DOJ Compliance Program Evaluation Criteria 2025: How Prosecutors Actually Assess Whether Your Program Works


The DOJ compliance program evaluation criteria can feel like a moving target. Every few years, the Department of Justice updates its guidance. Prosecutors get new tools. And compliance teams scramble to figure out what “effective” actually means this time around.

Here’s the thing: the DOJ’s evaluation framework isn’t a mystery. It’s a published document. But reading it and knowing how prosecutors apply it are two very different things.

This guide breaks down each major area of the DOJ’s evaluation criteria. More importantly, it shows you what prosecutors look for in practice — and where most programs fall short.

TL;DR — Key Takeaways

  • The DOJ evaluates compliance programs across three core questions: Is it well designed? Is it applied earnestly? Does it work in practice?
  • Prosecutors look for evidence, not policies. Documentation, data, and case outcomes matter more than written procedures.
  • Reporting culture is a critical factor. Low reporting rates signal fear, not compliance.
  • Risk assessments must be current, targeted, and connected to real program changes.
  • Remediation and continuous improvement separate “paper programs” from effective ones.
  • The 2024 DOJ Corporate Enforcement Policy update raised the bar on several fronts, especially around data access and program resourcing.

Why the DOJ Compliance Program Evaluation Criteria Matter Now

Let’s start with the stakes.

When the DOJ investigates corporate misconduct, prosecutors must answer one question: Did the company have an effective compliance program at the time of the offense?

Their answer directly affects whether your organization faces criminal charges, the size of any fine, and whether you get credit for cooperation. In some cases, an effective program means the DOJ declines prosecution entirely.

The 2024 DOJ Corporate Enforcement Policy update reinforced this. Companies with strong programs can earn a presumption of declination — even when misconduct occurred. But “strong” has a specific meaning. Prosecutors use the DOJ’s Evaluation of Corporate Compliance Programs (ECCP) as their rubric.

That rubric has three pillars. Let’s walk through each one.


Pillar 1: Is Your Compliance Program Well Designed?

This is where most compliance teams focus their energy. And it’s where the DOJ starts, too. But “well designed” goes far beyond having a code of conduct on your website.

Risk Assessment as the Foundation

Prosecutors want to see that your program is built on a current, thorough risk assessment. Not one from three years ago. Not a generic template. A living document that reflects your actual business risks.

The DOJ compliance program evaluation criteria specifically ask:

  • What methodology did you use to identify and prioritize risks?
  • How often do you update your risk assessment?
  • Does the assessment inform resource allocation, training, and controls?

Here’s where many programs stumble. They run a risk assessment once, file it away, and never connect it to program decisions. Prosecutors see right through that.

An effective risk assessment drives everything downstream. It tells you where to focus your disclosure campaigns, which business units need closer monitoring, and where your reporting channels should be promoted most heavily.

Completion rates matter, too. If only 40% of your stakeholders respond to a risk assessment survey, you’re making decisions based on incomplete data. Modern approaches — like magic link distribution and targeted campaigns — can push completion rates to 80-90%, giving you a much fuller picture of your risk landscape.

Policies and Procedures

Prosecutors don’t just check whether policies exist. They ask whether employees can actually find them, understand them, and apply them.

Key questions include:

  • Are policies written in plain language?
  • Are they accessible through a centralized hub?
  • Do they cover the specific risks identified in your assessment?
  • How do you communicate policy changes?

A centralized ethics portal — one branded to your organization and housing all policies, reporting forms, and executive messaging — demonstrates that you’ve made compliance accessible. It shows prosecutors that employees don’t have to hunt for the right form or the right phone number.

Reporting Mechanisms and Speak-Up Culture

This is one of the most scrutinized areas under the DOJ compliance program evaluation criteria. Prosecutors want evidence that employees feel safe reporting concerns.

They look at:

  • Multiple reporting channels: Hotline, web forms, in-person options, and more.
  • Anonymity protections: Can reporters stay anonymous if they choose?
  • Reporting volume: Are people actually using these channels?
  • Identified caller rates: Do reporters trust the system enough to share their identity?

Low reporting rates are a red flag. They suggest employees either don’t know about reporting channels or don’t trust them. Neither is a good look during a DOJ evaluation.

Industry data shows that most organizations see 1-2 reports per 100 employees annually. Organizations with strong speak-up cultures — where the hotline experience is supportive, thorough, and human — see significantly higher rates. Some reach 3.6 reports per 100 employees.

Identified caller rates tell an even deeper story. When roughly 75% of callers willingly share their identity, it signals genuine trust in the process. That metric alone can shift how prosecutors view your program.

The quality of your intake process matters, too. Prosecutors may review actual hotline reports. A six-minute scripted call that captures bare-minimum facts looks very different from a 14-15 minute conversation that uses behavioral science to draw out relevant details. The depth of your reports reflects the depth of your commitment.


Pillar 2: Is Your Compliance Program Applied Earnestly?

Design is necessary but not sufficient. The DOJ wants to know if your program has teeth.

Commitment by Senior and Middle Management

Prosecutors look at whether leadership walks the talk. This includes:

  • Does the board receive regular compliance reports?
  • Does the CCO have direct access to the board?
  • Are compliance metrics part of leadership discussions?
  • Has leadership ever overridden compliance recommendations? If so, why?

Middle management matters just as much. Supervisors who dismiss ethics concerns or discourage reporting can undermine even the best-designed program. The DOJ specifically asks about “tone in the middle” — not just tone at the top.

Autonomy and Resources

Here’s a question that catches many organizations off guard: Does your compliance function have enough resources and authority to do its job?

The DOJ evaluates:

  • Budget relative to company size and risk profile
  • Staffing levels
  • Access to data across the organization
  • Authority to investigate and recommend discipline

The 2024 enforcement policy update placed extra emphasis on data access. Prosecutors now ask whether compliance teams can get the data they need — without going through layers of approval. If your compliance team has to beg IT or legal for basic reporting data, that’s a problem.

This is where operational tools matter. A case management system that pulls in reports from every channel — hotline calls, web submissions, disclosures, interviews — into a single view gives compliance teams the data access prosecutors expect. It also creates the documentation trail that proves you’re taking reports seriously.

Consistent Discipline and Incentives

Prosecutors check whether your organization applies consequences evenly. A program that disciplines junior employees but gives executives a pass isn’t effective. It’s theater.

They look for:

  • Documented disciplinary actions tied to compliance violations
  • Consistency across levels and departments
  • Incentive structures that reward ethical behavior
  • Clawback provisions or bonus adjustments for misconduct

Tracking remediation through structured corrective action plans — complete with root cause analysis, policy revisions, and training requirements — shows prosecutors that you don’t just close cases. You fix the underlying problems.


Pillar 3: Does Your Compliance Program Work in Practice?

This is where the DOJ compliance program evaluation criteria get most demanding. Prosecutors aren’t just asking what your program looks like on paper. They want outcomes.

Continuous Improvement and Periodic Testing

The DOJ expects your program to evolve. Static programs are, by definition, ineffective — because risks change.

Prosecutors ask:

  • How has your program changed in the last few years?
  • What triggered those changes?
  • Do you track metrics and use them to improve?
  • Have you conducted a gap analysis recently?

Analytics play a central role here. If you can show prosecutors a dashboard that tracks reporting trends, case resolution times, disclosure completion rates, and risk assessment results over time, you’re demonstrating continuous improvement with data — not just words.

Role-based dashboards that let different stakeholders see relevant metrics also show program maturity. Your board sees strategic trends. Your investigators see case workload. Your CCO sees the full picture. That kind of structured data access is exactly what the DOJ looks for.

Investigation Quality and Response

When misconduct is reported, how does your organization respond? This is where many programs fail the DOJ’s test.

Prosecutors evaluate:

  • Timeliness: How quickly do investigations begin after a report?
  • Thoroughness: Do investigators follow leads, interview witnesses, and document findings?
  • Independence: Are investigations free from interference by implicated parties?
  • Outcomes: Do investigations lead to real consequences and program changes?

A centralized case management system is critical here. It creates an immutable record of every step — from initial report through investigation, findings, and remediation. That audit trail is exactly what prosecutors review.

Choosing the right case management platform can make or break your ability to demonstrate investigation quality. Look for systems that aggregate all intake channels, support structured workflows, and produce defensible documentation.

Third-Party Management

The DOJ also looks at how you manage risk from vendors, contractors, and business partners. This includes:

  • Due diligence before onboarding third parties
  • Ongoing monitoring and screening
  • Contractual compliance requirements
  • Auditing of high-risk relationships

For healthcare organizations, this extends to credentialing and exclusion screening. Employing or contracting with an excluded individual can trigger False Claims Act liability. Automated screening against government exclusion lists — OIG LEIE, SAM, OFAC, and state Medicaid exclusion databases — is a baseline expectation.

The stakes are high enough that some screening solutions back their accuracy with financial guarantees. That kind of confidence signals to prosecutors (and to your board) that you’re taking third-party risk seriously.


Common Gaps That Prosecutors Exploit

A review of hundreds of DOJ enforcement actions and settlement agreements reveals certain patterns. Here are the gaps that most often undermine compliance programs during evaluation:

1. The “Paper Program” Problem

You have policies. You have a code of conduct. You even have a hotline number on a poster in the breakroom. But there’s no evidence anyone uses these tools — or that leadership cares about the results.

Fix it: Track and report on program activity. Reporting volume, case closure rates, risk assessment completion, disclosure participation — these metrics prove your program is alive.

2. Disconnected Data

Your hotline data lives in one system. Disclosures live in another. Risk assessments are in a spreadsheet. Investigations are tracked via email. When prosecutors ask for a complete picture, you can’t provide one.

Fix it: Centralize your compliance data. A 360-degree view of all E&C activity — reports, disclosures, investigations, risk assessments — in one platform eliminates data silos and gives you the single source of truth prosecutors expect.

3. Stale Risk Assessments

Your last risk assessment was two years ago. Your business has changed significantly since then. Prosecutors will ask why your program didn’t keep pace.

Fix it: Run risk assessments at least annually. Use targeted distribution based on roles and business units. Connect results directly to program priorities.

4. Weak Reporting Culture

Few reports come in. Most are anonymous. Callers describe negative experiences. These signals tell prosecutors your employees don’t trust the system.

Fix it: Invest in the quality of your reporting experience. Live, trained specialists who conduct thorough, empathetic interviews drive higher trust, higher identification rates, and richer reports.

5. No Remediation Tracking

You investigate issues but can’t show what changed as a result. Prosecutors see this as a cycle of repeated failures.

Fix it: Build structured remediation plans after every significant investigation. Track corrective actions, policy changes, and training requirements. Close the loop — and document that you did.


How the DOJ Compliance Program Evaluation Criteria Connect to Your Daily Work

It’s easy to think of the DOJ’s framework as something you worry about only when trouble hits. But the smartest compliance teams use it as an ongoing operational guide.

Here’s a practical way to think about it:

DOJ Question | What It Means Day-to-Day
Is the program well designed? | Run current risk assessments. Keep policies accessible. Maintain strong reporting channels.
Is it applied earnestly? | Secure leadership support. Get adequate budget and data access. Apply discipline consistently.
Does it work? | Track metrics. Improve continuously. Investigate thoroughly. Manage third-party risk.

Every tool you choose, every process you build, and every report you generate should connect back to one of these three questions.


What’s Changed Recently — And What to Watch

The DOJ’s evaluation criteria aren’t static. Recent updates have placed greater emphasis on:

  • Data access for compliance teams: Can your team get the information it needs without gatekeepers?
  • Compensation structures: Are compliance metrics tied to executive compensation?
  • Use of personal devices and messaging apps: Can your organization monitor and preserve communications on platforms like WhatsApp or Signal?
  • Speed of detection and response: How quickly does your organization identify and act on potential misconduct?

Healthcare organizations face additional scrutiny. The JCAHO 2025 monthly credential monitoring mandate adds another layer of ongoing verification that intersects with DOJ expectations around third-party management and continuous monitoring.

Stay current. Review the ECCP annually. Map your program against its questions. And document everything.


Conclusion: Build for Prosecutors, Run for Your People

The DOJ compliance program evaluation criteria aren’t just a legal checklist. They’re a blueprint for a program that actually protects your organization and your people.

When you build a program that meets these standards, you get more than DOJ credit. You get a culture where people speak up. You get data that drives better decisions. You get investigations that find the truth. And you get leadership that understands why compliance matters.

That’s the real payoff — not just surviving an investigation, but building something worth defending.


FAQ: DOJ Compliance Program Evaluation Criteria

What document outlines the DOJ compliance program evaluation criteria?

The DOJ publishes the Evaluation of Corporate Compliance Programs (ECCP). This guidance document is used by prosecutors in the Criminal Division’s Fraud Section to assess whether a company’s compliance program is effective. It’s updated periodically, with the most recent substantive revisions reflecting increased focus on data access, compensation incentives, and messaging platform oversight.

How often should we review our program against the DOJ’s criteria?

At least annually. Many compliance leaders conduct a formal gap analysis against the ECCP every year and a lighter quarterly check on key metrics like reporting volume, case resolution times, and risk assessment completion. Any major regulatory change or enforcement action in your industry should also trigger a review.

Does the DOJ require specific technology or software?

No. The DOJ doesn’t mandate any particular tool or vendor. However, prosecutors evaluate whether your program has adequate resources — including technology — to function effectively. A centralized case management system, reliable reporting channels, and analytics capabilities are practical necessities for meeting the criteria, even if they’re not explicitly required.

Can a good compliance program prevent criminal charges?

Yes. Under the DOJ’s Corporate Enforcement Policy, a company with an effective compliance program at the time of the offense may receive a presumption of declination — meaning prosecutors presume they should not bring charges. This isn’t guaranteed, but it’s a powerful incentive to invest in program effectiveness.

What’s the most common reason programs fail the DOJ’s evaluation?

Lack of evidence. Many organizations have reasonable policies and procedures but can’t demonstrate that they’re followed, measured, or improved over time. Documentation gaps, disconnected data systems, and low reporting rates are the most frequent weaknesses prosecutors identify.


Want to see how your compliance program stacks up against the DOJ’s evaluation criteria? Ethico helps organizations build programs that don’t just check boxes — they produce the data, documentation, and reporting culture that prosecutors look for. Explore how it works.
