DOJ Guidance on Corporate Compliance

The Evaluation of Corporate Compliance Programs is the U.S. Department of Justice’s guidance to federal prosecutors on how to determine the size and severity of punishment a company should face in the event of a compliance failure.

The Challenge of Addressing DOJ Compliance Guidance

With the DOJ’s June 2020 update to their guidance on corporate compliance programs, regulators have further sought to provide guidance and transparency to organizations by clearly communicating their expectations of what a well-designed and properly executed compliance program should look like.

Compliance officers can start by answering the three questions the DOJ instructs prosecutors to ask at the start of their evaluation: 1) Is the corporation’s compliance program well designed? 2) Is the program adequately resourced and empowered to function? 3) Does the program work in practice?

The DOJ guidance then provides detailed questions to evaluate each response. Someone measuring a risk and compliance program’s design, for example, should start by reviewing its risk assessment. How did the company define its risk profile? Did it tailor its programs to detect the specific types of misconduct identified, and allocate resources accordingly? Did it periodically review and revise its assessment? By proactively addressing the questions posed in the DOJ guidance, organizations can prevent the need for prosecutors to seek answers in the wake of compliance failure.

What the DOJ's New Guidance on Evaluating Corporate Compliance Programs Covers

Risk Assessment

How have you identified, assessed, and defined your risk profile? What is the rationale behind the program design decisions you’ve made?

Commitment by Senior & Middle Management

Does your company create and foster a culture of ethics and compliance? How have your senior leaders and middle managers demonstrated their commitment to compliance?

Policies & Procedures

Do you have a code of conduct? Do your policies and procedures incorporate a culture of compliance into your day-to-day operations? Are your policies easy to reference and update?

Autonomy & Resources

Do compliance personnel have sufficient authority, resources and autonomy? Do they have continuous access to operational data and information across functions?

Training & Communications

Is your training risk-based? How do you measure training effectiveness? Do you offer shorter, targeted training on key issues?

Incentives & Disciplinary Measures

Have disciplinary actions and incentives been fairly and consistently applied across the organization? Do you monitor investigations to ensure consistency?

Confidential Reporting & Investigation

Do you have a way for employees and third parties to anonymously or confidentially report misconduct? Do employees feel comfortable using it? How do you measure its effectiveness?

Continuous Improvement, Periodic Testing, & Review

Does your compliance program conduct periodic audits and control testing? Does your company review and adapt its compliance program based upon lessons learned?

Third Party Management

Do you apply risk-based due diligence to your third-party relationships? Do you engage in risk management of third parties throughout the lifespan of the relationship?

Investigation of Misconduct

Do you have a well-functioning and appropriately funded mechanism for timely and thorough investigations of misconduct?

Mergers & Acquisitions

Does your organization conduct pre-acquisition due diligence? Do you have a process for integrating acquired entities into existing compliance program structures?

Analysis & Remediation of Any Underlying Misconduct

To what extent is your company able to analyze and address the root causes of misconduct?

Steps You Can Take to Meet DOJ Guidance on Corporate Compliance Programs

Step 1

Review NAVEX’s annotated copy of the DOJ guidance to view the latest changes from the June 2020 update.

Step 2

Consult NAVEX’s Corporate Compliance Evaluation Matrix to determine which products and services correspond to the specific area of corporate compliance you want to address.

Step 3

Evaluate and improve your policies and procedures to reduce targeted risks and incorporate a culture of integrity into your day-to-day operations.

Step 4

Offer multiple whistleblower incident management reporting methods, including a compliance hotline, to create effective reporting mechanisms that allow for properly scoped investigations conducted in a timely manner.

Step 5

Provide training tailored for the unique risks of your organization in a form and language appropriate for each audience.

Step 6

Integrate risk-based third-party due diligence into your procurement and vendor management processes to assess and continuously monitor the qualifications and associations of third-party partners.