(Sponsored) Corporate compliance programs face increasing scrutiny as the DOJ applies its evaluation framework across industries and company sizes, from multinational corporations to mid-market businesses like e.l.f. Cosmetics. The department’s guidance centers on three fundamental questions about program design, implementation and effectiveness, but many organizations struggle to move beyond “paper programs” that exist in theory but fail in practice. Ethena’s Susan Divers explains how to use the ECCP proactively to build programs that not only satisfy regulators but create genuine cultural change and measurable risk reduction.
When it comes to ethics and compliance programs, “good enough” is anything but. From record-breaking FCPA settlements to sweeping investigations across industries, the DOJ has made it clear: If your compliance program can’t withstand scrutiny, your company is vulnerable — legally, financially and reputationally.
The “Evaluation of Corporate Compliance Programs” (ECCP) is the DOJ’s playbook for evaluating corporate ethics and compliance programs. But it’s not just a tool for prosecutors. For E&C leaders, it’s a roadmap for building a modern, risk-aligned and effective program — and a shield against enforcement actions when things go wrong.
Whether you’re updating an existing compliance program or building one from scratch, the ECCP can be your best tool for avoiding fines, earning leniency in enforcement actions and, most importantly, protecting your organization from real harm.
Let’s explore how you can use it as a proactive tool to future-proof your compliance program.
Why the ECCP matters
The DOJ’s “Evaluation of Corporate Compliance Programs” is a guidance document that outlines how prosecutors assess whether a company’s compliance program is effective. It plays a key role in determining whether a company is prosecuted — or granted leniency — in the event of corporate misconduct.
You don’t have to be a global giant to land in the DOJ’s crosshairs, either. In recent years, companies of all sizes — including Brazilian airline GOL and California beauty brand e.l.f. Cosmetics — have found themselves under DOJ scrutiny. These cases underscore a clear message: every company, regardless of size, needs a strong compliance program.
Using the ECCP as a self-assessment tool
At its core, the ECCP is structured around three deceptively simple questions:
- Is your compliance program well-designed?
- Is it being applied earnestly and in good faith?
- Does it work in practice?
Let’s walk through each one and how to tackle them:
1. Is your program well-designed?
This is the foundation of any effective ethics and compliance program. A well-designed program isn’t a generic, off-the-shelf solution — it’s carefully crafted to reflect the specific risks, structure and operations of your organization. The DOJ has made clear that it expects companies to tailor their programs to their unique risk profile, industry and workforce — not simply replicate what another company is doing.
So, what does good design look like?
- Risk assessments that are specific, ongoing and dynamic. Your compliance efforts should be grounded in a deep understanding of where the greatest risks lie. This includes evaluating your industry, geographic footprint, supply chain, third-party relationships and prior misconduct (if applicable).
- Clear, updated policies that are easy to find and understand. Every employee should be able to navigate your code of conduct and other issue-specific company policies like sexual harassment and anti-retaliation. Use plain language and real-world examples, and remember culturally relevant adaptations when operating globally.
- Compliance training that’s relevant to employees’ roles, interactive and regularly updated. Ethena’s in-house production studio builds custom courses with this exact purpose in mind.
- Confidential reporting channels with clear investigation protocols. Ethics hotlines, web portals, mobile apps — the more accessible, the better. But just as important as the channel is what happens next: Are investigation protocols standardized and well-documented? Regulators will want to see a track record of prompt, impartial investigations and responsive remediation when warranted.
Use your compliance training data to flag trends and tailor improvements. For example, if learners are consistently missing questions in a certain area, it might point to a policy gap or risk hotspot.
2. Is your program being applied in good faith?
It’s not enough to have a great compliance program on paper. Regulators want to see that it’s truly being used, championed and integrated into the daily operations of the organization. This is where many companies stumble: A beautifully crafted code of conduct or a state-of-the-art training platform won’t matter if the program isn’t actively supported and enforced.
Applying a program “in good faith” means the organization is doing more than checking boxes. It involves making a genuine effort to embed ethics and compliance in how business gets done. That includes:
- Tone at the top: Leadership must visibly and vocally champion the compliance program. When executives reference ethical behavior in all-hands meetings, tie it to performance metrics and model it through ethical decision-making, it signals to employees that compliance isn’t optional — or superficial.
- Independence and resources: The compliance function should have the autonomy to operate without interference and the budget and tools it needs to be effective. This includes access to data and decision-makers and the ability to raise concerns directly to the board or audit committee when necessary.
- Consistent enforcement: Ethical standards must apply to everyone. If a high-performing executive escapes accountability for a policy violation, it undermines the program’s credibility. The DOJ explicitly looks for documentation of disciplinary actions taken across roles and ranks to ensure fairness and follow-through.
Too often, compliance falters in this implementation stage. Programs that lack visible leadership support, proper funding or real consequences for bad behavior quickly become what the DOJ calls “paper programs” — frameworks that exist in theory but are ignored in practice.
A well-written policy might keep regulators interested, but a well-executed program is what earns their trust.
3. Does your program actually work?
This is where theory meets practice. It’s one thing to design a comprehensive E&C program and say all the right things; it’s another to prove that your efforts are producing real, measurable outcomes. This third pillar of the ECCP is arguably the most critical, because it tests whether your compliance program is functioning effectively in the real world.
It’s important to note that the DOJ isn’t expecting perfection. Instead, the department is looking for evidence that your program can detect misconduct, respond to it and evolve in response to changing risks.
- Monitor effectiveness through data. Are employees completing training? Are they retaining the material? Are reports being filed and followed up on promptly? Culture surveys, training analytics, case management trends and even test-out rates can all provide valuable insight into what’s working and where improvement is needed.
- Audit and test regularly. Conducting periodic audits, especially in high-risk areas, helps ensure policies are being followed. The DOJ also encourages companies to test internal systems proactively. For example, you might simulate a reporting scenario to test how your hotline, triage protocols and investigation processes function in real time.
- Investigate incidents promptly and learn from them. Ensure every concern raised is taken seriously, investigated thoroughly and addressed appropriately. These investigations should feed back into your risk assessments, training updates and policy revisions. If one team has repeated violations, it may signal a leadership gap or unclear expectations — both of which should be addressed at the root.
- Adapt and evolve over time. Compliance is not a static discipline. New regulations, shifting enforcement priorities, internal growth and emerging risks (like AI, data privacy or hybrid work policies) require ongoing adaptation. Your program should include a built-in process for regular policy reviews, training updates and process improvements.
In the end, the program that works is one that builds trust, both internally and externally. Employees feel confident raising concerns. Managers know how to respond. And when things go wrong (as they inevitably will), your organization has the processes and cultural foundation to respond with integrity.
That’s what regulators want to see — and it’s what a truly effective compliance program delivers.
The bottom line
When you use the ECCP as more than just a regulatory reference, you build something more durable: a workplace grounded in trust, transparency and ethical decision-making.
An effective compliance program isn’t just a shield against prosecution. It’s a strategic asset that fosters a speak-up culture, earns stakeholder confidence and enables sustainable growth. It tells regulators that you’re serious about accountability. It shows employees that their concerns matter. And it proves to investors and customers that ethics aren’t just part of your brand.
For more best practices, including a simple checklist for staying aligned with the ECCP, download our playbook, “Aligning Your E&C Program with DOJ Guidelines.”
Build a better E&C program with Ethena
Ethena’s compliance training platform is designed to keep you aligned with the ECCP and compliant with SOX, SOC II and more. From a modular training library of 150-plus customizable courses to our built-in ethics hotline, case manager and phishing simulator, we help you meet — and exceed — compliance expectations.
Ready to see how your program stacks up? Book a demo with our team and explore how Ethena can help bring the ECCP to life in your organization.