
In September 2024, the U.S. Department of Justice (DOJ) released an updated version of its “Evaluation of Corporate Compliance Programs” (ECCP), a critical document that guides prosecutors in assessing the effectiveness of corporate compliance programs. This update reflects the DOJ’s evolving approach to corporate governance and compliance, emphasizing a more nuanced and individualized evaluation of each company’s compliance efforts. This article provides a general summary of the ECCP to serve as a reference tool, and highlights key updates and what they mean for businesses striving to maintain robust compliance programs.

Is the company’s compliance program well designed? 

The DOJ emphasizes that a well-designed compliance program starts with a thorough risk assessment tailored to the company’s specific operations and industry. This includes continuous updates to address emerging risks, such as the use of artificial intelligence (AI) and other new technologies. Effective compliance programs also have comprehensive policies and procedures that are clearly communicated and integrated into daily operations – not just filed away into a repository. Training programs should be tailored to the needs of different functional areas, focusing on high-risk areas, with regular evaluations of training effectiveness. An efficient reporting mechanism for misconduct, including anonymous channels and anti-retaliation policies, is essential. Additionally, risk-based due diligence on third-party relationships and comprehensive due diligence during mergers and acquisitions (M&A) are critical to ensure compliance standards are upheld throughout the supply chain and during corporate transactions. 

Is the company’s compliance program adequately resourced and empowered to function effectively? 

A strong compliance culture starts with a commitment from senior and middle management, whose actions and communications set the tone for the entire organization. Compliance personnel must have sufficient authority, resources and autonomy to perform their duties effectively, including adequate staffing, access to data and independence from management. Incentives for compliance and disincentives for non-compliance are essential for empowering others to engage in a culture of compliance. This includes clear consequence management procedures and consistent application of disciplinary measures. The DOJ also highlights the importance of aligning compensation structures with compliance objectives to promote ethical behavior. 

Does the company’s compliance program work in practice? 

An effective compliance program must continuously evolve. This involves regular updates to risk assessments, policies and procedures based on lessons learned and emerging risks, such as AI. Internal audits and control testing are essential for ensuring the program’s effectiveness. A well-functioning mechanism for investigating misconduct is crucial, including appropriately scoped investigations by qualified personnel, thorough documentation and timely response to findings. Conducting a root cause analysis of misconduct and implementing timely remediation measures are key to preventing recurrence. This includes addressing systemic issues, improving controls and holding individuals accountable for their actions. 

Applying the updated guidance 

Following this updated guidance, life sciences companies may consider the following:  

  • Revisit findings from your recent risk assessment or conduct a new assessment if significant time has passed: Ensure that emerging risks and callouts from the DOJ (e.g., AI, post-merger compliance program implementation, incentive compensation, speak-up culture) have been incorporated and, if identified, have been appropriately mitigated.
  • Revise governance documentation: Policies, procedures and job aids should be revised to ensure alignment with new guidance and emerging risks.
  • Leverage data analytics: Consider data dashboards to allow for continuous monitoring and improvement. Where data access is limited, work towards building partnerships with the business to ensure access to necessary data.   

The DOJ’s updated guidelines highlight the importance of a holistic and dynamic approach to compliance. Companies must design, implement and continuously improve their compliance programs to address evolving risks and regulatory expectations. By fostering a culture of compliance and leveraging new technologies, businesses can mitigate risks and enhance their operational integrity. A well-run compliance program is a strategic asset that can drive organizations to meet their business objectives.  

Mark Scallon
Principal
Samantha Sutherland
Director