DOJ Guidance on Corporate Compliance Programs

The Challenge of addressing DOJ Compliance Guidance

The Evaluation of Corporate Compliance Programs is the U.S. Department of Justice’s guidance to federal prosecutors on how to determine the size and severity of punishment a company should face in the event of a compliance failure. With their June 2020 update to the guidance, regulators have also sought to provide guidance and transparency to organizations by clearly communicating their expectations of what a well-designed and properly executed compliance program should look like.

Compliance officers can start by answering the three questions the DOJ instructs prosecutors to ask at the start of their evaluation: 1) Is the corporation’s compliance program well designed? 2) Is the program adequately resourced and empowered to function? 3) Does the program work in practice?

The DOJ guidance then provides detailed questions to evaluate each response. Someone measuring a risk and compliance program’s design, for example, should start by reviewing its risk assessment. How did the company define its risk profile? Did it tailor its programs to detect the specific types of misconduct identified, and allocate resources accordingly? Did it periodically review and revise its assessment? By proactively addressing the questions posed in the DOJ guidance, organizations can prevent the need for prosecutors to seek answers in the wake of compliance failure.

Learn how we can help

Risk Assessment

How have you identified, assessed, and defined your risk profile? What is the rationale behind the program design decisions you've made?

Policies & Procedures

Do you have a code of conduct? Do your policies and procedures incorporate a culture of compliance into your day-to-day operations? Are your policies easy to reference and update?

Training & Communications

Is your training risk-based? How do you measure training effectiveness? Do you offer shorter, targeted training on key issues?

Confidential Reporting & Investigation

Do you have a way for employees and third parties to anonymously or confidentially report misconduct? Do employees feel comfortable using it? How do you measure its effectiveness?

Third Party Management

Do you apply risk-based due diligence to your third party relationships? Do you engage in risk management of third parties throughout the lifespan of the relationship?

Mergers & Acquisitions

Does your organization conduct pre-acquisition due diligence? Do you have a process for integrating acquired entities into existing compliance program structures?

Commitment by Senior & Middle Management

Does your company create and foster a culture of ethics and compliance? How have your senior leaders and middle managers demonstrated their commitment to compliance?

Autonomy & Resources

Do compliance personnel have sufficient authority, resources and autonomy? Do they have continuous access to operational data and information across functions?

Incentives & Disciplinary Measures

Have disciplinary actions and incentives been fairly and consistently applied across the organization? Do you monitor investigations to ensure consistency?

Continuous Improvement, Periodic Testing, & Review

Does your compliance program conduct periodic audits and control testing? Does your company review and adapt its compliance program based upon lessons learned?

Investigation of Misconduct

Do you have a well-functioning and appropriately funded mechanism for timely and thorough investigations of misconduct?

Analysis & Remediation of Any Underlying Misconduct

To what extent is your company able to analyze and address the root causes of misconduct?

Step 1

Review NAVEX Global's annotated copy of the DOJ guidance to view the latest changes from the June 2020 update.

Step 2

Consult NAVEX Global’s Corporate Compliance Evaluation Matrix to determine which products and services correspond the specific area of corporate compliance you want to address.

Step 3

Evaluate and improve your policies and procedures to reduce targeted risks and incorporate a culture of integrity into your day-to-day operations.

Step 4

Offer multiple whistleblower incident management reporting methods, including a compliance hotline to create effective reporting mechanisms that allow for properly scoped investigations conducted in a timely manner.

Step 5

Provide training tailored for the unique risks of your organization in a form and language appropriate for each audience.

Step 6

Integrate risk-based third-party due diligence into your procurement and vendor management processes to assess and continuously monitor the qualifications and associations of third-party partners.