In her recent speech at the Society of Corporate Compliance and Ethics 23rd Annual Compliance & Ethics Institute, Principal Deputy Assistant Attorney General Nicole M. Argentieri discussed the Evaluation of Corporate Compliance Programs (2024 ECCP). (A copy of her remarks can be found here.) Today, I want to consider her remarks and the 2024 ECCP on continuous improvement.
Continuous Improvement: A Foundational Pillar
The ability to adapt and evolve is at the heart of any successful compliance program. Deputy Attorney General Lanny Breuer said as much in 2009, and it is still true today. Continuous improvement ensures compliance programs remain agile and responsive to internal and external pressures. The DOJ’s 2024 ECCP clarified that there is no one-size-fits-all approach to compliance. Instead, companies must tailor their programs to reflect their specific risk profiles, industries, and operational footprints. The three key questions the DOJ asks when evaluating a company’s compliance program are pivotal:
- Is the program well-designed?
- Is it applied in good faith and adequately resourced?
- Does it work in practice?
The answers to these questions must evolve as the company grows, its risk environment changes and new technologies or regulatory frameworks emerge. In other words, continuous improvement should be ingrained in the DNA of the compliance function.
Focus on Emerging Risks and Technology
A critical aspect of the 2024 ECCP update is its emphasis on emerging risks, particularly those related to artificial intelligence (AI) and other disruptive technologies. The DOJ has clarified that prosecutors will closely examine how companies assess and mitigate risks associated with AI and technology-enabled schemes. In an age where AI is increasingly used in business operations, compliance professionals must ensure that their companies are leveraging these technologies ethically and implementing robust controls to monitor for potential misuse.
For instance, as AI systems are deployed in decision-making processes—such as approving financial transactions or conducting due diligence—companies must have mechanisms to validate AI-generated data’s accuracy and reliability. This includes periodic testing, ongoing monitoring, and ensuring that human oversight remains an integral part of the compliance process.
Moreover, continuous improvement in this area involves staying ahead of technological trends. Compliance professionals must regularly update risk assessments for new technological developments, ensuring their controls and policies remain relevant. The ability to proactively manage these emerging risks is a hallmark of a forward-thinking compliance program.
Encouraging a Speak-Up Culture
Another critical update to the ECCP addresses the importance of fostering a “speak-up” culture within organizations. The DOJ’s increased scrutiny of whistleblower protections underscores the need for companies to encourage internal reporting of misconduct without fear of retaliation. Compliance programs must be designed to detect wrongdoing and provide employees with the tools and confidence to report issues when they arise.
Continuous improvement in this area means regularly testing and refining internal reporting mechanisms. Companies should ask themselves: Are our employees aware of how to report misconduct? Do they trust the process? Are we doing enough to protect whistleblowers? The ECCP now explicitly evaluates whether companies have anti-retaliation policies and whether they promote a culture encouraging employees to come forward.
It is also worth noting that companies can earn significant benefits by prioritizing internal reporting. Under the DOJ’s whistleblower pilot program, companies that receive an internal report and then self-disclose misconduct to the DOJ within 120 days can qualify for a presumption of a declination of prosecution. This sends a powerful message that promoting a speak-up culture is the right thing to do and strategically advantageous.
Leveraging Data for Compliance Effectiveness
The 2024 ECCP also strongly emphasizes the role of data in compliance programs. Companies are expected to use data to identify misconduct and assess the effectiveness of their compliance programs. Compliance professionals must ensure adequate access to relevant data sources and the resources to analyze that data effectively.
Continuous improvement in data management involves regularly auditing the sources and quality of data used in the compliance program. Are compliance personnel receiving timely and relevant data? Are there gaps in data collection that could hinder the detection of misconduct? By addressing these questions and implementing the necessary improvements, companies can ensure that their compliance programs function efficiently.
The Power of Adaptation
One of the most insightful aspects of the 2024 ECCP is its focus on learning from past mistakes—whether those mistakes occurred within the company or elsewhere in the industry. The DOJ encourages companies to conduct thorough root cause analyses after incidents of misconduct, using those insights to inform and improve compliance policies and procedures.
Incorporating lessons learned into a compliance program is key to continuous improvement. Companies should routinely review their own experiences and external enforcement actions to identify weaknesses and strengthen their controls. For example, a company that uncovers a gap in its third-party due diligence process should take immediate action to address it and prevent similar issues.
Compensation and Clawbacks: A Shift Toward Accountability
Finally, the DOJ’s Compensation Incentives and Clawbacks Pilot Program is another area where continuous improvement can drive compliance excellence. By aligning compensation structures with ethical behavior, companies can incentivize employees to prioritize compliance. The DOJ now requires that compensation systems include criteria for promoting compliance and deterring misconduct, and early indications suggest that this positively impacts corporate behavior.
Continuous improvement in this area means regularly assessing whether the metrics used to evaluate employee performance are aligned with compliance objectives. Companies should also ensure that their compensation structures provide clear consequences for misconduct, such as clawing back bonuses or withholding future compensation from culpable employees.
In 2024 and as we move to 2025, continuous improvement is not a luxury but a necessity. Compliance professionals must remain vigilant, regularly evaluating and updating their programs to address new risks, leverage emerging technologies, and promote a strong culture of ethics. The DOJ’s 2024 ECCP provides a roadmap for how companies can achieve these goals, but the responsibility ultimately falls on compliance professionals to ensure that their programs are well-designed and effective in practice.
As we progress, the key to success lies in our ability to embrace continuous improvement. We must make the necessary investments in compliance to prevent, detect, and remediate misconduct. By doing so, we protect our organizations from legal and financial risk and foster a corporate culture that values integrity and ethical leadership.