What the DOJ Actually Looks for in a Compliance Program (And Why Most Fail)
A compliance program that satisfies an internal audit is not the same as one that satisfies a federal inquiry.
Most corporate compliance programs are built to be defensible in theory. They have a code of conduct. They have a hotline. They have annual training completions logged in an LMS and a compliance officer who reports somewhere into the organizational structure. On paper, the boxes are checked.
The Department of Justice doesn't evaluate compliance programs on paper. It evaluates them under conditions designed to determine whether the program actually works — whether it would have detected the conduct at issue, whether it was adequately resourced to do so, and whether the culture of the organization supported its operation or quietly undermined it.
The gap between a program designed to check boxes and one designed to survive that scrutiny is where most corporate compliance failures live. Understanding what the DOJ is actually looking for — as laid out in its Evaluation of Corporate Compliance Programs guidance and demonstrated through a decade of enforcement actions — is the starting point for closing it.
"The DOJ's central question is not whether a compliance program exists. It is whether it would have worked."
The Three Questions the DOJ Is Asking
The DOJ's ECCP guidance frames the evaluation of any compliance program around three core questions. They are worth understanding precisely, because they define the standard against which every element of a program will be measured if it comes under scrutiny.
The first is whether the compliance program was well-designed. This goes beyond the existence of policies and procedures to ask whether those policies were tailored to the actual risk profile of the business — the specific markets it operates in, the third parties it depends on, the transactions it executes, and the regulatory environments it navigates. A generic program applied uniformly to a multinational operating in high-corruption jurisdictions through local intermediaries is not well-designed. It is a liability dressed up as a control.
The second is whether the program was applied earnestly and in good faith — or whether it existed primarily as a paper exercise. The DOJ looks hard at the distance between what a program says and what the organization actually does: whether the compliance function has genuine authority and resources, whether senior leadership treats compliance as a business priority or a burden, and whether the training and communication that the program mandates actually reaches the people in the organization who face the highest-risk situations.
The third — and frequently the most revealing — is whether the program actually works in practice. When an issue arose, did the program detect it? When a report was made, was it taken seriously and investigated rigorously? When the investigation found something, was appropriate action taken? A program that looked good on paper but consistently failed at these moments of operational reality will not receive credit in a DOJ inquiry, regardless of how thorough the documentation appears.
Where Most Programs Fall Short
Risk Assessment Is Generic or Outdated
The foundation of any effective compliance program is a risk assessment that accurately reflects where the organization's actual exposure lies. In practice, most corporate risk assessments are conducted infrequently, rely heavily on self-reporting by the business units being assessed, and produce outputs that describe the business as it was several years ago rather than as it operates today.
A risk assessment that doesn't capture a new market entry, a significant change in the third-party intermediary landscape, or a shift in the regulatory environment governing a key product line is not a risk assessment — it is a historical document. The DOJ will ask when it was last updated and whether the risks it identified reflect the organization's current operations. The answer to both questions matters.
Third-Party Due Diligence Is Superficial
The most common pathway for corporate compliance liability runs through third parties: the agent who facilitated the market entry, the distributor who managed the government relationship, the consultant whose fees were structured in ways that created regulatory exposure. Most corporate third-party programs screen against sanctions lists and conduct a basic internet search. That is not due diligence — it is the minimum threshold below which a program cannot credibly claim to have tried.
Effective third-party compliance requires risk-tiered diligence that is proportionate to the commercial significance and risk profile of each relationship: deeper investigation for intermediaries who interact with government officials, operate in high-corruption jurisdictions, or manage relationships that are commercially critical and poorly documented. That investigation needs to reach beyond databases into the primary sources — the human intelligence that tells you how business is actually conducted in the relevant market.
The Program Hasn't Been Stress-Tested
A compliance program that has never been independently reviewed is a compliance program whose weaknesses are unknown. Most programs are audited internally, by functions that have an institutional interest in a favorable finding. An independent review built to the DOJ's standard applies a different test: it subjects the program to the scrutiny it would face in a government inquiry, evaluates it against the current version of the ECCP (which the DOJ revises periodically), and identifies the gaps that an enforcement context would expose.
The organizations that perform best in DOJ inquiries are those that have already run that review themselves — that have identified their weaknesses under conditions of genuine independence, remediated them, and documented both the findings and the response. That posture, demonstrated through the record, is what program credit in a resolution looks like.
What a DOJ-Standard Compliance Review Evaluates
The organizations that treat compliance program review as an internal exercise, conducted by the people responsible for the program against standards they have defined themselves, are consistently the ones that face the most difficult conversations when a government inquiry begins. The standard that matters is not the one the organization sets for itself. It is the one the DOJ brings to the door.
Building a program against that standard, before it is tested under those conditions, is both the right risk management decision and — under the DOJ's own framework — the one most likely to result in meaningful credit if something goes wrong.