In the recently released 2024 Update to the Evaluation of Corporate Compliance Programs (2024 ECCP), the Department of Justice (DOJ) has brought new challenges and opportunities for compliance professionals. One of the most significant changes revolves around data access and the role data plays in an effective compliance program. In this blog post, we’ll explore the key takeaways from the updated guidance and what compliance professionals must do to meet these new expectations, especially when gaining and maintaining access to the right data. This is no longer just about best practices; it is now table stakes. Matt Kelly and I explored this question in this week’s Compliance into the Weeds edition.
Now More Than Ever
One of the most notable aspects of the DOJ’s 2024 update is its focus on data access for compliance professionals. The DOJ has made it clear that if you do not have sufficient access to data, you cannot adequately monitor compliance, detect issues, or remediate problems. Compliance officers are no longer given a pass when they say, “I didn’t have access to the data.”
How did we get here? Part of this shift can be attributed to companies that have demonstrated excellence in leveraging data to bolster their compliance programs. Through the heat of DOJ investigations, these businesses have proven that with the right data, compliance officers can detect misconduct more quickly and prevent violations altogether. At the same time, the DOJ recognizes that many companies still struggle to provide their compliance teams with the data they need to do their jobs effectively.
Data Access: From Best Practice to Table Stakes
In prior years, having a robust data analytics program for compliance was considered a gold standard. It was an aspirational goal that companies could work toward. However, as the DOJ has seen companies implement highly effective data programs, what was once a best practice is now table stakes. If your compliance program can’t access the right data in real-time or near-real-time, you’re not just behind the curve—you’re putting your organization at risk.
Compliance officers can now point to this updated guidance and tell senior management: “This isn’t optional anymore.” You need the resources, tools, and support to access and analyze data effectively. The DOJ’s guidance clarifies that if your company faces an investigation, the inability to access relevant data won’t just be an inconvenience; it will be seen as a compliance failure.
The Six Key Questions: A Roadmap for Data Access
The 2024 ECCP includes six specific questions related to data access, which serve as a roadmap for what compliance officers need to ask within their organizations. While a DOJ prosecutor may not ask all six in any given case, companies should be prepared to answer them all. We will break down how compliance professionals should approach each of these questions.
Does Compliance Have Sufficient Access to Data?
The first question asks whether compliance and control personnel have direct or indirect access to relevant data sources for timely and effective monitoring or testing. In other words, can the compliance team get the information they need when they need it?
This can be a major hurdle for many companies, especially those with complex IT ecosystems. If you’ve gone through multiple mergers and acquisitions, chances are you’re dealing with a variety of legacy systems that don’t “talk” to each other. Compliance officers might find themselves chasing down data from various silos across different business units, which can delay their ability to spot red flags.
What You Should Do
- Map out your data sources. Know where all relevant data resides, from ERP systems to HR software and procurement platforms.
- Identify bottlenecks. If your compliance team encounters roadblocks when accessing data, document those challenges and bring them to senior management.
- Collaborate with IT. Ensure that IT systems are integrated and compliance has the tools to pull and analyze data without delay.
Are There Impediments to Accessing Data?
The second question focuses on barriers preventing compliance from accessing data. These barriers could be structural, such as outdated or incompatible systems, or they could be cultural, such as senior management not prioritizing compliance’s data needs.
What You Should Do
- Address structural and cultural issues: If your company uses disparate systems, work with IT to create a data lake or central repository for key compliance data. Culturally, ensure that leadership understands the importance of compliance’s access to data and empowers the team accordingly.
Does Compliance Have the Tools to Analyze Data?
Once you can access the data, do you have the tools to analyze it effectively? This question goes beyond simply having access to the data—it’s about whether you have the analytics capabilities to make sense of it.
What You Should Do
- Invest in the right tools. Data access means nothing if you can’t analyze the information. Invest in data analytics platforms, allowing your compliance team to automate risk assessments, flag potential issues, and generate real-time reports.
- Train your team. Ensure that compliance personnel are trained on how to use these tools effectively. Analytics without insight is just noise.
Is Data Maintained Properly?
The fourth question concerns data maintenance. Is data stored securely, and is it accurate and reliable? The DOJ wants to ensure that companies don’t just pull data from disparate sources without validating its accuracy.
What You Should Do
- Validate your data. Work with IT to ensure that data is accurate and up-to-date. Compliance teams need to know that the information they are using is reliable.
- Establish data governance protocols. Set clear guidelines for data maintenance, including how data should be stored, accessed, and updated.
Is the Company Leveraging Data Analytics to Improve Compliance?
This question is at the heart of the DOJ’s updated guidance. It asks whether companies are using data analytics to create efficiencies in compliance operations and to measure the effectiveness of their compliance programs.
What You Should Do
- Integrate data analytics into your compliance program. Use data to identify risk patterns, monitor employee behavior, and assess the effectiveness of your compliance efforts.
- Review your analytics strategy regularly to ensure that you’re continually improving how you use data analytics to enhance your compliance program.
- How Precise is Your Data?
Finally, the DOJ asks about the precision of your data. This question goes beyond accuracy—it’s about whether you’re getting the right data at the right level of detail.
What You Should Do
- Refine your data collection efforts. Ensure you collect precise, relevant data that aligns with your compliance needs. Broad, imprecise data won’t help you detect or prevent misconduct.
Communicating the Importance of Data Access to Senior Management
One of the most important takeaways from the 2024 ECCP update is that compliance officers now have a concrete basis to advocate for better data access. This is no longer about wish lists or best practices—it’s a regulatory expectation. Compliance officers must have honest conversations with senior management and the board about the company’s current data capabilities and where improvements are needed.
Companies often invest in technology when a problem arises, only to pull back once the issue is resolved. This cycle leaves compliance teams under-resourced and needing help to keep pace with evolving risks. The 2024 ECCP gives compliance officers the leverage to push for sustained investments in data access and analytics.
The DOJ’s 2024 update to the Evaluation of Corporate Compliance Programs underscores the critical importance of data access and analytics for modern compliance programs. It is no longer enough to have policies in place; compliance officers need the right data at the right time and the tools to analyze it effectively. The questions posed by the DOJ should serve as a guide for structuring your data access strategy and ensuring that your compliance program is up to the task.
By taking proactive steps to improve data access and analytics, compliance professionals can meet regulatory expectations and build stronger, more resilient programs that can detect and prevent misconduct before it escalates into a serious issue.