How savvy is your compliance program? Part 1

internet security and data protection concept, blockchain and cybersecurity
The updated release of the DOJs “evaluation of Corporate Compliance Program” can be seen as a reminder. In a good way – because a lot of Corporate Compliance Program implementation goals are currently postponed due to the actual.
The updated release of the DOJs evaluation of Corporate Compliance Program” can be seen as a reminder. In a good way – because a lot of Corporate Compliance Program implementation goals are currently postponed due to the actual. Not judging whether this is a good or bad behaviour but outlining, that certain risks of postponing this business protecting actions are rising and the importance of compliance savviness needs to be addressed.  

Professional Judgement for Compliance programs 

Each business is different and so the individual risk landscape – from which the compliance program is sourced with information – vary. Therefore, it is important to recognize each company’s risk profile and the implemented actions taken to manage the risks. Taken the specific situation of evaluating a corporate compliance program during a criminal investigation – also here are no rigid formula available to be applied for assessing the effectiveness of the corporate compliance program. Considering various factors that might impacting its compliance program the assessment will take place.  

Included factors, but not limited to, are  

  • the company’s size,  
  • industry,  
  • geographic footprint,  
  • regulatory landscape,  
  • and other factors,  
  • both internal and external  

to the company’s operations.  

It is given, that there are common questions asked by the regulators while making an individualized determination and the newly published Justice Manual states, that there are three “fundamental questions” a prosecutor should ask. 

The three fundamental questions … 

…every Board of Directors needs to answer. Not only a prosecutor should ask these three fundamental questions during the assessment of a corporate compliance program but also the Board of Directors. At the time when the regulators ask, it is – most of the time – already too late.  

Bringing up the following “three fundamental questions” to the table on Board level, is crucial: 

  1. “Is the corporation’s compliance program welldesigned?“ 
  2. “Is the program being applied earnestly and in goodfaith?“In other words, is the program adequately resourced and empowered to function effectively?  
  3. “Does the corporation’s compliance programwork“ inpractice? 

Becoming more specific for the above mentioned three questions, the manual provides additional guidance. We all know that these samples – topics and questions – are not to be understood as comprehensive checklist. Depending on different criterias the assessment will be done.  

But for an internal reflection and challenge I would like to share the insights with you. Please be aware that it is also possible to have some of the topics allocated to more than one question only.

Question No. 1: Is the Corporation’s Compliance Program Well Designed?  

The “critical factors in evaluating any program are whether the program is adequately designed for maximum effectiveness in preventing and detecting wrongdoing by employees and whether corporate management is enforcing the program or is tacitly encouraging or pressuring employees to engage in misconduct.” JM 9-28.800*.

Accordingly, prosecutors should examine “the comprehensiveness of the compliance program,” JM 9-28.800, ensuring that there is not only a clear message that misconduct is not tolerated, but also policies and procedures – from appropriate assignments of responsibility, to training programs, to systems of incentives and discipline – that ensure the compliance program is well-integrated into the company’s operations and workforce.” 

Already with this first question I assume that additional questions should come up for the responsible by reflecting internally.  

The listed topics for the first question in the manual are: 

a) Risk Assessment 

b) Policies and Procedures 

c) Training and Communications 

d) Confidential Reporting Structure and Investigation Process 

e) Third Party Management 

f) Mergers and Acquisitions 

Questions No. 2: Is the Corporation’s Compliance Program Adequately Resourced and Empowered to Function Effectively? 

A well-designed compliance program does not help anyone if the implementation is not properly done, resources are missing due to understaffing or inefficient workflows and processes are in place.  

The prosecutors will check whether it is only a fake corporate compliance program existing on the website or paper or really  

a) “implemented, reviewed, and revised, as appropriate, in an effective manner.” JM 9-28.800.

The prosecutor should determine 

b) “whether the corporation has provided for a staff sufficient to audit, document, analyse, and utilize the results of the corporation’s compliance efforts.” JM 9-28.800.  

c) “whether the corporation’s employees are adequately informed about the compliance program and are convinced of the corporation’s commitment to it.” JM 9-28.800; see also JM 9-47.120(2)(c) (criteria for an effective compliance program include “[t]he company’s culture of compliance, including awareness among employees that any criminal conduct, including the conduct underlying the investigation, will not be tolerated”). 

The listed topics for the second question in the manual are: 

a) Commitment by Senior and Middle Management 

b) Autonomy and Resources 

c) Incentives and Disciplinary Measures 

Question No. 3Does the Corporation’s Compliance Program Work in Practice? 

The prosecutors must assess whether a company’s compliance program was effective at the time of the misconduct but as a Board Member we have to respond to that question as part of our responsibility. Prospectively. 

The listed topics for the third question in the manual are: 

a) Continuous Improvement, Periodic Testing, and Review 

b) Investigation of Misconduct 

c) Analysis and Remediation of Any Underlying Misconduct

Identifying the gaps of the existing Corporate Compliance Program 

Having the above mentioned three fundamental questions outlined and the relevant topics allocated, a first guidance for an internal gap analysis is given. Taking actions in these specific field of vulnerability safes the organization a lot of resources in the future – financially and reputational wise.  

Also, during the actual pandemic, we recommend all our clients to keep track with the implementation, review, update, and improvements of their actual Corporate Compliance Program.  

Corporate Compliance is one of the key competitive advantages and it is definitively not worth to give that strategic anchor away. 

“Please do not wait for the regulator telling you what you must do!”

It is our responsibility to protect our business, our teams, clients, and partners. 



*JM 9-28.000 Principles of Federal Prosecution of Business Organizations, Justice Manual (“JM”), available at

Receive the latest news

Subscribe To Our Monthly Newsletter

Get notified about new articles