It’s always an exciting time when the DOJ reveals changes in its expectations by updating its Evaluation of Corporate Compliance Program (ECCP) guidance. We’ve waited three years for this iteration, and it does not disappoint!
This is Part II of our top ten takeaways. If you missed Part I, fear not – it can be found HERE. In that blog, we provide a short history of the ECCP, talk about why we love it, and go over the first 5 takeaways and practical actions.
Five Takeaways and Practical Actions
No. 1: There’s a New Focus on Prevention
Sometimes it’s the little things that draw attention instead of the big ones.
The DOJ inserted the word “prevent” twice in the new guidance. In the first substantive section, they added, “Prosecutors should consider whether the program is appropriately designed to detect and prevent the particular types of misconduct most likely to occur…”
They also added it later, in the section on third-party management. “In sum, a company’s third-party management practices are a factor that prosecutors should assess to determine whether a compliance program is in fact able to detect and prevent the particular type of misconduct most likely to occur in a particular corporation’s line of business.”
What to Do Now?
Update your documentation to highlight preventative actions.
The DOJ loves documentation, so update yours to use the word “prevent” and “prevention.” Training, communications, risk assessment mitigation plans, and metrics can all be useful in preventing misconduct.
Be sure to balance the focus on detecting and responding to misconduct with preventative measures.
No. 2: Publicize the Company’s Disciplinary Actions
You may have raised the issue of publicizing the company’s disciplinary actions against misconduct before but heard a big fat NO.
Legal tends to hate the idea of sharing investigations into misconduct and disciplinary outcomes. It can be hard to get traction, despite the fact sharing these stories proves the company’s commitment to taking compliance violations seriously more than anything else.
The DOJ changed the sentence on publicizing disciplinary action from “some companies have found that publicizing disciplinary actions internally, where appropriate and possible, which can have a valuable deterrent effect,” to “Prosecutors may consider whether the companies have publicized disciplinary actions internally, where appropriate and possible, which can have a valuable deterrent effect.”
This is a palpable change. The publicizing of internal actions is now a consideration in whether mitigating credit is given. Woah.
What to Do Now?
Go to leadership to advocate for the publicizing of disciplinary actions. Include some caveats to show your common sense.
Specifically:
➡️ You won’t name names
➡️ You’ll respect privacy by aggregating multiple actions into one story, or, alternatively setting the issue in a location separate from the one in which it happened
➡️ You’ll run the pieces by Legal for sign-off before they go out to the employee population.
People love a good scandal. Sharing the company’s commitment to compliance and ethics is critical in building trust in the speak-up system.

No. 3: Get those Compliance Champions in Place
For the first time, the DOJ included mention of Compliance Champions in the ECCP.
Specifically, “Prosecutors should examine whether a company has made working on compliance a means of career advancement, offered opportunities for managers and employees to serve as a compliance champion or made compliance a significant metric for management bonuses.”
Compliance Champion programs are enormously helpful to a company. They are a way to expand the human resources available to the program and to make inroads into the organization that wouldn’t be possible otherwise.
What to Do Now?
If you don’t have a Compliance Champion program in place, it’s time to start. We’ve written a series of blogs and a checklist to get you started. See HERE and HERE. Begin by identifying people who would be amenable to the position and sketch out what a program would look like.
If you already have a program in place, see if you can zhuzh it up with a fun and educational event this year.
No. 4: Get to the Root Cause of Misconduct and Track Disciplinary Action
The new sections of the ECCP guidance are rife with references to establishing the root causes of misconduct and documenting them. The new guidance also emphasizes tracking the disciplinary action coming out of misconduct to ensure consistency.
For instance, a new sentence reads, “Prosecutors may also consider whether a company is tracking data relating to disciplinary actions to measure effectiveness of the investigation and consequence management functions.” Another tells prosecutors to consider, “What metrics does the company apply to ensure consistency of disciplinary measures across all geographies, operating units, and levels of the organization?”
As to tracking and measuring, one more of many examples reads, “Has the company undertaken a root cause analysis into areas where certain conduct is comparatively over or under-reported?”
What to Do Now?
If you’re using software to manage your investigations, call your customer service representative to help you to evaluate whether there are reporting and tracking features you aren’t using.
You need complete data to perform the monitoring, so if HR isn’t already using your investigation software to enter root cause analysis and disciplinary action, ask them to do so.
Within your case management system (even if it is an Excel sheet on a SharePoint), add a mandatory field for root cause analysis for all substantiated or partially substantiated cases.
Audit the case management system annually to ensure that the required information is being entered and to ensure discipline is consistent throughout the company.
No. 5: Add Clawback Language into Policies and Contracts
Perhaps the most dominant theme in the updated ECCP guidance relates to the clawing back of executive compensation if misconduct is found. This is a HOTLY debated idea that may require much discussion to gain traction.
The DOJ is adamant. For instance, prosecutors are told to ask, “Does the company have policies or procedures in place to recoup compensation that would not have been achieved but for misconduct attributable directly or indirectly to the executive or employee?”
“Are the terms of bonus or deferred compensation subject to cancellation or recoupment, to the extent available under applicable law, in the event that non-compliant or unethical behavior is exposed before the award was issued? Does the company have a policy for recouping compensation that has been paid where there has been misconduct?”
Personally, I think this is the biggest ask from the DOJ. After all, how many executives think, “You know what would be great? Writing into my contract that I can have my big bonus clawed back if I am found to have misbehaved…”
What to Do Now?
If clawback language isn’t in your contracts and policies, the time to advocate is now. In this case, you’re most likely to be successful if you request that the Board of Directors make clawback language in contracts mandatory. With the Board’s mandate, you are much more likely to be successful.
Regarding this issue, it is often easier to draft a policy first, then present it to executive leadership and/or the Board so they can work from something concrete. That way, they can object to certain language as opposed to throwing away the entire idea of clawbacks before you can make the case fully.

Let’s Get Going
Once again, the DOJ has raised its expectations, and done so in writing. It is critical that we respond with vigor to these new pieces of guidance.
The truth is the likelihood of any individual compliance officer ending up before a prosecutor defending the company is slim. However, that shouldn’t stop us from making the changes that would keep us in the good graces of the DOJ if they ever came knocking.
More importantly, if we keep our program evolving to match prosecutorial expectations, we’ll have a best-in-class program to be proud of.