
This article was originally published on the Compliance Kristy Blog.


The recent update to the Department of Justice’s Evaluation of Corporate Compliance Program guidance (ECCP) has stirred up quite a ruckus.

In case you missed it…

This is the second in our series describing what to do in response to the updated ECCP. The first post is about what to do now with risk assessments. It can be found HERE.

What to do now

The policy- and procedure-related updates to the ECCP are a bit peculiar. Nevertheless, we ignore them at our peril. Luckily, they aren’t terribly onerous (unlike, say, the DOJ’s expectations regarding artificial intelligence, but that’s a different blog). Here’s our top five list of what to do now.

1. Create a process to update policies based on lessons learned

How many times have you read the same fact pattern in a big enforcement action? Or seen the same policy violation in your internal investigations? Too many to count?

The DOJ is sick of seeing the same misconduct over and over again. And who can blame them?

To help them and yourself, the DOJ has inserted new language in the ECCP asking whether the program includes “a process for updating policies and procedures to reflect lessons learned either from the company’s own prior issues or those of other companies operating in the same industry and/or geographic location.”

How to:

The answer depends on the strictness of your policy governance structure. If you have a formal policy on policies, you may be able to add a sentence or section on updating compliance policies when the company’s internal issues or external enforcement actions illuminate a need.

If you can’t change your policy on policies, you can always write a procedure for updating compliance policies and include this requirement.

If you don’t have a strict policy structure, you can write a policy or procedure on compliance policy updates that includes this consideration.

2. Create a process to update policies based on emerging risk

Those of you who read the blog on what to do with risk assessments will recognize the DOJ’s new focus on emerging risk. They’ve taken it a step further and included the question, “Is there a process for updating policies and procedures to address emerging risks…?” in the ECCP.

Notice that they didn’t ask whether the policies are written to anticipate emerging risks. Rather, they’ve asked if there is a process for updating policies to address emerging risk.

How to:

Take that policy-on-policy section on updating policies and include another sentence requiring the updating of compliance policies in response to emerging risk.

Alternatively, take that procedure you just wrote on policy updating, and include a sentence or two on updating policies in light of emerging risk.

3. Create a process to update policies based on technological changes

We’re in the third of the “do you have a process to update your policies…” series of questions in the new DOJ guidance. This question asks whether we have a process for updating policies and procedures to address emerging risks relating specifically to the use of new technologies.

How to:

Luckily, this “how to” is easy to do, now that we’ve already either updated our policy on policies or created a new procedure document for updating compliance-related policies and procedures.

Add a sentence or two on updating policies in response to technological changes and new technologies employed by the company.

The truth is, you probably already update your compliance-related policies when the company adopts new technologies. The important thing, per the DOJ, is to document that process.

4. Survey employees on their policy access know-how

A policy is worthless if no one knows it exists or how to access it. That’s probably why the DOJ included the new question, “How does the company confirm that employees know how to access relevant policies?”

Interestingly, the DOJ didn’t ask us to confirm whether employees understand policies, but rather, if we have a process to confirm employees know how to access them.

How to:

How do you confirm whether employees know how to access relevant policies? You ask them.

This is a great opportunity to refresh your ethical culture survey to include a question confirming whether employees feel confident in finding policies.

You could also create a pulse survey or include a question at the end of your eLearning modules asking if people know where to find policies related to the training topic.

5. Update your M&A integration playbook to incorporate policy integration

The DOJ included a whole new paragraph about post-M&A compliance program integration. When it comes to policies and procedures, prosecutors are instructed to ask, “What is the company’s process for implementing and/or integrating a compliance program post-transaction?” then, “How are compliance policies and procedures organized?”

How to:

Take your M&A playbook and add a sentence requiring that policy and procedure planning be included in post-transaction integration planning.

Updating or replacing newly merged/acquired company policies with the new owner’s policies should be a priority. Having a plan to do that is critical.

In the end, these are easy changes to make, but prioritizing your time to make them can be difficult. It’s worth it to do so, because if you ever have the dreaded knock on the door, you’ll be prepared.


Up-to-date and easily accessible policies and procedures are essential, and they also help to keep your organization operating in compliance with the law and your company’s standards.

If you’re still struggling with keeping them organized, distributed and attested to, we can help. NAVEX Policy & Procedure Management is designed to keep your company compliant, and your workforce informed.
