What the DOJ’s Updated Corporate Enforcement Policy Actually Says About Policy Management
The DOJ now evaluates policy programs across design, implementation, and effectiveness. Here is what the standard actually requires.
Ethico Team
When the Department of Justice published its updated Corporate Enforcement Policy [1], most of the public attention focused on the policy’s broader posture toward corporate cooperation and self-reporting. The implications for individual elements of a compliance program received less coverage. But for compliance leaders, one section of the updated guidance has the potential to reshape how programs are built and evaluated for the next decade: the section on policies and procedures.
The shift in that section is subtle in language and significant in implication. The DOJ is no longer asking whether policies exist. It is asking whether the program built around them is effective.
For most organizations, this is a new question — and most are not prepared to answer it.
The Three Dimensions
The DOJ’s Evaluation of Corporate Compliance Programs framework [2] assesses three dimensions in sequence: design, implementation, and effectiveness in practice.
Design asks whether the program is well-constructed for the specific risks the organization faces. For policy management, design questions include whether policies are written for the audience that needs to follow them, whether they are organized in a way that makes them locatable, and whether the program is structured so that policies can be revised as conditions change.
Implementation asks whether the design operates as intended. For policy management: is the policy review cadence actually being followed? Are revisions being routed to the right approvers in a reasonable timeframe? Is policy distribution reaching the people it is supposed to reach?
Effectiveness asks whether the program produces the results it is supposed to produce. For policy management: do employees actually receive policies? Can they find them? Do they understand them? Do they follow them? And can the organization demonstrate all of this with evidence that would satisfy a third-party reviewer?
The first two dimensions are familiar territory. The third is where most programs fall short.
The Specific Questions Compliance Should Be Ready For
The DOJ’s evaluation framework includes specific questions compliance teams should be prepared to answer [2]. Among them: how has the company designed its compliance program to ensure that policies, procedures, and standards of conduct are accessible and applicable to the relevant audience? How has the company communicated its policies and procedures to all employees and relevant third parties? Has the company evaluated the extent to which employees and third parties have understood the policies? What is the company’s process for reviewing and updating policies and procedures? Are there mechanisms to ensure employee understanding of the policies?
Each of these questions has a specific implication. "Accessible and applicable to the relevant audience" implies that policies are reaching the right people in a form they can use — not buried in a payroll system or scattered across intranets. "Communicated to all employees" implies a tracking system that can prove distribution. "Evaluated the extent to which employees have understood" implies measurement of comprehension, not just acknowledgment. "Process for reviewing and updating" implies a structured workflow with documented cadence. "Mechanisms to ensure employee understanding" implies a layer of the program that goes beyond a checkbox.
A program that cannot produce evidence for each of these questions is not, in the DOJ’s framework, an effective program.
Where Programs Fall Short
Across recorded conversations with compliance leaders evaluating their own programs against this standard, three gaps appear repeatedly.
The first is the comprehension gap. Programs that distribute policies and capture acknowledgments do not, in most cases, verify understanding. The DOJ’s question is "do employees understand?" — not "did employees click acknowledge?" A program that cannot demonstrate comprehension is missing a dimension the framework explicitly examines.
The second is the accessibility gap. The DOJ’s question about whether policies are "accessible and applicable to the relevant audience" assumes that an employee who needs a policy can find it. In practice, the "five random employees" test — asking five randomly selected employees to find a specific current policy — fails in most organizations. Policies live in places employees do not think to look, in formats they cannot navigate, in versions that may not be current.
The third is the evidence gap. The DOJ’s framework is, in the end, an evidence framework. Programs are evaluated on what they can produce. A program that can describe its workflow in narrative form but cannot produce timestamped, tamper-proof records to support the narrative is not a defensible program. Programs that maintain evidence in disconnected systems — emails in one place, acknowledgments in a spreadsheet, version history in a folder — are programs that, in an enforcement situation, will struggle to demonstrate effectiveness.
Why the Shift Is Happening Now
Three forces are converging to make this an unavoidable change.
First, regulatory expectations have hardened. Beyond the DOJ, the European Union’s Artificial Intelligence Act [3], the Securities and Exchange Commission’s cybersecurity disclosure rules [4], and the proliferation of state-level privacy laws [5] all impose obligations that require demonstrable communication and training — not just documentation.
Second, board-level scrutiny has intensified. Audit committees increasingly ask compliance leaders, "How do we know our policies are actually working?" Teams that can only answer "we distributed them" are losing credibility quickly.
Third, the available technology has caught up. The reason checkbox attestation was the standard for so long was that capturing comprehension at scale was operationally impossible. That is no longer true. AI-generated comprehension assessments can be produced from policy content in seconds, distributed in structured waves, and scored automatically — making real effectiveness measurement a practical option rather than an aspirational one.
What Defensible Looks Like
A program built for the new effectiveness standard does five things visibly.
It documents the current state of every active policy in one location — including current version, owner, effective date, review cadence, and revision history.
It distributes policies through a system that targets the right audience automatically — not through ad hoc email distribution lists that nobody maintains.
It captures evidence of comprehension, not just receipt — through quiz-based attestation, structured acknowledgment forms, or other mechanisms that verify understanding.
It maintains an immutable audit trail — every action on every policy, timestamped, attributed, and tamper-proof.
It connects policies to the rest of the compliance program — so that when an investigation references a policy violation or a risk assessment identifies an exposure, the connection is automatic rather than manual.
These are not exotic capabilities. They are the operational architecture of a program that can answer the questions the DOJ is now asking.
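One way to make "timestamped, attributed, and tamper-proof" concrete is a hash-chained, append-only audit log: each entry commits to the entry before it, so editing, reordering or deleting an earlier record breaks the chain and is detected on verification. The block below is an added example written for this article; it is not Ethico's product code, nor a design prescribed by the DOJ framework. The entry fields, the action names (publish, revise, acknowledge), the actor names and the POL-007 sample entries are assumptions chosen for illustration.

```python
"""Tamper-evident policy audit trail (added example; hypothetical design)."""
import hashlib
import json
from dataclasses import dataclass, asdict, replace
from datetime import datetime, timezone
from typing import Dict, List, Optional

GENESIS = "0" * 64  # prev_hash of the first entry


@dataclass(frozen=True)
class AuditEntry:
    seq: int            # position in the log
    timestamp: str      # ISO-8601 UTC, when the action happened
    actor: str          # who performed it (attribution)
    policy_id: str      # which policy (assumed identifier scheme)
    action: str         # assumed vocabulary: publish / revise / acknowledge
    version: str        # policy version the action refers to
    prev_hash: str      # hash of the preceding entry, chaining the log
    entry_hash: str = ""  # SHA-256 over every field above


def _digest(fields: dict) -> str:
    # Canonical JSON so the hash does not depend on key order or whitespace.
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class AuditTrail:
    def __init__(self) -> None:
        self.entries: List[AuditEntry] = []

    def append(self, actor: str, policy_id: str, action: str, version: str,
               timestamp: Optional[str] = None) -> AuditEntry:
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        ts = timestamp or datetime.now(timezone.utc).isoformat()
        body = dict(seq=len(self.entries), timestamp=ts, actor=actor,
                    policy_id=policy_id, action=action, version=version,
                    prev_hash=prev)
        entry = AuditEntry(**body, entry_hash=_digest(body))
        self.entries.append(entry)
        return entry

    def verify(self) -> Optional[int]:
        """Index of the first entry that fails the chain check, or None if intact."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = asdict(e)
            body.pop("entry_hash")
            if e.seq != i or e.prev_hash != prev or _digest(body) != e.entry_hash:
                return i
            prev = e.entry_hash
        return None

    def latest_versions(self) -> Dict[str, str]:
        """Current version per policy, derived from publish/revise entries only."""
        state: Dict[str, str] = {}
        for e in self.entries:
            if e.action in ("publish", "revise"):
                state[e.policy_id] = e.version
        return state


def demo():
    """Constructed sample: a publish, a revision, one acknowledgment, then a backdating attempt."""
    trail = AuditTrail()
    trail.append("j.doe", "POL-007", "publish", "1.0", "2024-01-15T09:00:00+00:00")
    trail.append("j.doe", "POL-007", "revise", "1.1", "2024-06-01T10:30:00+00:00")
    trail.append("a.lee", "POL-007", "acknowledge", "1.1", "2024-06-03T14:05:00+00:00")
    intact = trail.verify()  # None: chain is consistent
    # Simulate someone editing the stored record to make the revision look earlier
    # than it was, without recomputing the hashes.
    trail.entries[1] = replace(trail.entries[1], timestamp="2024-01-16T10:30:00+00:00")
    broken = trail.verify()  # 1: the altered entry no longer matches its hash
    return intact, broken


if __name__ == "__main__":
    print(demo())
```

Recomputing the altered entry's hash would not hide the edit either, because the next entry's prev_hash still names the original digest. What a chain alone cannot detect is truncation of the most recent entries, so in practice the head hash is periodically anchored somewhere the log owner cannot rewrite (write-once storage or a signed checkpoint); that is the part that turns "tamper-evident" into the "tamper-proof" record the article asks for.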
The Stakes
Compliance program effectiveness is not a theoretical exercise. In an enforcement situation, the DOJ uses its evaluation framework to determine cooperation credit, penalty reductions, and ongoing monitoring requirements. Programs that demonstrate effectiveness receive measurably better outcomes. Programs that cannot do so face penalties that often dwarf the cost of building the program correctly in the first place.
For compliance leaders, the practical implication is straightforward. The bar has moved. The standard for an effective policy program is now higher than it was, and the gap between programs that can demonstrate effectiveness and those that cannot is widening.
The compliance teams quietly building toward the new standard — through dedicated platforms, structured workflows, comprehension verification, and connected evidence — will look very different to a regulator three years from now than the teams still operating on the old definition.
Sources and References
[1] Corporate Enforcement and Voluntary Self-Disclosure Policy. U.S. Department of Justice, Criminal Division. Available at: https://www.justice.gov/criminal/corporate-enforcement
[2] Evaluation of Corporate Compliance Programs. U.S. Department of Justice, Criminal Division. Available at: https://www.justice.gov/criminal/criminal-fraud/page/file/937501
[3] Regulation (EU) 2024/1689 (Artificial Intelligence Act). European Union, Official Journal. Available at: https://eur-lex.europa.eu/eli/reg/2024/1689/oj/eng
[4] Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure (Final Rule). U.S. Securities and Exchange Commission. Available at: https://www.sec.gov/files/rules/final/2023/33-11216.pdf
[5] US State Privacy Legislation Tracker. International Association of Privacy Professionals (IAPP). Available at: https://iapp.org/resources/article/us-state-privacy-legislation-tracker/