The U.S. Department of Justice (DOJ) guidance on corporate compliance includes an important time component instructing prosecutors to consider the effectiveness of a compliance program not only when misconduct occurred, but when making charging decisions and upon resolving a case, notes Jennifer L. Evans, JD, office managing partner with the Polsinelli law firm in Denver.
The guidance illustrates DOJ’s expectation that effective compliance programs will evolve over time based on the legal risks in a company’s general business operations and during transactions and business change when risks may increase, she says.
Evans notes that the DOJ’s Criminal Division instructs prosecutors to ask three questions when evaluating a corporate compliance program:
• Is the corporation’s compliance program well-designed?
• Is the compliance program being implemented effectively?
• Does the compliance program work in practice?
These elements are not new, she notes, but the guidance should help companies evaluate their compliance effectiveness. Evans provides the following summary of major takeaways from the new guidance:
• Risk assessments are critical. The government expects an effective compliance program to uniquely respond to compliance risks in a company’s operations. Not all similar companies will have the same risk profile, and risk assessments should occur on a regular basis.
Four factors are of particular importance. Increased risk when starting a new line of business is a primary concern, along with mergers and acquisitions (M&A). With M&A, companies must consider the compliance of target companies and have a plan to fix problems if needed. Working with third-party managers and vendors also is important. Arrangements must be carefully structured and have significant compliance oversight to protect a company from permitting or encouraging a violation of law through someone else. Risk assessments should be completed for new activities and repeated on a regular basis for ongoing business lines, with the risk assessments changing over time based on results.
• Measure results, and respond. The government expects effective compliance programs to respond to risk assessments and changed business environments by testing and measuring results. Routine evaluations should lead to measurable results of compliance with company requirements and the law. Without the ability to report identification, investigation, and remediation of compliance issues, a company cannot adjust its compliance program to address its key risks, and the government will not view the compliance program as effective.
• Effective compliance programs are dynamic. The government expects an effective compliance program to change over time in response to changed risks, business practices, and markets. In addition to regularly scheduled reports, audits, and risk assessments, the compliance program should respond and fine-tune requirements based on those inputs and external changes in the business environment. When budgeting time and economic resources for compliance, there should be capacity for both ongoing oversight and unexpected issues that may arise. An effective compliance program today, unchanged, will not be an effective compliance plan tomorrow.
William H. Maruca, JD, partner with the law firm of Fox Rothschild in Pittsburgh, also notes that a well-designed program should cover risk assessment, policies and procedures, training and communications, confidential reporting structure and investigation process, third-party management, and M&A.
A well-designed compliance program should apply risk-based due diligence to its third-party relationships, Maruca says. That should include risk-based and integrated processes, appropriate controls, management of relationships, and real actions and consequences.
• Jennifer L. Evans, JD, Office Managing Partner, Polsinelli, Denver. Phone: (303) 583-8211. Email: email@example.com.
• William H. Maruca, JD, Partner, Fox Rothschild, Pittsburgh. Phone: (412) 394-5575. Email: firstname.lastname@example.org.