The DOJ’s 2024 Updates to Corporate Compliance Program Guidance: A Compelling Case for Empowered Compliance

The U.S. Department of Justice (DOJ) recently released its 2024 updates to the Evaluation of Corporate Compliance Programs Guidance. These updates introduce several important changes to the guidance, and reflect the evolving attitudes of regulators, government agencies and standards setters around the globe to key elements of compliance programs. These include the role of compliance in assessing the risks of emerging technologies such as artificial intelligence (AI), the importance of having a speak-up culture, whether compliance teams have sufficient access to data, the need for adequate resources in compliance programs, and the role of senior management and the board.

Although the DOJ’s guidance is primarily intended for prosecutors, it has long been considered a valuable resource for organizations that want to benchmark the quality of their compliance programs against expectations. In addition, in the event of an enforcement action, it helps companies understand how their program might be judged by the DOJ. Effective programs often receive more favorable resolutions, including reduced fines. 

In its 2024 updated guidance, the DOJ highlights five key areas for attention: 

1. Assessing Risks for Emerging Technologies

Compliance teams now have a critical role to play in helping their organizations – and in particular senior management and the board – better understand the potential risks associated with emerging technologies, such as artificial intelligence (AI). Note that the update addresses the use of AI both in the business and within compliance processes.

The DOJ guidance asks several thought-provoking questions, such as:

  • How does the company assess the potential impact of new technologies, such as artificial intelligence, on its ability to comply with criminal laws?

  • What is the company’s approach to governance regarding the use of new technologies such as AI in its commercial business and within its compliance program?

  • To the extent that the company uses AI and similar technologies in its business or as part of its compliance program, are there established controls in place to monitor and ensure its trustworthiness, reliability, and compliance with applicable laws and the company’s code of conduct?


To be able to answer these questions, compliance teams need to understand how emerging technologies are being used within the organization, perform risk assessments, develop a risk profile, and build policies and processes that will help mitigate the identified risks. Moreover, compliance teams need to ensure they can articulate how these emerging technologies are being deployed in compliance software.

2. Fostering a Speak-Up Culture

The DOJ has recently been ramping up its support for whistleblowing, with its Pilot Program on Voluntary Self-Disclosure for Individuals launched in April 2024 and the Corporate Whistleblower Awards Pilot Program created in August 2024. In this new guidance, the DOJ reinforces the need for companies to promote a strong speak-up culture where employees feel empowered to report misconduct without fear of retaliation. Now, the DOJ will look at whether organizations encourage whistleblowing or stifle it with practices that discourage reporting. The guidance challenges companies to evaluate their speak-up culture, employees’ awareness of internal and external reporting channels, their ability to prevent retaliation, and how they treat employees who report misconduct.

To meet the expectations of the guidance, compliance teams should ensure that their whistleblowing program is adequately resourced with both the technology and the expertise required to be effective. Compliance should also consider how to actively nurture a culture that does not retaliate against employees who speak up. Instead, the business, senior management, and the board should demonstrate that they value the insights into potential risks that speaking up can deliver.

3. Data Use and Compliance

Regulators, governments, and standards organizations worldwide are placing increasing emphasis on how data and technology can empower compliance teams to better meet obligations and detect misconduct more effectively. The DOJ’s recent revisions reflect this trend, emphasizing the importance of how compliance teams utilize data to ensure their programs are functioning optimally—commonly known as a compliance audit.

The expectation is clear: compliance teams must have access to sufficient data to monitor and test organizational policies, controls, and transactions effectively. The DOJ guidance encourages companies to leverage data analytics tools to streamline compliance operations and evaluate program effectiveness.

A key focus of the DOJ guidance is establishing strong data foundations: proper access to high-quality data is critical in compliance processes. This includes robust data governance practices to manage data quality, ensuring that metrics such as accuracy, precision, and recall in data analytics are reliable and actionable.

To meet these expectations, compliance teams should evaluate the best systems and processes to support this effort. Consolidating compliance-related data into a single, centralized repository simplifies adherence to updated guidelines on data access and accuracy. Such a platform allows teams to maintain consistent data quality, automate tracking, and streamline audits. Standardized metrics further ensure a uniform approach to evaluating data accuracy and effectiveness across compliance initiatives. Additionally, a centralized system fosters better collaboration among stakeholders, ensuring timely and efficient access to critical data.

4. Resource Allocation to Compliance Functions

The DOJ is closely examining whether companies are dedicating adequate resources and technology to their compliance programs. For example, the guidance instructs examiners to assess if there's an imbalance between the resources and technology used to drive market opportunities versus those allocated to detecting and mitigating risks. It also underscores the importance of having a compliance team with the right expertise, seniority, and direct access to the board or audit committee.

These considerations are crucial. Compliance teams often face an unfair fight, expected to manage an ever-expanding scope of risks without the necessary resources to do so effectively.

This puts compliance teams at a disadvantage, as they are tasked with meeting regulatory obligations and addressing emerging risks, such as AI, without sufficient technology and staffing. The DOJ is making it clear that it expects a more balanced distribution of resources between business growth and compliance efforts. This updated guidance gives under-resourced compliance teams a strong platform to advocate for greater investment in both talent and tools.

5. The Role of Senior Management and the Board

The update also speaks of the importance of having senior management and a board who are directly involved in the creation and fostering of a strong culture of compliance and ethics. The guidance talks about a “shared commitment” to compliance. It also asks what actions senior leaders and middle-management stakeholders – such as the business and operational managers, finance, procurement, legal, and human resources – have taken to demonstrate their commitment to compliance or compliance team members.


Although compliance professionals are usually responsible for implementing the DOJ guidance, the updated guidance signals the DOJ’s expectation that senior management is accountable for compliance and ethics, so that compliance objectives are embedded into the core of the business strategy.

For compliance teams, this element of the update can help them reinforce their role within the organization and advocate for a more deeply embedded compliance culture. Having the right “tone at the top” as well as transmission of compliance and ethics goals down through the organization is very important in enabling companies to meet regulatory expectations and to protect themselves from legal and reputational risks.

A more proactive, data-driven approach to compliance

Overall, the DOJ’s recent guidance is consistent with previous updates, including a continued shift toward a more proactive, data-driven approach to compliance, risk management, and employee empowerment. Underpinning these trends is the implicit need for data and technology resources that are capable of supporting processes such as whistleblowing, as well as capturing and analyzing compliance and risk management data. The technology also needs to be able to deliver compliance insights that can help the organization maintain a strong compliance and ethics culture, through informed decision-making across the enterprise, from the board down to the business.
