“This is interesting, but what am I supposed to do with, like, a million questions?”
- you, after reading the DOJ’s Evaluation of Corporate Compliance Programs.
Don’t worry. That’s what everyone is thinking.
Because while the DOJ's “Evaluation of Corporate Compliance Programs” gives you insight into how the Department of Justice will evaluate your program (with a lot of lawyerly caveats), it’s presented in a way that makes it difficult to operationalize.
That is, it’s organized around how the DOJ thinks—not how you would actually use it. And making the jump from “how the DOJ thinks” to “how we’ll use this” is a mammoth task.
We know, because we made a roadmap that does exactly that.
***HEY! May 1, 2019 Update: the DOJ updated this guidance at the end of April 2019. We're working on updating this roadmap to show the additional questions/changes added in this latest revision. In the interim, the link to the old version still works.***
Here's what we did.
We kept the DOJ’s original questions, but we reorganized them into a roadmap based on:
When you’d ask each question,
Who you’d probably task with answering it, and
How often you’d be likely to update your response.
You know, project planning stuff.
Because that's what the roadmap does: it re-sorts the DOJ's 11 subject-matter topics into practical categories so you can get value out of the DOJ's guidance—before you're sitting across from a prosecutor.
We've called those practical categories "Governance and Structure," "Program Operations," and "Incident Response."
Each category reflects a consistent approach to when you'll answer its questions, who will answer them, and how often you'll need to check in for an update.
They use the DOJ's original questions—they're just sorted by how you'll actually answer them.
Here's how it works.
Let's look at an easy example. This is a screenshot of the questions from the DOJ’s “Senior and Middle Management” topic:
It’s only 9 questions—so, easy. Right?
Sure. Until you go to use it.
Because you'll find that those questions will be answered by different people, at different points in time, and will be updated on different rhythms.
And you need to sort that out before you can, you know, answer them.
So, let's dig in.
First, let's take the questions we put into the "Governance and Structure" category.
Questions in this category get to how your program is set up and governed. The "when, who, how often" breaks down like this:
When: you'll answer these proactively. They're not tied to a specific compliance incident—you don't need to wait for the hotline to ring.
Who: you'll give these to a senior team member (like your Deputy CCO) engaged with high-level, program-wide issues like reporting lines, budget, compensation, and board oversight.
How often: you'll update your answers when things change—because the types of issues these questions tackle don't usually change very often, and you should know when they do.
Next, let's look at the questions that fall under the "Program Operations" category.
These questions are about day-to-day risk management stuff. The "when, who, how often" breaks down like this:
When: you'll answer these operations-focused questions proactively, just like the Governance and Structure questions.
Who: you'll give these to individual risk owners to complete on a risk-by-risk basis. Your program's operations will vary by risk—so you'll want to know how things work for each key risk you have.
How often: you'll do these on a regular rhythm as a health check. These questions get operational, and operations change fast. A time-based cadence helps make sure you don't miss something.
Finally, let's look at the most straightforward questions—the ones we've put under the "Incident Response" category:
These questions get at specific compliance issues your company has faced. The "when, who, how often" looks like this:
When: you'll answer these reactively, in response to specific compliance issues.
Who: you'll give these to the investigator and risk owner(s) relevant to the specific issue.
How often: you'll do these in response to significant cases—for example, cases you'd flag to your board in a quarterly meeting. (If that's more than a few a year, you might be over-reporting. Ask outside counsel for a refresher on board duties.)
If you looked at the pictures closely, you probably noticed there's overlap between the "Program Operations" and "Incident Response" categories.
That was deliberate. The DOJ's guidance contains about a half-dozen compound questions that can be answered partially proactively, partially reactively—so we listed them in both categories.
And that's it! The other DOJ topics shake out the same way.
It's simple—once you wade through the questions over and over until you figure out the common themes and how to implement them in practice.
Which, yeah, is not so simple.
But hey, good news: we already did that for you.
How to get the roadmap.
Well, that depends on who you are.
If you're a subscriber, you’ll get the editable roadmap:
And a workbook to help you get this done—including a template report, tips, and call-outs to other resources included in your subscription:
And a board deck to give your directors a heads-up that you’re on top of this—before one of them asks you about it.
And if you’re not a subscriber?
But you're still in luck.
Because we think the Evaluation of Corporate Compliance Programs is so important, we’re giving you a free version of our roadmap, too. Now, we reserve the make-it-your-own, editable stuff for our subscribers—but it'll still save you hours of painful project planning.
Go on—click the button below and grab it for yourself!