No Result
View All Result
SUBSCRIBE | NO FEES, NO PAYWALLS
MANAGE MY SUBSCRIPTION
NEWSLETTER
Corporate Compliance Insights
  • Home
  • About
    • About CCI
    • CCI Magazine
    • Writing for CCI
    • Career Connection
    • NEW: CCI Press – Book Publishing
    • Advertise With Us
  • Explore Topics
    • See All Articles
    • Compliance
    • Ethics
    • Risk
    • FCPA
    • Governance
    • Fraud
    • Internal Audit
    • HR Compliance
    • Cybersecurity
    • Data Privacy
    • Financial Services
    • Well-Being at Work
    • Leadership and Career
    • Opinion
  • Vendor News
  • Library
    • Download Whitepapers & Reports
    • Download eBooks
    • New: Living Your Best Compliance Life by Mary Shirley
    • New: Ethics and Compliance for Humans by Adam Balfour
    • 2021: Raise Your Game, Not Your Voice by Lentini-Walker & Tschida
    • CCI Press & Compliance Bookshelf
  • Podcasts
    • Great Women in Compliance
    • Unless: The Podcast (Hemma Lomax)
  • Research
  • Webinars
  • Events
  • Subscribe
Jump to a Section
  • At the Office
    • Ethics
    • HR Compliance
    • Leadership & Career
    • Well-Being at Work
  • Compliance & Risk
    • Compliance
    • FCPA
    • Fraud
    • Risk
  • Finserv & Audit
    • Financial Services
    • Internal Audit
  • Governance
    • ESG
    • Getting Governance Right
  • Infosec
    • Cybersecurity
    • Data Privacy
  • Opinion
    • Adam Balfour
    • Jim DeLoach
    • Mary Shirley
    • Yan Tougas
No Result
View All Result
Corporate Compliance Insights
Home Compliance

The DOJ is Getting Smarter: The Revised Evaluation Criteria

What You Need to Know About the Updated Guidance

by Win Swenson
July 6, 2020
in Compliance, Featured
workers pushing cubes, bested by worker pushing ball; concept of working smarter

It took a while, but the U.S. Department of Justice is getting ever smarter about analyzing compliance programs. Compliance Systems Legal Group Partner Win Swenson describes this historical trend, explains why it is happening and highlights important takeaways from the DOJ’s recently revised criteria.

In 1995, four years after promulgation of the Organizational Sentencing Guidelines – the first law or government policy to provide credit for corporate compliance programs – Senator Edward M. Kennedy addressed a large audience of government policymakers, private lawyers and compliance professionals. Kennedy, a chief sponsor of the law that created the Sentencing Commission, followed the Guidelines closely, and he had a concern:

“Unless prosecutors … have the expertise to assess compliance program effectiveness, there is a risk that companies without substantial programs will get a free ride, and those with strong programs will not get the credit they deserve.”[1]

Kennedy was early in raising this concern, and he was right. Not only was compliance a new area of endeavor in 1995, but federal prosecutors had historically lacked real-word corporate experience and therefore an understanding of the environments in which compliance programs operate.

Some years later, I was asked to provide a training session on compliance credit under the Guidelines to federal prosecutors at the National Advocacy Center in Columbia, South Carolina. At the start of the session, I asked how many of the Assistant United States Attorneys in attendance had spent part of their professional life inside a corporation. In an audience of about 80, three hands went up.

And so here is the truth: while federal prosecutors typically are highly capable lawyers, they seldom come to the table with firsthand knowledge about managing a business.

In the 2000s, the concern that prosecutors lacked expertise to evaluate compliance programs became even more relevant as prosecutors increasingly used deferred and non-prosecution agreements to resolve cases, largely cutting out federal judges who would otherwise be applying the Guidelines and sorting out credit for compliance programs in a more traditional, and public, adversarial setting.

By 1999, the DOJ formally adopted a policy that compliance programs should play a role in prosecutorial decision-making, but it still took until 2015 for the Department of Justice to acquire relevant compliance expertise; it did so with the hiring of a DOJ consultant, Hui Chen, a lawyer with strong corporate compliance experience.

Hui led the effort to issue the DOJ’s first Evaluation of Corporate Compliance Programs criteria in May 2017, but she left the Department a few months later and there have been two additional iterations of the evaluation criteria in the three years since, in April 2019 and June 2020.

Free Download: DOJ’s 2020 Updated Guidance; a whitepaper by Tom Fox – CCI Exclusive

These later iterations show increased sophistication about the nuances of effective compliance programs, and the interesting thing is that they were developed without the benefit of a replacement for Hui Chen – that is, without a designated expert on compliance inside the DOJ.

So how is the Department’s knowledge of compliance growing? In a world obsessed with innovations in artificial intelligence, we may forget that there is a human analog: The Department, and the SEC along with it, are being regularly schooled on effective programs by reviewing the presentations of companies coming before them to resolve FCPA and other alleged legal violations.

Companies that have had compliance issues of this kind, and before deferred and non-prosecutions are finalized, typically do their utmost to ensure their programs are state-of-the-art.  At stake if their programs fail to impress the government are the possibility of having a monitor imposed and almost certainly higher penalties; so, for months, while their cases are pending, these companies enhance their programs and work on their pitch to the government to show how well their programs work.

What the government gets out of this is a continuing education about the smartest innovations in compliance.

Putting details aside for the moment, that should be the biggest takeaway from the DOJ’s recently revised evaluation criteria – an understanding that the bar is truly going up; any company that wants insurance that its compliance program will be favorably viewed by the government, should the occasion ever arise, should be paying very close attention to evolving best practices. Because the DOJ is.

Compliance programs are, of course, a holistic sum of their parts. There is no one thing to concentrate on. However, turning to the details, here are some areas that get emphasis in the updated, ever “smarter” evaluation criteria:

Policies

This area seems clearly to have been derived from companies coming to the DOJ with state-of-the-art, increasingly digital programs. It is no longer enough to merely have policies; the DOJ criteria now state they should be “published in a searchable format for easy reference,” and the “company [should] track access to various policies and procedures to understand what policies are attracting more attention from relevant employees.”

Training

Also reflecting evolving best practices, the DOJ criteria now recognize that long-form, learn now, but apply later training may be less effective than “shorter, more targeted training sessions to enable employees to timely identify and raise issues to appropriate … functions.” Elsewhere, the criteria emphasize that training – even if online – should allow trainees to ask questions, be assessed for impact on behavior and also have more targeted versions applicable to personnel in control functions.

Risk Assessment

The evaluation criteria return again and again to the theme that risk assessment is key, must be ongoing – not merely a “snapshot” – and that it must rely on a regular flow of “operational data and information across functions.”  Companies are well-advised to take this guidance to mean, among other things, that risk assessment should be granularized as much as possible, taking into account differences by business units and geographies when it comes to things like gifts and hospitality spending, third-party sales agent commissions and charitable donations.

Read: DOJ’s Risk Assessment Expectations In the New DOJ Guidance – By Jeffrey Kaplan for CCI

Monitoring and Data Analytics

The DOJ’s focus on ongoing risk assessment can also be thought of as continuous monitoring informed by strong data. The evaluation criteria state, for example:

  • “Data Resources and Access – Do compliance and control personnel have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls and transactions? Do any impediments exist that limit access to relevant sources of data, and if so, what is the company doing to address the impediments?”
  • “Third-Party Management – Does the company engage in risk management of third parties throughout the lifespan of the relationship, or primarily during the onboarding process?”
  • “Effectiveness of the Reporting Mechanism – … Does the company take measures to test whether employees are aware of the hotline and feel comfortable using it?”

Incentives and Discipline

For the first time, the 2020 DOJ criteria ask: “Does the compliance function monitor its investigations and resulting discipline to ensure consistency?” This signals that compliance should have a seat at the table when disciplinary decisions are being made – which we have found to be a good, but not always applied, practice.

Tone in the Middle

Although receiving less new discussion than other areas, the evaluation criteria do double down on the idea that while tone at the top is critical, a culture of ethics and compliance must be established at “all levels of the company,” which means “from the middle” as well as the top. And the criteria ask, “have supervisory employees received different or supplementary training?”

Senator Kennedy raised an important concern in 1995. Twenty-five years later, it is evident that the DOJ and other governmental entities are increasingly able to distinguish “companies without substantial programs” from those with “strong” ones. As intended by the Guidelines’ original “carrot and stick” philosophy, this is good news for companies that work hard to get it right – and not-so-good news for companies that do not.


[1] Keynote Address by Senator Edward M. Kennedy, Proceedings of the Second Symposium on Crime and Punishment in the United States, “Corporate Crime in America: Strengthening the Good Citizen Corporation,” U.S. Sentencing Commission (September 7-8. 1995).


Tags: Data AnalyticsDOJMonitoringRisk AssessmentTraining
Previous Post

Why Do We Believe What We Believe?

Next Post

Getting Your Systems Battle-Ready for the LIBOR Transition

Win Swenson

Win Swenson

Win Swenson is a Partner at Compliance Systems Legal Group (CSLG), a law firm practicing exclusively in the areas of corporate governance, compliance and ethics. Win served as Deputy General Counsel at the U.S. Sentencing Commission from 1990 to 1996, leading the unit that developed the federal sentencing guidelines for organizations and establishing the principal model for corporate compliance/ethics programs used in the U.S. He later served on the Sentencing Commission’s advisory group that made recommendations leading to guideline amendments in 2004. He also previously led the compliance/ethics consulting practice of KPMG LLP in the U.S., has assisted organizations on a broad range of matters relating to compliance/ethics program management and evaluation, served as Counsel to the Senate Judiciary Committee (Senator Edward M. Kennedy’s staff) and was in private law practice with Kaye Scholer Fierman Hays and Handler in Washington, D.C. In addition to his work with public companies, Win has been retained directly by the U.S. Department of Justice to evaluate the compliance program of a publicly traded company that the government was deciding whether to charge criminally. He also has served on the faculty at the Department of Justice’s National Advocacy Center, where he has provided training to federal prosecutors on how to evaluate compliance programs.

Related Posts

doj sign front

Assessing the Business Risks of the Trump Administration’s ‘Total Elimination’ Strategy

by José Cortina and Jennifer Christian
May 20, 2025

As cartels increasingly participate in mainstream economic activities, traditional due diligence practices become inadequate to address new material support risks

check engine light

What Gets Measured Gets Managed, but What Actually Matters in Compliance?

by Keshonda Walker
May 16, 2025

Looking beyond standard measurements to identify the quiet signals that help compliance teams address issues before they become crises

Ethiciti Neuroscience Compliance Training

Neuroscience of Compliance Training

by Corporate Compliance Insights
May 14, 2025

Is your compliance training working with your employees' brains or against them? Whitepaper Neuroscience-Driven Training Techniques What’s in this whitepaper...

hidden value abstract

CCO Insights: How to Articulate the True Value of Your Compliance Program

by Kenneth Koch and Phillip Ostwalt
May 14, 2025

Benefits of robust programs aren’t always obvious, but buy-in remains critical

Next Post
man in suit with blue boxing gloves

Getting Your Systems Battle-Ready for the LIBOR Transition

No Result
View All Result

Privacy Policy | AI Policy

Founded in 2010, CCI is the web’s premier global independent news source for compliance, ethics, risk and information security. 

Got a news tip? Get in touch. Want a weekly round-up in your inbox? Sign up for free. No subscription fees, no paywalls. 

Follow Us

Browse Topics:

  • CCI Press
  • Compliance
  • Compliance Podcasts
  • Cybersecurity
  • Data Privacy
  • eBooks Published by CCI
  • Ethics
  • FCPA
  • Featured
  • Financial Services
  • Fraud
  • Governance
  • GRC Vendor News
  • HR Compliance
  • Internal Audit
  • Leadership and Career
  • On Demand Webinars
  • Opinion
  • Research
  • Resource Library
  • Risk
  • Uncategorized
  • Videos
  • Webinars
  • Well-Being
  • Whitepapers

© 2025 Corporate Compliance Insights

Welcome to CCI. This site uses cookies. Please click OK to accept. Privacy Policy
Cookie settingsACCEPT
Manage consent

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.
CookieDurationDescription
cookielawinfo-checbox-analytics11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional11 monthsThe cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy11 monthsThe cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
Functional
Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.
Performance
Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.
Analytics
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.
Advertisement
Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.
Others
Other uncategorized cookies are those that are being analyzed and have not been classified into a category as yet.
SAVE & ACCEPT
No Result
View All Result
  • Home
  • About
    • About CCI
    • CCI Magazine
    • Writing for CCI
    • Career Connection
    • NEW: CCI Press – Book Publishing
    • Advertise With Us
  • Explore Topics
    • See All Articles
    • Compliance
    • Ethics
    • Risk
    • FCPA
    • Governance
    • Fraud
    • Internal Audit
    • HR Compliance
    • Cybersecurity
    • Data Privacy
    • Financial Services
    • Well-Being at Work
    • Leadership and Career
    • Opinion
  • Vendor News
  • Library
    • Download Whitepapers & Reports
    • Download eBooks
    • New: Living Your Best Compliance Life by Mary Shirley
    • New: Ethics and Compliance for Humans by Adam Balfour
    • 2021: Raise Your Game, Not Your Voice by Lentini-Walker & Tschida
    • CCI Press & Compliance Bookshelf
  • Podcasts
    • Great Women in Compliance
    • Unless: The Podcast (Hemma Lomax)
  • Research
  • Webinars
  • Events
  • Subscribe

© 2025 Corporate Compliance Insights