Unpacking the DOJ's ECCP: Part 1 - Risk Assessments
Ali Ikram, CPA, CA, CIA
Transforming Compliance and Governance | Helping Employees and Leaders Navigate Risk, Investigate Misconduct, and Build World-Class Compliance Frameworks with Empathy | GRC, Internal Audit Execution & Leadership
A few weeks ago, I promised to dive into the U.S. Department of Justice’s September 2024 update to its Evaluation of Corporate Compliance Programs (ECCP). Today, we kick off that journey.
While I can’t and won’t dispense legal advice, I’ll share practical tips drawn from years of experience in compliance. In each article, we’ll cover:
Let’s start with the foundation of any compliance program: Risk Assessments.
Why Risk Assessments Matter
The ECCP emphasizes that a prosecutor’s first step in evaluating a company’s compliance program is understanding its risk profile. In the DOJ’s words:
“The starting point for a prosecutor’s evaluation of whether a company has a well-designed compliance program is to understand the company’s business from a commercial perspective, how the company has identified, assessed, and defined its risk profile, including specific factors that mitigate the company’s risk, and the degree to which the program devotes appropriate scrutiny and resources to the remaining spectrum of risks.”
In plain terms: Does your compliance team have a clear grasp of the risks facing your business? And just as importantly, are those risks being managed effectively?
Here are my Top 5 Tips for building and maintaining a robust compliance risk assessment process:
1. Build Strategic Partnerships
Collaborate with your risk management function and the business. Together, identify, document, and address compliance risks regularly. This isn’t a one-time exercise; it’s an ongoing partnership.
2. Align with Audit
Work closely with your audit team to understand which risks are well-mitigated and tested. Identify gaps that need attention—or, where necessary, accept those risks.
3. Prioritize Wisely
Focus your limited resources where the risks exceed your company’s risk appetite. Document lower-priority risks and revisit them periodically. As much as we’d love to solve every problem, we need to allocate time, money, and people effectively.
4. Evaluate Effectiveness
The DOJ expects the company (typically through internal audit) to assess both the design and the operating effectiveness of your risk management methodology. This provides confidence that your approach is sound and defensible.
5. Think Big—and Small
Don’t stop at enterprise or departmental assessments. Evaluate individual topics—like a new partner incentive model or holiday gift policy—from a compliance risk lens. Time and time again, breaking risks down by considering their likelihood and impact has helped compliance professionals focus.
Pitfall to Avoid
One critical misstep is a poor relationship with risk management or audit. Without a robust partnership among these areas, a compliance department’s efforts will falter. If this is an area for improvement at your company, make strengthening these connections your top priority.
Where to Focus Your Attention
To identify risks, start by looking everywhere—but zero in on areas exceeding your company’s risk appetite. If the appetite for compliance risks feels misaligned, escalate the concern with risk management and your Risk/Audit Committee.
The ECCP also highlights specific areas to prioritize:
Final Thoughts
Risk management is the backbone of effective compliance. Once you make it a core part of your daily thinking, the rest becomes second nature.
What challenges have you faced in implementing risk assessments at your organization? I’d love to hear your thoughts and experiences—drop them in the comments below.
Stay tuned for the next article in this series, where we’ll dive into Policies and Procedures, Training & Communications.
Healthcare Compliance Leader | CPCO, CHC | MJ - Health Law | Hospital, Hospice, Home Health, Palliative Care
3 months
Ali - great outline of the ECCP guidance. I think the areas that jump out at me are prioritizing and evaluating the risk assessment process. So important to utilize resources for the most impact - especially when those resources are scarce! Looking forward to your next update!
GRC Professional focused on Cybersecurity
3 months
Great guidance, Ali, couldn’t agree more. Risk Management as a discipline must be baked into the DNA of every organisation.