DOJ Standards for Compliance & Ethics Programs
Photo - D. Smith
[Originally Posted 11 March 2026]
Yesterday, the Department of Justice (DOJ) released its minimum standards for a corporate compliance & ethics program.
This presents an immediate Strategic Planning opportunity to: (a) perform a gap analysis to determine whether your current policies, procedures, practices, and management systems align with this new DOJ policy; (b) perform a SWOT analysis to determine Strengths, Weaknesses, Opportunities, and Threats in relation to the DOJ policy; (c) to establish 2026 goals to address any gaps and the SWOT output; and (d) recalibrate your 2026 Strategic Plan accordingly.
Here are some of the key compliance & ethics program criteria from the new DOJ policy:
1. Voluntary Self-Disclosure of potential wrongdoing at the earliest possible time, even when a company has not yet completed an internal investigation, if it chooses to conduct one. It is important to note that these disclosures relate to conduct where the company had no preexisting obligation to disclose the misconduct. The DOJ expectation is timely and transparent disclosure.
2. Timely and Appropriate Remediation must be based on Root Cause Analysis and Risk Management. Here is what that might look like: A shared Enterprise Risk Management system being used to make business, operational, compliance monitoring, and audit focus decisions with the risk management system frequently updated by data. Company procedures and compliance training should be aligned with the risk management system. The company should perform gap analysis to determine whether compliance risks are addressed in policies, procedures, controls, and training. The company should conduct root cause analysis of non-compliance events (audits, investigations, gap analysis, etc.) in an aligned manner.
3. The DOJ may decline to prosecute a company for criminal conduct if “There are no aggravating circumstances related to the nature and seriousness of the offense, egregiousness or pervasiveness of the misconduct within the company, severity of harm caused by the misconduct, or corporate recidivism, specifically, a criminal adjudication or resolution either within the last five years or otherwise based on similar misconduct by the entity engaged in the current misconduct.” The DOJ elsewhere defines “Recidivism” as “the tendency of a convicted criminal to relapse into criminal behavior, resulting in re-arrest, reconviction, or return to incarceration. It represents a "falling back" into illegal acts after experiencing sanctions or rehabilitation, often used to measure the effectiveness of criminal justice.” AI can be a useful tool in identifying past enforcement actions against the company. Past noncompliance may warrant more robust compliance approaches.
The DOJ policy includes a helpful flow chart for interpreting its Corporate Enforcement and Voluntary Self Disclosure Policy (CEP).
