On Monday September 23rd, at the Society of Corporate Compliance and Ethics' conference, the room was hushed. The bombshell dropped. People breathlessly called their bosses. It had happened again. The Department of Justice (DOJ) published its update to the Evaluation of Corporate Compliance Programs guidance (ECCP).
For anyone new to the profession, understand that this update, which happens every 12-18 months, is always an event. Much ink is spilled reviewing, analyzing, prophesizing, and hyperventilating over the meaning of every deleted or added word.
This year's update
This year's update is rich with nuance and newness. In some years, changes have been minimal or more focused on deletion than expansion.
2024 is all about expanding the guidelines and inserting high-pressure expectations on compliance officers and compliance programs.
Let's start with risk assessments
The new ECCP sections are focused heavily on risk assessment. There's good reason for this – a risk assessment is the fundamental bedrock upon which a program should be created. Afterall, you can't implement an effective "risk-based approach" without identifying that which is causing the risk.
Here's what to do now in response to the new ECCP guidance.
1. Perform a technology audit
The updated DOJ guidance uses the word "technology" or a variation thereof 22 times in 22 substantive pages – 17 of which are new in the update. That doesn't even account for the focus on artificial intelligence (AI) as a subset of technology.
To be able to perform all of the actions the DOJ thinks you should be able to do, you'll need a baseline of knowledge you probably don't have. You need to know which systems are operating where and what data they are processing.
How to:
Completing a technology audit sounds overwhelming, but hopefully, your friends in IT, Procurement, and Privacy can help. A sophisticated IT department should have a list of programs operating at the company. Procurement may be able to use billing codes to help you to identify software and the software's internal owners. And Privacy may have data maps showing the flow of personal data between systems.
If all else fails, you can always email the heads of the business units and functions to find out which systems they are using.
What should your audit show you? At its core, you want a list of the major systems used at the company detailing:
- Name
- Internal Owner
- What it does for the company
- Whether it uses AI (and how)
- What, if any, personal data is processed
Keep it simple. Make an Excel file with these five columns and don't use complete sentences. You'll be able to start seeing which systems can create risk and which can mitigate it.
2. Add technology as a category or consideration in your risk assessment
The DOJ knows technology can be risky, and it wants to make sure you know that too. You can score a quick win by adding technology as a category or written consideration in your risk assessment.
How to:
Most compliance risk assessments are broken out into regulatory areas, such as bribery, trade compliance, data privacy, retaliation, etc. You can add technology as a consideration to these specific areas, tying the technology being used to the risk escalation or mitigation, or you can add a whole separate category called technology.
Open up your technology audit. Look at each program and consider how compliance-related risk increases or decreases because that technology. Then consider the impact something going wrong might have. Document your findings. Boom – you've added technology to your risk assessment.
3. Add AI use as a sub-set to the technology review in your risk assessment
There's no denying that the DOJ is excited and concerned about the use of AI. In fact, they've added whole paragraphs dedicated to it in the ECCP.
You'll want to call out AI separately from the total technology risk assessment, even though AI is, in fact, technology.
The DOJ guidance focuses both on (1) use of AI by the company and its employees, and (2) the use of AI by the compliance department or to monitor compliance.
How to:
Go to your technology audit out. Go to the internal owner of every system using AI and find out how it is being used in detail at the company.
At the company
Look at each system that uses AI in the company and consider whether its use increases or decreases the likelihood of compliance-related issues. Then consider the impact something going wrong might have. Document your findings. Make a mitigation plan where required.
For Compliance
Typically, the use of AI by the compliance program or within compliance-related software will be mitigating a compliance-related risk. For instance, if your policy management system has an AI assisted search function, then the risk of people not knowing or being able to find a specific policy diminishes.
Include an analysis of how AI is mitigating specific risks in those sections of the risk assessment.
4. Use the Words "emerging risks" in your risk assessment
The DOJ added an entire paragraph on reviewing and understanding emerging risks. That makes sense, as we should always be anticipating risk to be able to plan for mitigation.
How to:
It's likely you're already considering emerging risks in your risk assessment. But let's clock an easy win by adding the words "Emerging Risks" into your risk assessment documentation.
Within the new section of the ECCP, "emerging risk" mostly refers to technological and AI-related risk. But emerging risk relates to all kinds of problems from new/proposed laws to geo-political instability.
5. Document both your methodology and approach
The new guidance focuses not just on whether you complete your risk assessment, but also on your approach and documentation.
How to:
In one of the odder insertions, the DOJ included a specific instruction to include "specific factors that mitigate the company's risk," and to identify "features" that reduce risk exposure. You should also identify whether the company employs a reactive or proactive approach to risk management.
One of the most re-written sections of the ECCP relates to employing a risk-based approach to the program as an outcome of the risk assessment. You will want to ensure you document that the outcome of the risk assessment influences the allocation of resources with "greater scrutiny applied to greater areas of risk."
What next?
We're back to the beginning of the journey of evolving our compliance programs to meet the DOJ's most recent requirements and areas of focus.
Receiving an ever-escalating series of quasi-instructions from the government about their (high) expectations can be uncomfortable. However, it's a good reminder that as business evolves, so too must our compliance programs.
While it sometimes doesn't feel this way, the government is squarely on the Compliance Officers side. This updated guidance can help us to improve our risk assessments and get the resources we need in response.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.