Update to the DOJ evaluation of corporate compliance programs 

In September 2024, the U.S. Department of Justice (DOJ) released an updated version of its “Evaluation of Corporate Compliance Programs” (ECCP), a critical document that guides prosecutors in assessing the effectiveness of corporate compliance programs. This update reflects the DOJ’s evolving approach to corporate governance and compliance, emphasizing a more nuanced and individualized evaluation of each company’s compliance efforts. This summary aims to provide a general summary of the ECCP to serve as a reference tool, as well as highlight key updates and what it means for businesses striving to maintain robust compliance programs. 

Is the company’s compliance program well designed? 

The DOJ emphasizes that a well-designed compliance program starts with a thorough risk assessment tailored to the company’s specific operations and industry. This includes continuous updates to address emerging risks, such as the use of artificial intelligence (AI) and other new technologies. Effective compliance programs also have comprehensive policies and procedures that are clearly communicated and integrated into daily operations – not just filed away into a repository. Training programs should be tailored to the needs of different functional areas, focusing on high-risk areas, with regular evaluations of training effectiveness. An efficient reporting mechanism for misconduct, including anonymous channels and anti-retaliation policies, is essential. Additionally, risk-based due diligence on third-party relationships and comprehensive due diligence during mergers and acquisitions (M&A) are critical to ensure compliance standards are upheld throughout the supply chain and during corporate transactions. 

Is the company’s compliance program adequately resourced and empowered to function effectively? 

A strong compliance culture starts with a commitment from senior and middle management, whose actions and communications set the tone for the entire organization. Compliance personnel must have sufficient authority, resources and autonomy to perform their duties effectively, including adequate staffing, access to data and independence from management. Incentives for compliance and disincentives for non-compliance are essential for empowering others to engage in a culture of compliance. This includes clear consequence management procedures and consistent application of disciplinary measures. The DOJ also highlights the importance of aligning compensation structures with compliance objectives to promote ethical behavior.