In case you missed it, on April 30, 2019, the Department of Justice (DOJ) Criminal Division released a guidance document titled Evaluation of Corporate Compliance Programs (Guide). This release serves as an update to a prior version released in 2017 by the Fraud Section of the Criminal Division. As such, the revised version seeks to harmonize the Department’s guidance on these issues and provide context on how they are analyzed. Regarding the release of the Guide, Assistant Attorney General Brian A. Benczkowski stated, “Today’s guidance document is part of our broader efforts in training, hiring, and enforcement to help promote corporate behaviors that benefit the American public and ensure that prosecutors evaluate the effectiveness of compliance in a rigorous and transparent manner.”

The Guide is intended to assist prosecutors in making decisions when investigating, charging, and negotiating enforcement actions. The Criminal Division organizes their analysis, and the Guide, under three broad questions:

  1. Is the program well-designed?

  2. Is the program effectively implemented?

  3. Does the compliance program actually work in practice?

Is the Program Well-Designed?

The Guide states that the starting point of any evaluation of a company’s compliance program is an analysis of the company’s own risk assessment. In particular, a prosecutor should focus on how the company identified, assessed, and defined its own risk profile, and if the program devotes an appropriate amount of scrutiny and resources in accordance with the defined risks. The Guide notes, “Prosecutors may credit the quality and effectiveness of a risk-based compliance program that devotes appropriate attention and resources to high-risk transactions, even if it fails to prevent an infraction in a low-risk area.”[1]

Next, prosecutors should evaluate the policies and procedures used to address the identified risks and how these have been integrated into the organization through training and certification. In this context, the Guide specifically highlights training programs that utilize practical advice or case studies along with guidance on how to obtain ethics advice on a case-by-case basis. Furthermore, confidential reporting structures and a robust investigation process are a “hallmark of a well-designed compliance program.”[2] The Guide notes that the process should include proactive measures that create a workplace atmosphere that provides a defined process for the submission of complaints, protects whistleblowers, and dispels any fear of retaliation.

Finally, a well-designed compliance program should also have outward facing components to address third-party partners, agents, and consultants in addition to a comprehensive due diligence process to evaluate potential acquisition targets. The Guide directs prosecutors’ attention to the degree of oversight and ongoing monitoring applied to third parties and possible acquisition targets prior to consummating a transaction.

Is the Corporation’s Compliance Program Being Implemented Effectively?

In connection with the policies, procedures, and training discussed above, the senior and middle management must create and foster a culture of ethics and compliance. Prosecutors should evaluate the authority, autonomy, and stature of those charged with the day-to-day implementation of the compliance program. This assessment includes considerations such as if the company has assigned the necessary senior employees and resources, as well as providing these individuals the necessary access to carry out their functions. Finally, prosecutors should assess the penalties imposed for non-compliance and if they are applied consistently without regard to position or title within the company. The Guide notes that publicizing disciplinary actions internally can have an additional deterrent effect while making compliance a metric for advancement and management bonuses can help build the corporate culture.

Does the Corporation’s Compliance Program Work in Practice?

The Guide notes that the Principles of Federal Prosecution of Business Organizations require prosecutors to assess the adequacy and effectiveness of a compliance program at the time of the offense and at the time of the charging decision. In evaluating the program at the time of the offense, prosecutors should consider whether and how the misconduct was detected, what resources were in place to investigate the incident, and the nature and thoroughness of the company’s remedial efforts. The guide once again notes that the existence of misconduct does not necessarily indicate an ineffective compliance program. Instead, if the misconduct is identified and remediated or even self-reported, these factors could indicate that the compliance program was functioning effectively.

In evaluating the program at the time of the charging decision, effective compliance programs are subject to continuous improvement, periodic testing, and regular review to ensure that the compliance program is evolving with the company and addressing new risk areas. As discussed above, an investigation of misconduct indicates that a company is actively implementing its compliance program. Furthermore, the guide directs prosecutors to evaluate the extent to which insights gained from investigations are used to address the root causes of misconduct and implement remediation measures to prevent future misconduct.


As the Criminal Division stresses in the Guide, “the sample topics and questions [it provides] form neither a checklist nor a formula.”[3] In fact, when it comes to compliance, there is no one-size-fits-all approach. Nevertheless, the Guide provides helpful reminders, insights, and examples of indicators and practices the Criminal Division considers favorably when conducting their investigations and can serve as a useful resource to companies developing and/or assessing their compliance programs.