The new guidance is divided into eleven sections or topics, each of which includes a list of pointed sample questions. The eleven topics are as follows:

1. Analysis and Remediation of Underlying Misconduct
2. Senior and Middle Management
3. Autonomy and Resources
4. Policies and Procedures
5. Risk Assessment
6. Training and Communications
7. Confidential Reporting and Investigation
8. Incentives and Disciplinary Measures
9. Continuous Improvement, Periodic Testing and Review
10. Third Party Management
11. Mergers and Acquisitions

The guidance notes that the topics and questions listed do not form a checklist and that they "may not all be relevant, and others may be more salient given the particular facts at issue."

The DOJ’s focus remains on classic considerations—(1) the compliance program’s structure, (2) the effectiveness of its implementation, and (3) whether the organization has a genuine culture of compliance. Specifically, the guidance includes sample questions designed to reveal whether the program is organized in a way that allows the compliance functions to operate autonomously but with direct reporting lines to the top of the organization, as well as whether the unique risks and operations of the corporation were assessed and considered when creating the program. To determine whether the program is being implemented appropriately and effectively, the guidance asks about how the corporation gathers and evaluates information from its “reporting mechanisms” and investigative processes, the corporation’s processes for the development of new policies and procedures, and the frequency and consistency of disciplinary actions taken. To assess the corporation’s culture of compliance, the DOJ considers the tone at the top—how senior leadership acts as a role model for appropriate behavior and its “commitment to compliance” and remediation—and the “stature” of the compliance program and compliance personnel within the organization, including compliance personnel salaries and rank and the resources the corporation invests in its compliance functions. Additionally, the guidance gives significant attention to how a corporation manages its relationships with third parties, including risks posed by working with third parties and how the corporation monitors third parties’ activities and “incentivize[s] compliance and ethical behavior by third parties.”

The overall tone is that the DOJ expects a compliance program to strive for continual improvement and to demonstrate a daily mindset that is self-critical rather than self-satisfied. This is especially pertinent in the aftermath of a compliance breakdown—the context in which DOJ program evaluations always take place—when root cause analysis and control remediation is front and center. But the unmistakable message is that questions like “What gaps are we missing?” and “How can we improve our training and controls?” should be at the top of the compliance officer’s agenda not only when misconduct has been discovered, but also beforehand, when all seems well.

While the topics and sample questions draw from existing guidance and will be no surprise to anyone who has been following DOJ’s public statements about compliance programs, the new guidance does provide companies with a useful measuring stick for assessing their existing compliance programs and making adjustments as needed. The guidance will also serve as an important resource for companies under investigation and their counsel when they are preparing compliance-related presentations or written submissions to the DOJ. 

1. The guidance can be accessed here: https://www.justice.gov/criminal-fraud/page/file/937501/download.

2. Prior guidance appears in the United States Attorney’s Manual, the United States Sentencing Guidelines, Fraud Section corporate resolution agreements, A Resource Guide to the U.S. Foreign Corrupt Practices Act, Good Practice Guidance on Internal Controls, Ethics, and Compliance adopted by the Organization for Economic Co-operation and Development, and the Anti-Corruption Ethics and Compliance Handbook for Business.

[View source.]