The DOJ’s new corporate enforcement policy has a headline promise — leniency for companies that self-disclose, cooperate and remediate — but CoreStream GRC’s Paul Cadwallader argues the more important signal is about timing. The policy, read alongside the Balt SAS resolution, suggests companies will increasingly be judged not just on whether they remediate but on how early they can surface problems and act before the facts are fully assembled.
In March, the US Department of Justice announced its first-ever department-wide corporate enforcement policy for criminal cases. The policy is meant to create more consistency across the department and to incentivize companies to voluntarily self-disclose misconduct, cooperate and timely remediate.
The most important thing about this policy is not the headline promise of leniency. It is what the policy reveals about timing. Together with the Balt SAS resolution announced days later, the DOJ is signaling that companies will be judged not only on whether they remediate but on how early they can surface problems, investigate them and act before the case is fully formed.
The DOJ is making something much clearer than many companies have been willing to admit: Remediation is no longer judged only at the closing dates, after outside counsel is engaged, the facts are neatly assembled and the organization is preparing for settlement. Under this policy, remediation is increasingly being judged earlier, by whether a company can detect misconduct, escalate it, investigate it and act while the facts are still developing. The policy explicitly says the DOJ encourages voluntary self-disclosure at the earliest possible time, even when a company has not yet completed an internal investigation, and it says disclosure must happen within a reasonably prompt time after the company becomes aware of the misconduct.
The most useful detail in the DOJ’s March 19 announcement of the Balt resolution was not simply that the company self-disclosed; it was when. The misconduct was identified during an internal investigation that was ongoing at the time of disclosure, the department said. In other words, the company did not wait for every fact to be fully mapped before deciding to come forward.
Historically, executive teams often waited until they had a fuller picture before deciding whether to escalate, disclose or intervene. This policy puts more weight on a different mindset: identifying a credible risk signal earlier, acting on it and being willing to make serious decisions before perfect information exists.
That should force an uncomfortable question inside a lot of organizations. Not, “Would we self-disclose if we found something serious?” but “Could we identify something serious early enough to still have that choice?”
It should also be stated here: This isn’t just the DOJ talking. The SEC’s FY2025 whistleblower report says the commission received an estimated 27,000 whistleblower tips in FY2025, though about 12,000 of those were attributable to two individuals. More importantly, the SEC says award percentages may be increased when claimants participate in internal compliance or reporting systems, and it reduced eight awards in FY2025 for unreasonable reporting delay.
DOJ’s compliance-program guidance now looks even more operational
This is where the DOJ’s “Evaluation of Corporate Compliance Programs” should become more than reference material for lawyers. It becomes a blueprint for what remediation readiness looks like before a matter blows up.
The DOJ tells prosecutors to assess whether the company has appropriate processes for the submission of complaints and for protecting whistleblowers. It also directs prosecutors to examine whether complaints are routed to proper personnel, whether investigations are completed in a timely and thorough way and whether appropriate follow-up and discipline occur. The guidance goes further, asking whether the company applies timing metrics to ensure responsiveness and whether it tests the effectiveness of hotline or reporting mechanisms by tracking a report from start to finish.
That last point is especially revealing. The DOJ is not interested in whether a hotline merely exists. It is interested in whether the mechanism actually works, whether it produces timely action and whether the company can show that reports become decisions, investigations, accountability and program change.
That has several implications.
Speed of escalation now matters more
A reporting channel is not effective simply because it receives complaints. It has to get the right issue to the right people at the right speed. If a serious allegation sits in fragmented inboxes, bounces between HR, legal, audit and compliance, or waits for a committee cycle before triage, the company may lose the timing advantage the DOJ policy is effectively rewarding.
Misconduct rarely appears through a single channel
Most serious issues do not arrive in one clean, labeled stream. Early warning signs can emerge through hotline reports, internal audit findings, HR grievances, control testing, third-party due diligence, transaction monitoring, policy attestations, manager concerns, compliance reviews or patterns in operational data. That matters because the DOJ’s own compliance guidance asks what information a company collects to detect misconduct, whether it has access to the data needed to identify potential wrongdoing or program weaknesses, and whether it can show that issues are being identified at the earliest possible stage. It also emphasizes continuous improvement, periodic testing, monitoring and auditing.
Ownership of investigations is no small detail
The guidance also asks who determines which complaints or red flags merit further investigation, who makes that determination and who conducts the investigation. Those are not technical process questions. They go to whether the company can move from signal to action without confusion over ownership. Many organizations have written protocols. Far fewer have genuinely clear decision rights. When a serious issue emerges, uncertainty over who owns intake, who can elevate it, who decides materiality and who can authorize next steps quickly becomes more than an administrative weakness. In an enforcement environment that places real value on early disclosure and prompt remedial action, it can shape the outcome.
Remediation is broader than closing the case
The DOJ also asks whether investigations are used to identify root causes, system vulnerabilities and accountability failures, including among supervisory managers and senior executives. That is a much broader conception of remediation than disciplining one wrongdoer and closing the file. Balt is instructive here, too. The DOJ did not simply note cooperation; it pointed to internal control improvements, training and changes to business relationships. That is what credible remediation looks like in practice: not just ending the incident but changing the conditions that allowed it.
Incentives are part of the enforcement picture
The DOJ asks how companies incentivize compliance and ethical behavior, what percentage of executive compensation is structured to encourage enduring ethical business objectives and whether bonuses or deferred compensation can be canceled or recouped. That is a serious challenge to programs that still treat ethics as messaging while leaving the real reward system untouched. If pay, promotion and management pressure all tilt toward performance at any cost, delay is often being built into the system long before the first report is filed.
