Stay Cool, Compliance Pros: Tackling the DOJ’s Latest ECCP with Confidence
Edition 4

Oh no, not again! The sky is falling…

In September, the US Department of Justice (DOJ) updated its "Evaluation of Corporate Compliance Programs" (ECCP) document, sparking concern among compliance professionals about integrating it into their program. Meanwhile, law firms and consultants are eager to help businesses navigate the new questions, controls, and structures needed to stay in line.

But before you panic, let me offer three words of advice: Relax and breathe.

I actually love when regulators update compliance expectations. While some feel the DOJ raises the bar with each ECCP release, I see it as a chance to gain clarity. Our world is constantly changing, and compliance must evolve with it. The ECCP is not a checklist of everything you must do—it’s a guide to what matters.

I spent over a decade building SAP’s compliance program through multiple DOJ and SEC investigations, working with hundreds of amazing colleagues across the company’s first, second and third lines of defense. Trust me, the ECCP isn't about ticking every box, but showing a good-faith effort to address key elements.

So, what should you do now? In the coming months, I’ll break down each section of the ECCP and highlight where you’ll get the most value. Prosecutors understand companies must prioritize their resources, and your compliance program is no exception.

If you’re not under a regulatory investigation, below you’ll find out how to make the most of the ECCP. (If you are under regulatory scrutiny, your first priority is working with outside legal counsel. Reach out to me for a sanity check about reasonability of counsel’s expectations, and building an impactful and reasonable journey to appease the regulators.)

Top Tips for Tackling the ECCP:

  1. Find a distraction-free time to read and review. Set aside about four hours, especially as you’ll need to craft a related “response” for your own records.
  2. Follow the structure. The document is very well-organized. Create your own summary for each section based on your company’s current state.
  3. Use color coding when reviewing: Green for areas where you're in good shape. (For example, under (IIB) Structure, your compliance department reports to the CEO or CFO, with a dotted line to the Audit Committee.) Yellow for work in progress. Red for areas that may need attention.
  4. In your “response” document, highlight your strengths first. Start by summarizing your "green" areas—these are your wins!
  5. Don’t panic over the yellow and red. Not everything needs immediate action, if at all. The ECCP stresses risk assessment as a key basis for a compliance management system, and that should be your approach to review of the ECCP document too—focus on real risks that matter to your business.
  6. Prioritize with key stakeholders. Collaborate with your Risk Management, Internal Audit, and Legal teams to vet and prioritize the most important yellow/red items. Engage business leaders too—they might have better solutions or will need to align on risks.
  7. Create a parking lot for yellow/red items that may need to be revisited in the future.
  8. Present your plan. Use this assessment to develop a strategic roadmap and share it with your Audit and/or Compliance Committee.

By following these steps, you’ll turn the DOJ’s latest update into a valuable tool for building a strong, future-proof compliance roadmap.

Bobbi Tadwalt, MJ, CHC, CPCO

Healthcare Compliance Leader | CPCO, CHC | MJ - Health Law | Hospital, Hospice, Home Health, Palliative Care

5 months

Thanks for the great step-by-step outline & suggestions for documenting and prioritizing!

More articles by Ali Ikram, CPA, CA, CIA