DOJ issues new guidance on compliance programs: Five steps you can (and should) take right now — wherever you are

November 16, 2021

As a former trial attorney in the Department of Justice's (DOJ) Fraud Section, external counsel, and Fortune 500 chief compliance officer (CCO), I've had the opportunity to observe the evolution of DOJ's perspective on compliance programs from many vantage points over the last two decades.

In earlier years, prosecutors had varying levels of appreciation for effective compliance programs. Today, prosecutors evaluating a company's program as part of an enforcement action or settlement proceeding have a better understanding of what works — and what doesn't — for companies.

Revised guidance just issued by the DOJ aims to sharpen that understanding in ways that are especially relevant right now, as companies navigate the human, economic and operational fallout of a global pandemic — with constrained resources, overstretched compliance teams, and employees struggling to maintain continuity working from their homes.

While the new guidance is still centered on the same three fundamental questions — Is the compliance program "well-designed"?; Is it being applied "earnestly and in good faith"?; and, Does it work "in practice"? — it adopts a more practical approach that takes into account a company's individual, real-world business circumstances. And it underscores that regulators will now be taking a longer view of the evolution of the compliance program — including periodic risk assessments and lessons learned, from the time of the offense all the way to resolution — instead of looking only at "a snapshot in time."

If your program is underinvested, or staffed with part-time resources who have other demands on their time… if you haven't revisited it because you've "never had a problem"… if you've allowed your acquisitions to continue running compliance autonomously… or if you've done ad hoc assessments of your policies or procedures without documenting them — the updated guidance tells us that it may be time for a refresh.

Where do you start? Here are five steps you can take right now to work smarter — while being better protected — no matter where you’re working from:  

1. Ask yourself: Is our program design purposeful?

The DOJ specifies that ensuring your program is “adequately resourced” is part and parcel of showing that it is being applied “earnestly and in good faith.” But what if, in the real world, your organization doesn’t have the personnel and resources to address every single element or scenario referenced in the guidance? The key is to focus on a risk-based approach — and target those transactions and operations that are higher-risk. In framing the importance of risk assessments, the revised guidance explicitly states that “prosecutors should endeavor to understand why the company has chosen to set up the compliance program the way that it has, and why and how the company’s compliance program has evolved over time.” 

It is more important than ever to be purposeful about the risks you choose to own as a central compliance function, and about how you support the business, which functions as the first line of defense for most compliance risks. And if your central compliance function isn't operating as a second line of defense — supporting business owners in effectively executing their compliance responsibilities, and then objectively testing and monitoring compliance performance — it's probably ripe for a refresh.

2. Ingrain empowerment within the fabric of your company

In addition to ensuring that it is “adequately resourced,” the new guidance also directs prosecutors to ask whether the compliance program is “empowered to function effectively.” Empowering the chief compliance officer and compliance department goes beyond devoting significant resources and personnel to the program. It must be ingrained within your operations — part of the company’s muscle. If the only involvement the CCO has is an annual briefing to the audit committee, that’s not considered “empowerment.” 

Simply going through the motions, without escalating issues or taking necessary action, could spell danger. 

A fit-for-purpose compliance program is not stagnant in its strategy or its priorities: it "lives and breathes" — recognizing the risks, while remaining agile enough to quickly pivot and align to an evolving operating and regulatory landscape. This also speaks to the DOJ's focus on compliance programs meeting the company's real-world risks, which will differ across businesses and industries. And, the guidance stresses, the program must be supported by a culture of ethics and compliance "at all levels of the company."

3. Leverage your data intelligently

A new section, "Data Resources and Access," asks whether compliance and control personnel have sufficient access (direct or indirect) to relevant sources of data to allow for timely and effective monitoring and testing of policies, controls, and transactions — and whether the company has addressed any impediments that might limit access to that data (for example, foreign data protection restrictions). This data should inform the scope of a risk assessment that determines whether and how you should adjust policies, procedures, other guidance and communications based on what you learn.

Leveraging data to identify and monitor risks has been a DOJ focus since its updated guidance of 2019, and this year those expectations have intensified. But here’s the good news: Investing in technology to support monitoring activities and data mining can help scale the impact of your compliance program without requiring significant near-term investment in personnel. And there’s plenty of room for better utilization: According to PwC’s recent Global Economic Crime and Fraud Survey, fewer than 3 in 10 US executives are using and finding value in techniques like data visualization and dashboards to combat fraud and corruption. What’s more, 1 in 7 have no plans to use data like this in the future. 

The time to look at how you can use data effectively is now — we all have room for improvement. 

4. Check your third-party hygiene — throughout the lifespan of the relationship

The 2020 Guidance also spotlights third-party compliance management. While the DOJ still views a strong due diligence program as a critical part of a compliance program, it’s now looking beyond due diligence and considering what companies do to manage risks throughout the engagement with the third party. By evaluating the ongoing engagement of a third party, compliance can help the business better evaluate the ROI with respect to that third party. For example, you can use data analysis and other technologies to assess risk against commercial KPIs — and re-confirm that the service provided by the third party aligns with your justification for engaging it.

5. Start where you are — even if it’s small

Operating under new demands, including remote working, may be here to stay — at least for the foreseeable future: 27% of US CFOs believe it will take six or more months to begin returning to “business as usual” (whatever that may be). The shutdown has in fact shown many companies that they can work remotely better than they ever expected — and we’ve heard from many compliance leaders that those extra hours in the day have had them thinking about how to enhance their existing initiatives. 

That said, many, if not most, companies are still handling compliance the way they’ve always done it. If you are among that group, think about this: If you were called by the DOJ to explain your resourcing and structural choices today, would you be able to back up your rationale? Could you demonstrate that your program has evolved with the risk? 

If you haven’t updated your compliance program in five years, now is the time. Consider that just a few short months ago, 56% of US business leaders said they had been a victim of fraud. One thing we know from experience is that in times of crisis, fraud often climbs — when pressures on people, companies and the economy are greatest. Use any bandwidth you have today to look at the effectiveness of your program. 

Keep it real… and keep at it.

We are all thinking daily about how to be agile in this crisis. We don’t know what the future holds, or how long we will be operating in this “abnormal” environment. Last Monday’s revised guidance shows that the DOJ — whose staff is working from home, too — is also thinking this way.

Programs, policies (and teams) need to be able to flex over time. That's why continually refreshing your compliance program is so critical. If there's one takeaway from the new DOJ guidance, it's that a compliance program must be credible and grounded not only in your company's unique circumstances, but also in the ever-evolving ecosystems of risk and available technology. It must adapt to "lessons learned."

But to me, the guidance points to an even more important point: The time for CCOs to fully own their role as essential strategic advisors to the business is now. Every business decision, every business partner hired, every merger or acquisition, must be considered through a strategic lens. That is the true meaning of empowerment.
