for tracking and incorporating lessons from your own issues or from other companies into your own risk assessment process?

Program Action Step: Your organization should have processes in place to measure your compliance program effectiveness and should have access to reporting tools that help your company detect problems and analyze trends. Your organization should also have visibility into industry-level data to evaluate and benchmark your compliance program against your peers, allowing you to identify where your program is succeeding and where it can be improved.

Program Component: Policies and Procedures

DOJ Evaluation Question: Section I (B): Are your organization’s policies and procedures published in a searchable format for easy reference?

Program Action Step: Your policies and procedures management system should have extensive search capabilities, allowing users to search by title, keyword, full text, or reference number.

DOJ Evaluation Question: Section I (B): Does your organization track access to various policies and procedures to understand what policies are attracting more attention from relevant employees?

Program Action Step: Your system needs to be able to track how many times a policy has been viewed, who has viewed it, what version was viewed, and who has attested to the policy.

Program Component: Training and Communications

DOJ Evaluation Question: Section 1 (C): What is the interactive nature of your training? Does it provide opportunities to ask questions?

Program Action Step: Your training courses should be interactive and provide learners with access to your organization’s policies, as well as information on how to ask questions or make a report. These interactive resources should always be available to learners throughout a training course.

DOJ Evaluation Question: Section 1 (C): Can you accurately measure the impact of your training and how it affects employee behavior or operations?

Program Action Step: Your Learning Management System (LMS) should deploy, track and report on compliance training programs, including metrics that measure progress toward goals. Program administrators should also be able to validate course completions and overall program health through dashboards and audit-ready reporting.

Program Component: Confidential Reporting Structure and Investigation Process

DOJ Evaluation Question: Section 1 (D): Can your company confirm employee awareness of your hotline?

Program Action Step: As part of your organization’s hotline and investigation management system, you should have a selection of awareness materials including posters, brochures and wallet cards.

DOJ Evaluation Question: Section 1 (D): Are you periodically testing the effectiveness of your hotline (e.g. by using a tracking report)?

Program Action Step: To accurately test and measure the effectiveness of your hotline, your organization should have access to reporting tools that help detect problems and analyze trends. Reporting should also include details about the status, volume and resolution of your investigations.

Program Component: Third-Party Management

DOJ Evaluation Question: Section 1 (E): Are your risk assessments of third parties done throughout the life span of the relationship, or just during the onboarding process?

Program Action Step: Your third-party risk management solution should allow you not only to screen, but also to continuously monitor third parties against adverse media, sanctions lists, and politically exposed persons. It should also support real-time reputation alerts when a third party’s status changes and additional due diligence when needed.
