The U.S. Department of Justice (DOJ) has once again updated its guidelines for evaluating corporate compliance programs, with new changes introduced in September 2024. These updates build on the March 2023 version and reflect a deeper focus on emerging risks, particularly those posed by advancements in technology like artificial intelligence. Let’s take a closer look at what’s changed and why these updates matter for companies striving to maintain strong compliance practices.
The DOJ’s revised guidance has placed a much stronger emphasis on managing risks associated with emerging technologies. AI, in particular, is highlighted as an area of concern. Businesses are now expected to actively assess how these technologies impact their risk landscape and ensure their AI systems comply with legal and ethical standards.
The update signals a shift in how prosecutors will scrutinize companies’ adoption of technology. It’s not enough to simply integrate new tools, either, as businesses must now demonstrate that they’ve accounted for AI-related risks, both in their day-to-day operations and within their broader compliance frameworks.
Key Consideration: Companies should review their technology oversight processes to confirm they’ve properly accounted for AI risks and established safeguards that meet regulatory standards.
The new guidance doesn’t stop at technology risk; it goes further, requiring businesses to show how they govern and manage their AI systems. There’s a clear expectation for human oversight in AI-related decision-making. This means businesses must define boundaries between automated systems and human input, with the goal of ensuring ethical use and avoiding decisions that could lead to compliance issues.
This is a significant shift in expectations. Organizations now need to prove not just that AI systems are technically sound but also that the ethical implications of their use have been carefully considered and controlled.
Key Consideration: If your organization is using AI, you’ll definitely want to make sure that the lines of accountability are clearly drawn and that controls are in place to avoid compliance risks.
Risk management remains central to the DOJ’s expectations, but the September 2024 update pushes companies to be much more proactive. No longer is it sufficient to rely on periodic risk assessments. The updated guidance calls for continuous evaluation of risks, especially in areas where market conditions, regulations, or technology might create new vulnerabilities.
Organizations are expected to continuously reassess and adjust their compliance programs in response to both internal and external changes. The shift towards real-time risk monitoring reflects the DOJ’s intent for companies to be nimbler and more responsive in addressing potential issues before they escalate.
Key Consideration: The best approach to risk management is necessary to stay ahead of compliance challenges. Regular, real-time reviews of operational risks should become a standard practice.
Confidential reporting mechanisms and whistleblower protections have long been part of the DOJ’s compliance framework, but the 2024 updates emphasize the importance of strengthening these areas. The guidance pushes businesses to evaluate whether employees feel genuinely safe reporting potential violations and whether the organization encourages reporting.
Testing the effectiveness of whistleblower programs is also now a core expectation, as is ensuring that employees are fully aware of the protections in place against retaliation.
Key Consideration: Make sure your whistleblower program is not just a checkbox but a fully supported initiative that employees trust and use without fear of retribution.
The DOJ now expects companies to take a more structured approach to learning from past compliance failures. While the 2023 guidance highlighted the need to reflect on lessons learned, the September 2024 update requires businesses to have a formal process for tracking and implementing those lessons in future risk assessments and compliance strategies.
This means that companies need to document their internal compliance missteps and look externally at industry-wide challenges, incorporating those lessons into their programs. Prosecutors will be looking for clear evidence that past issues have informed current risk management practices.
Key Consideration: Develop a formal mechanism for tracking and integrating lessons learned into your compliance and risk management programs.
The DOJ’s latest guidance emphasizes that compliance should no longer exist in a vacuum. It needs to be fully integrated into broader enterprise risk management efforts. Compliance risks should be managed alongside other business risks, such as financial or operational vulnerabilities, creating a holistic view of the company’s overall risk exposure.
This integration makes certain that compliance is not treated as an isolated function but as a vital component of the company’s overall strategy for managing risks.
Key Consideration: Align compliance efforts with your organization’s broader risk management strategies to ensure a cohesive approach to mitigating risks.
The final key update from the DOJ’s September 2024 guidance is the focus on more targeted and effective compliance training. The DOJ now highly encourages businesses to go beyond generic, one-size-fits-all training programs. Instead, organizations are being pushed to tailor training toward different employee roles and ensure it’s relevant to their specific responsibilities.
Companies are also expected to track how well their employees engage with training programs and whether the training is having a measurable impact on their behavior.
Key Consideration: Review your training programs to ensure they are relevant and effective in driving legitimate change in employee behavior.
The September 2024 DOJ updates represent a committed shift towards proactive and forward-thinking compliance management. From addressing the risks posed by AI to strengthening whistleblower protections and integrating compliance with enterprise risk management, these changes push businesses to take a more comprehensive and adaptable approach to compliance. Companies that align their practices with these updates will not only be better positioned to avoid regulatory scrutiny but also foster an authentic culture of integrity across their organizations.
Are you ready to set up a trial of VComply and automate your compliance process?
