The DOJ wants your compliance training to focus on prevention. What does that look like?

3 minute read

The DOJ wants your compliance training to focus on prevention. What does that look like?

March 23, 2021 3:00:00 AM CDT / by Ricardo Pellafone

You’ve read the interview about what Department of Justice prosecutors look for in compliance training, and you know that they want to see a focus on prevention.

That is, you don’t do one set of substantive things for “defensibility” and another for “prevention;” they’re the same thing, because a substantive focus on prevention is defensible—and recordkeeping for the sake of recordkeeping isn’t.

Fair enough. But what does that look like in practice? That’s what we’ll unpack in this post.

Haven’t read our interview with the Department of Justice’s former compliance counsel expert yet?

Get it here


Overview: focus on root cause, not abstract risk.

Here’s the basic idea: “Prevention” means focusing your compliance training on the behaviors most likely to get you in trouble, not broad education on abstract risks. You want to work backwards from what would be a root cause of an investigation—something a businessperson did—not forwards from some abstract legal framework like “anti-corruption” or “privacy.”

Here’s the key quote from the interview:

Quote from Hui Chen Interview Q&A 12: "What does that focus on prevention look like in practice?"

That is, if you end up in front of a prosecutor, it is because someone did something that put you there: they approved a third-party invoice with shady expenses, they promised someone something they shouldn’t have during a deal, etc. Focusing on prevention means identifying that stuff, prioritizing it, and then training on it, not just dumping legal information on employees and hoping they figure it out.

The problem is that this is the exact opposite of how most companies do compliance “training”—and I’m using scare quotes because what they’re doing isn’t really “training” at all—it doesn’t tell anyone how to do anything, just gives them information on abstract concepts. So, let’s give a little more clarity on what to do (and not do), starting with what to avoid.


What not to do: educate on abstract concepts.

Again, the common (and wrong) approach to compliance training is to identify your legal risks, give employees information on those risks, and hope they figure it out. It looks like this diagram from Question 15 in the interview:

Flow chart of approach of compliance training by focusing on risks (not advised)

The basic problem here is that training happens too early. The company hasn’t understood the risk well enough to figure out what people do that could get them in trouble, and they basically are asking regular employees to do all that work.

Which they don’t and won’t, because that’s not their job—figuring out how these abstract risks apply to specific things people do is a lawyer's or compliance professional’s skill set and job. The company just needs its salespeople to sell compliantly, and getting them to do that is what the government is looking for. Another quote from the interview:

Hui Chen interview answer 13: "The goal is to train people to do those things correctly, not try to make them experts on the law...."

And another one:

Hui Chen interview answer 15: "Prosecutors want to see employees being trained on how to do their jobs compliantly, not educated on legal topics."

OK, so the government is not asking you to dump a bunch of school-style courses on everyone in an effort to make them mini-compliance officers. Good. What do you do instead?


What to do: integrate into process, then train on process.

Basically, you figure out what you want people to do, then you tell them how to do it. You might otherwise know this as “training,” because that’s what real training actually is in virtually every realm of your life.

Here’s another quote from the interview to illustrate:

Hui Chen interview answer 16: "Compliance is about behavior, so I'm not sure why you would be training on something that doesn't tie to behavior."

Practically, that means your training looks like this diagram:

Flow chart of approach of compliance training by focusing on application of risk to job (advised)

Now, the good news is that you should already know what this stuff is because you discovered it in your risk assessment. That is, if you think you need to train people on anti-corruption, it’s because your risk assessment identified things your business does that are prone to corruption risk. Those are the things you train on, not the abstract concept of “anti-corruption."

Put otherwise, it’s not that this is that much more conceptual work, it’s just integrating the parts of a compliance program together with a focus on actually preventing misconduct.

Of course, this can seem like a ton of work. But we asked that too:

Hui Chen interview Q&A 14: "You do it by prioritizing the riskiest things and then moving on to the next-riskiest and so on."

In short, you prioritize things, make a plan, and execute. Just like every other part of your business does when trying to do big things.

And for a head start, you can join Compliance Design Club. It’ll let you pick and choose from hundreds of training tools and resources, including process-focused resources for sales, HR, legal, finance, and more—all easily customizable, brandable, and quickly deployed. Go here to see some samples and learn more.

Broadcat mascot peeking through door of the Clubhouse with sign that says, "Join the Club!"Join the Club!


Ricardo Pellafone

Written by

Ricardo Pellafone

As Broadcat’s Founder and CEO, Ricardo is responsible for setting and obsessively refining Broadcat’s core methodology, approach, and vision of practical, useful compliance.