An introduction to the DOJ Guidelines for the Evaluation of Corporate Compliance Programs
First issued by the U.S. Department of Justice’s Criminal Division in February 2017, revised in June 2020, and again updated in March 2023 and September 2024, the so-called “Guidelines for the Evaluation of Corporate Compliance Programs” (“Guidance” or “Guidelines”) have become the cornerstone of contemporary compliance practice and are widely relied on by organizations in benchmarking the totality of their regulatory risk exposure against the Guidelines’ essential components. Designed primarily as a guide for federal prosecutors faced with the daunting task of prosecuting large organizations under multiple statutory authorities, the Guidelines have become the proverbial Bible of contemporary compliance practice and are frequently used by compliance practitioners as a framework for approaching compliance and ethics practice methodically and strategically.
While the details underlying the Guidelines’ essential components have morphed over time—reflecting the utilization of more sophisticated means by which corporate criminal activity is concealed and different emphases under the leadership of Attorneys General with distinct priorities—the core of the Guidelines has remained the same. The core framework of the Guidelines continues to revolve around three (3) essential questions—namely, (1) Is the corporation’s compliance program well designed?; (2) Is the program being applied earnestly and in good faith? In other words, is the program adequately resourced and empowered to function effectively?; and (3) Does the corporation’s compliance program work in practice?
(1) Is the corporation’s compliance program well designed?
The predicate to the functioning of an effective compliance program is, of course, the manner in which the program is designed to maximize the potential that an organization’s risk assessment, internal controls, policies and procedures, employee training, internal reporting structure, and third-party risk management processes coalesce to mitigate the potential that a violation of law or serious regulatory infraction will occur. While the DOJ does not expect—and indeed, it is practically impossible—for corporations to guard against each instance of malfeasance (particularly where the organization is large or has significant international exposure), the DOJ does expect corporations to utilize the resources at their disposal effectively, in a manner most conducive to ethical and legal conduct.
(a) Risk assessment
In that vein, the Guidelines preliminarily emphasize the need for a continuous risk assessment process as a roadmap for identifying legal and compliance risks arising from the activities of the organization. During the risk assessment phase, the Guidelines broadly require organizations to appropriately identify, assess and define their risk profile and construct a compliance program that “devotes appropriate scrutiny and resources” to those risks. Key elements of the risk assessment process include, but are not limited to, (1) consideration of the particular methodology the company has utilized to identify, analyze and address the particular risks it faces, including reliance on information and metrics that are collected in the ordinary course of business to address those risks; (2) whether the organization allocates sufficient resources to address higher-risk priorities, initiatives, and transactions (e.g., questionable payments to third party consultants, suspicious trading activity, and excessive discounts to resellers or distributors—all of which can be utilized to conceal bribery); (3) whether the risk assessment itself is subject to continuous review on a periodic basis, relying on “continuous access to operational data and information across corporate functions” and whether policies, procedures and controls have been updated in response to that information; (4) whether the company has a process for incorporating “lessons learned”—both internally from its own experiences and externally from enforcement actions taken in similar industries—into its risk assessment process; and (5) whether the company has a process for identifying (and appropriately managing) emerging internal and external risks that impact its overall ability to comply with the law.
Added to the Guidelines in September 2024, the fifth element of the risk assessment process calls on companies to address both the opportunities and risks associated with the utilization of emerging technologies, including, but not limited to, artificial intelligence (“AI”). To that end, the Guidelines now explicitly require companies to assess whether reliance on AI compromises their ability to observe their legal obligations, including compliance with the various criminal statutes that the DOJ is charged with enforcing. The new Guidance makes it clear that companies are expected to integrate the management of risks related to AI and other emerging technologies into the fabric of the organization’s overall enterprise risk management (“ERM”) framework. In this vein, the Guidelines require that organizations assess how they intend to curb potential negative consequences resulting from the deployment of AI both in the context of commercial operations and within the company’s own compliance program. Finally, the Guidelines stipulate that organizations adopt internal controls sufficient to ensure the overall “trustworthiness” and “reliability” of AI and related technologies, as well as accountability for their usage.
(b) Policies and procedures
The Guidelines stipulate that the risk assessment process be supplemented by serious contemplation of what policies and procedures are necessary from an operational perspective to ensure the organization properly addresses the risks continuously identified. As a starting point, the Guidelines stipulate that an organization should adopt a code of conduct that sets forth the company’s commitment to full compliance with all applicable federal laws. The code of conduct, in turn, should be supplemented by policies and procedures that “incorporate” compliance and ethics considerations into the culture of the organization and its daily activities. Accordingly, among other things, the Guidelines instruct prosecutors faced with a potential violation of the law by an organization to consider whether the company’s process for designing and implementing new policies and procedures—and fine-tuning existing policies and procedures—is both consistent and susceptible to evolution over time. Organizations must also consider the functions involved in policy and procedure development and whether key operational components of the organization (“business units”) have been consulted prior to their issuance.
The Guidelines further emphasize the obligation of a corporation to ensure that its policies and procedures have changed over time in response to both internal changes (e.g., expansion into new business areas, acquisition and merger activity) and external obligations and expectations (especially those pertaining to the use of emerging technology). The most recent revisions to the Guidelines issued in September 2024 now emphasize that companies are required to consider both lessons learned from the corporation’s own prior compliance issues and from other companies operating in similar industries/geographies when undertaking policy revisions and updates. Such revisions must also account for “emerging risks” related to the adoption of “new technologies.”
Moreover, the Guidelines require organizations to make their policies and procedures available on the broadest possible basis to “all employees and relevant third parties,” including an organization's foreign subsidiaries (translated into local languages) to maximize comprehension and retention. Such policies should also be published in a manner that prioritizes ease of access and searchability, with the company being able to demonstrate (through reliance on statistical evidence) that its employees actually resort to those policies when faced with a compliance question. Finally, the Guidelines stipulate that such policies and procedures be woven into the very fabric of the organization’s activities by those in positions of authority by communicating those policies to its employees and ensuring that they are reinforced in the context of internal controls. Relatedly, the Guidelines insist that particular guidance and training be furnished to those considered “gatekeepers” in relevant control processes such as those with approval authority or certification responsibilities. This training includes detection of relevant misconduct within their domain of responsibility, and the escalation of concerns pertaining to potential violations up the corporate hierarchy.
(c) Training and communication
Training and communication are other constituent components of assessing—again from a prosecutorial perspective—whether the organization’s compliance program is “well designed.” In that vein, prosecutors are charged with a wholesale assessment of whether the organization has ensured that its policies and procedures have been integrated into the organization’s commercial activities, through “periodic training and certification for all directors, officers, relevant employees, and where appropriate, agents and business partners.” Just as important as the scope of the training, however, is its content. Accordingly, the Guidelines underscore that training be risk-based with employees in “relevant control functions,” in high-risk first-line roles, and with supervisory responsibilities receiving more advanced training than others commensurate with the organization’s current risk profile. Notably, the Guidelines place considerable emphasis on the “form, content and effectiveness” of training provided by companies to employees and third parties by insisting, among other things, that the training be provided in a form and language appropriate for the audience; that the training address lessons learned from the organization’s own prior compliance incidents and failures as well as compliance issues faced by other companies operating in the same industry and/or geographical region; that the training facilitate interaction between the employees being trained and the actual trainer in the form of questions; and that the organization assess the extent to which the educational initiative in question has impacted employee behavior and operations. Finally, the Guidelines specify that senior management should commit to disseminating as much information as possible about substantiated misconduct in the form of anonymized descriptions and provide access to supplemental resources concerning the scope and content of compliance program policies.
(d) Confidential reporting structure and investigation process
A well-designed compliance program also includes a robust confidential reporting structure by which employees may anonymously and/or confidentially report allegations concerning a breach of the company’s code of conduct and/or corporate policies, as well as violations of the law and regulations. In that sense, the Guidance makes it clear that “[c]onfidential reporting mechanisms are highly probative of whether a company has established corporate governance mechanisms that can effectively detect and prevent misconduct” (emphasis added). In addition to the mere existence of a functional anonymous and/or confidential reporting hotline, the Guidelines mandate that such confidential hotlines be widely publicized such that rank-and-file employees know where, when, and how to utilize the hotline to give voice to concerns. To encourage reporting, the Guidelines further require that the company adopt an appropriate anti-retaliation policy, as well as other protocols that broadly incentivize reports of potential misconduct and discourage others from mistreating would-be whistleblowers. Furthermore, the Guidelines stipulate that the hotline be staffed by qualified personnel capable of ensuring that investigations into potential misconduct are properly scoped, independently and objectively conducted, and thoroughly documented. The Guidelines also require organizations to apply “timing metrics” to ensure responsiveness to the complainant’s concerns as well as a mechanism for monitoring investigation outcomes and ensuring accountability in response to investigatory findings. A final prong of the confidential reporting structure and investigation component is the insistence by the DOJ that the reporting and investigation mechanisms be properly funded and that the company collect, analyze, and utilize information gleaned from actual reports and/or findings to detect patterns of misconduct and other red flags or compliance program deficiencies.
This final requirement speaks to the need for organizations lacking the means to conduct their own internal investigations to allocate sufficient funds to outsource such investigations either to competent counsel or others with experience in handling complex corporate matters.
(e) Third party management
While often overlooked, a company’s third-party risk management (“TPRM”) practices are part and parcel of a well-designed compliance program. As the data consistently reveals, the utilization of third parties by organizations is one of the primary mechanisms by which companies attempt to conceal a host of illegal activities—including, but not limited to, violations of the U.S. Foreign Corrupt Practices Act (“FCPA”), 15 U.S.C. §§ 78dd-1, et seq., which criminalizes quid pro quo behavior in relation to foreign government officials. Given that the overwhelming majority of enforcement actions involving FCPA violations implicate third parties (e.g., intermediaries and other agents used to facilitate bribery), the Guidelines are clear that organizations are expected to apply risk-based due diligence to the management of all third party relationships that may vary based on the size of the company, the particular transaction in question, the third party involved, and the geographic location of the actual or contemplated business activity.
Importantly, the Guidelines insist that the company’s TPRM practices align with the nature and level of the total enterprise risk identified by the company and be integrated into relevant procurement and vendor management processes. Appropriate controls must also be utilized in the form of the existence of sufficient business rationales for the use of all third parties with whom an organization engages and accompanying contractual terms that describe—in detail—the services to be provided and the exact payment to be made. Finally, companies are charged with both the analysis of incentive and compensation structures for third parties against known compliance risks and for “real actions and consequences” in dealings with third parties that violate contractual obligations and/or engage in suspected malfeasance. In connection with the latter requirement, the Guidelines emphasize the role that due diligence plays in enabling an organization to make informed decisions about whether to engage a particular third party. As a consequence of that due diligence, organizations should ensure that third parties that are either terminated for cause or fail to pass muster are tracked to ensure that those parties are not engaged by the organization in the future.
(f) Mergers and acquisitions (M&A)
Last but not least, the Guidelines account for merger and acquisition activity in relation to a well-designed compliance program. This includes due diligence of all acquisition targets, as well as a definitive timeline for the orderly integration of the acquired entity into the company’s existing compliance program framework. In this vein, the Guidelines emphasize that comprehensive pre-acquisition due diligence enables the acquiring company to evaluate each target’s value more accurately and negotiate for the costs of any misconduct to be borne by the target. Conversely, the Guidelines emphasize that “flawed or incomplete due diligence,” whether conducted pre- or post-acquisition, can and will allow unidentified misconduct to continue post-acquisition, giving rise to legal liability on the part of the acquiring entity.
The September 2024 revisions to the Guidelines underscore the need for a company to adhere to a formal process when implementing or integrating a compliance program on a post-transaction basis. Accordingly, the revised Guidelines ask whether the acquiring company has a process in place to ensure effective compliance oversight of the target; whether the acquiring company has accounted for the activities of the target in its broader risk assessment activities; and whether the acquiring company timely conducts post-acquisition audits to identify potential compliance issues.
(2) Is the program being applied earnestly and in good faith? In other words, is the program adequately resourced and empowered to function effectively?
While a well-designed program is the cornerstone of an effective compliance program, the DOJ Guidelines highlight the fact that even a well-designed program can fail in practice to the extent “implementation is lax, under-resourced, or otherwise ineffective.” Accordingly, the Guidelines instruct prosecutors confronted with potential corporate malfeasance to evaluate whether the compliance program exists on paper only or in actual practice. In a similar vein, the Guidelines require prosecutors to evaluate whether an organization has sufficient resources in the form of human capital to audit, document, analyze, and utilize the results of an organization’s compliance efforts. Finally, the Guidelines call for a holistic evaluation of whether the corporation’s employees are informed about the compliance program and convinced of senior leadership commitment to the principles of ethics and compliance.
(a) Senior and middle management commitment
Earnest and consistent application of compliance program principles is heavily contingent on management commitment to the values espoused by the organization in its code of conduct and in its operational activities. To that end, the Guidelines place considerable emphasis on top company leaders being responsible for cultivating a “culture of ethics and compliance” based on clearly articulated standards conveyed to company personnel in unambiguous terms, and adherence to the standards by managers at all levels on a consistent basis. Among other things, the Guidelines ask organizations to assess how senior leaders, through their “words and actions” encourage or discourage compliance; what actions such leaders have taken to demonstrate leadership in the company’s broader compliance efforts; whether those leaders have modeled proper behavior to subordinate employees; if such managers have compromised company values by tolerating greater compliance risks in relentless pursuit of profit; and whether any managers have acted to “encourage” employees to violate legal or ethical norms to achieve a business objective or impede compliance personnel from the conduct of their daily responsibilities. Notably, the unwavering commitment to a culture of compliance must be shared by senior leadership and middle-management level stakeholders throughout the organization. Moreover, the Guidelines encourage organizations to consider whether the board of directors itself—the highest authority within the organization—has sufficient compliance expertise available in the form of periodic updates from auditors and compliance and ethics professionals that will operate to accurately apprise the board of the panoply of risks faced by the organization in question.
(b) Autonomy and resources
A second component of a compliance program implemented earnestly is a commitment by the organization itself to equip the compliance function to succeed by providing it with autonomy, sufficient resources, and authority to carry out its designated functions. The element of authority includes direct access to the board of directors on matters of grave concern to the compliance function, unimpeded by corporate hierarchies. While the DOJ notes that resources will vary depending on the size of the organization in question, the same general framework applies to evaluating whether the compliance function is empowered to play an active role in an operational context.
To that end, the Guidelines call for prosecutors to consider: (a) the structure of the program (where the compliance function is housed and to whom the compliance function reports); (b) the seniority and stature of the compliance function in relation to other business units (including compensation commensurate with the function’s responsibilities, and a stature sufficient to prevent the organization from undertaking illegal or unethical activities); (c) experience and qualifications on the part of compliance personnel and competency to handle more advanced assignments, as well as continuous training; (d) funding and resource sufficiency that permits the compliance function to “effectively audit, document, analyze, and act on the results of compliance efforts”; (e) access by compliance personnel to relevant sources of data to allow for timely and effective monitoring/testing of policies, controls and transactions; and (f) autonomy with respect to direct reporting lines to the board of directors or the audit committee thereof. Additionally, to the extent either a portion or the totality of the compliance function of an organization is outsourced for financial or other reasons, the Guidelines further call on prosecutors to assess why the function has been outsourced, who is responsible for oversight of the outsourced activity, and whether the outsourced process has been appropriately evaluated for effectiveness.
Revisions made in September 2024 to the Guidelines further call on prosecutors to comparatively assess whether the “assets, resources, and technology” available to the compliance function are comparable to those available elsewhere in the organization. To that end, prosecutors are called on to evaluate whether the company’s resource allocation efforts are proportional, or whether they are “imbalanced” and thus facially deficient.
(c) Compensation structures and consequence management
The third and final prong of an adequately resourced and sufficiently empowered compliance program is the extent to which the organization both incentivizes and disincentivizes particular behavior by, among other things, publicizing information concerning relevant disciplinary actions where appropriate and possible, to highlight the company’s zero-tolerance approach for intentional and knowing violations of the company’s values or the law. It further includes the design and implementation of compensation structures that foster a culture of compliance. Under the most recent revisions to the Guidelines in March 2023, the design of compensation systems—and the ability of a company to defer or escrow compensation tied to conduct consistent with company ethics and values or to claw back pecuniary incentives derived from illegal conduct—is an integral part of a prosecutor’s assessment of whether the program is truly effective. To that end, the Guidelines delineate a myriad of factors that prosecutors should consider that are indicative of a compliant culture, including consideration of who takes part in disciplinary decisions and how transparent the company has been in the design and implementation of the disciplinary process; what types of disciplinary measures are employed and whether the company has a process in place to recoup compensation that would not have been achieved but for the misconduct of an employee; whether disciplinary measures, incentives and disincentives have been applied consistently, across the organization’s geographies, operating units, and various levels; if the company has considered the impact of financial rewards or other incentives as a means of encouraging compliance; whether the organization has adopted effective consequence management practices sufficient to compare substantiation rates for similar reports of wrongdoing across the company; and crucially, whether the organization routinely engages in root cause analysis into areas where certain conduct is comparatively over- or under-reported. At their core, the Guidelines require organizations to consider how the organization overall has sought to enforce breaches of compliance standards or penalize ethical lapses through the withholding or recoupment of compensation on account of compliance-related activities.
(3) Does the corporation’s compliance program work in practice?
The final question posed by the DOJ Guidelines focuses squarely on the effectiveness of the compliance program both at the time of the initial misconduct in question and at the time of the charging decision. This requirement reflects a commitment on the part of the DOJ to significantly penalize only corporations whose behavior has remained unchanged since the initial misconduct occurred and was subsequently discovered either by the organization or in connection with a DOJ investigation. To carry out this examination, the Guidelines broadly instruct prosecutors to consider the following elements:
(a) Continuous improvement, periodic testing and review
In recognition that a “hallmark” of an effective compliance program is its capacity to evolve and improve over time, prosecutors are instructed to reward efforts to promote improvement and sustainability by corporations in connection with enforcement actions to the extent those corporations have demonstrated appropriate receptivity to addressing the root cause of the compliance failure at issue. Among other things, prosecutors are instructed to consider whether, for instance, the internal audit function of the organization was responsible for identifying issues germane to the underlying misconduct and whether, as a result of those audits, the organization took any remedial action. Similarly, the Guidelines ask prosecutors to consider whether the company has reviewed and audited its compliance program in the area relating to the misconduct and what results were ultimately reported and/or actions taken in response to the audit findings. Additionally, consideration of how often the company has updated its risk assessment and reviewed its compliance policies, procedures, and practices is a relevant factor in determining if the organization qualifies for any form of prosecutorial leniency. The Guidelines further ask prosecutors to assess how the company approaches the measurement of its compliance culture, through, for instance, its hiring and incentive structures, and whether the company has elicited the input of rank-and-file employees with respect to their perception of management’s overall commitment to ethics and compliance. Finally, the Guidelines ask prosecutors to evaluate the company’s capacity for improvement based on actual data concerning compliance program deficiencies, with companies being rewarded for the ability to “proactively” identify potential misconduct at the earliest possible stage.
(b) Investigation of misconduct
As the Guidelines emphasize, an additional attribute of an effective compliance program is the existence of a “well-functioning and appropriately funded mechanism for the timely and thorough investigations of any allegations or suspicions of misconduct by the company, its employees, or agents.” Under the Guidelines, organizations are required to ensure that such investigations are: (1) properly scoped by qualified and trained personnel; (2) used to identify root causes, system vulnerabilities, and accountability lapses; and (3) structured in a manner that preserves the independence of the investigators while ensuring that they are appropriately compensated for their contributions and/or disciplined for their own misconduct.
A more recent addition to the investigatory prong of the effectiveness element is the DOJ’s emphasis on ephemeral messaging applications and the ubiquitous use of personal devices commonly utilized by corporate employees to orchestrate, plan, execute and conceal their misconduct. In the context of the March 2023 revisions, the DOJ made it clear that organizations have a responsibility to identify, report, investigate, and remediate potential misconduct involving such messaging applications—even when those applications are utilized by an employee on a personal electronic device. Accordingly, the Guidelines instruct organizations to utilize policies and procedures governing the use of personal devices, communications platforms, and messaging applications for business-related purposes. This includes a focus on: (a) what electronic communication channels are authorized by the organization for employee utilization in connection with the conduct of business and to what extent the organization requires employees to manage and preserve business-related communications; (b) what policies and procedures exist to ensure that communications and other data are preserved from devices that are replaced; (c) whether the company in question has adopted a “bring your own device” (“BYOD”) policy that permits organizational access to, inspection and retention of relevant information stored on such devices; and (d) what consequences the organization has chosen to impose on employees who refuse to allow the company to access relevant communications.
(c) Analysis and remediation of any underlying misconduct
Finally, the Guidelines broadly instruct prosecutors to consider the efforts an organization has taken to rectify compliance program deficiencies and/or address the root cause of compliance failures in recognition of the seriousness of the misconduct at issue, acceptance of responsibility by the corporation for that misconduct, and adoption of remedial measures designed to reduce the likelihood of recurrence. Under the aegis of root cause analysis, organizations are encouraged to identify why a compliance failure occurred and whether any systemic issues were identified. Prosecutors are also obliged to consider the existence of prior weaknesses and whether policies or procedures that would have prevented the misconduct from occurring in the first instance were ultimately adopted by the organization as a remedial measure. Moreover, to the extent that payment processes were deficient or circumvented in connection with the misconduct, the Guidelines call on prosecutors to consider whether those processes were improved consistent with the organization’s commitment to remedial action. The same general principle applies to vendors, to the extent that the issue identified involved vendors or other contractual counterparties with whom the organization conducts business. Prosecutors must also consider whether the organization was confronted with prior opportunities to detect and address the malfeasance in question, whether by audit, internal report, or otherwise. The final dimensions of the analysis and remediation prong focus squarely on identifying the specific changes the company has made to reduce the risk that the same or substantially similar issues will arise in the future, including concrete identification of the root cause of the failure in conjunction with a “missed opportunity analysis.” In the same context, the Guidelines call for consideration of what disciplinary actions the company itself took in response to the misconduct and whether such actions were timely. This includes supervisory discipline (where appropriate) of those responsible for, or contributing to, the misconduct of their subordinates. Finally, the Guidelines call on prosecutors to examine the totality of the company’s disciplinary history related to the same types of misconduct at issue to ensure that the company is consistent in its approach. Whether or not the company has actually availed itself of recoupment or clawback provisions is also a relevant factor in ascertaining whether the offending organization qualifies for leniency.