How To Evaluate Your Existing Compliance Program

May 11, 2021


Have you wondered whether your compliance program is sufficient to safeguard your business against potential penalties for non-compliance?

Taking the time to evaluate whether you have an effective compliance program can save you both money and time (and it may even improve your sleep).

Here, we offer you questions you may wish to ask yourself, as a business owner, to help determine whether your compliance program is effective.  These recommendations emanate from the top dog in enforcement – the U.S. Dept. of Justice (DOJ).

The DOJ updated its directives to its prosecutors a few months ago.  The evaluation methods used by the prosecutors, who issue those enormous penalties, are the same methods you can employ to make your own compliance program assessment.  These guidelines can help you avoid findings of violations from any enforcement agency – OSHA, state inspectors, FTC, DOL – not just the DOJ.  We have filtered through the questions to ease the process and help you focus on what matters most to you.  If you wish, you may read the entirety of the DOJ Guidance.  So, grab your favorite beverage and let’s review the following questions knowing that this is time well spent and all will be well:


  • Is the company’s compliance program well designed?
  • Is the program being applied earnestly and in good faith?  In other words, is the program adequately resourced and empowered to function effectively?
  • Does the corporation’s compliance program “work” in practice?
  • Does the compliance program devote appropriate attention and resources to high-risk events, even if it fails to prevent an infraction?
  • Does company management enforce the compliance program, or is it tacitly encouraging or pressuring employees to engage in misconduct to achieve business objectives?  More specifically, has the company designed, implemented, reviewed, and revised its corporate compliance program, or has it, instead, merely maintained a “paper program” that is neither genuinely implemented nor scrupulously followed?


  • What methodology has the company used to identify, analyze, and address the risks it faces?
  • What information or metrics has the company collected and used to help detect the type of misconduct in question?
  • How have the information or metrics informed the company’s compliance program?

Risk-Tailored Resource Allocation

  • Does the company devote a disproportionate amount of time to policing low-risk areas instead of high-risk areas?


  • Is the risk assessment current and subject to periodic review?
  • Is the periodic review limited to a “snapshot” in time or based upon continuous access to operational data and information across functions?
  • Has the periodic review led to updates in policies, procedures, and controls?
  • Do these updates account for risks discovered through misconduct or other problems with the compliance program?


Does the company have a process for tracking and incorporating into its periodic risk assessment lessons learned either from the company’s own prior issues or from those of other companies operating in the same industry and/or geographical region?


Any well-designed compliance program entails policies and procedures that give both content and effect to ethical norms and that address and aim to reduce risks identified by the company as part of its risk assessment process.

  1. Does the company have a code of conduct that sets forth, among other things, the company’s commitment to full compliance with relevant Federal laws that is accessible and applicable to all company employees?
  2. Does the company have established policies and procedures that incorporate the culture of compliance into its day-to-day operations?


What is the company’s process for designing and implementing new policies and procedures and updating existing policies and procedures, and has that process changed over time?

Who has been involved in the design of policies and procedures?


What efforts has the company made to monitor and implement policies and procedures that reflect and deal with the spectrum of risks it faces, including changes to the legal and regulatory landscape?


  • How has the company communicated its policies and procedures to all employees and relevant third parties?
  • Have the policies and procedures been published in a searchable format for easy reference?
  • Does the company track access to various policies and procedures to understand what policies are attracting more attention from relevant employees?


  1. Who has been responsible for integrating policies and procedures?
  2. Have they been rolled out in a way that ensures employees’ understanding of the policies?
  3. In what specific ways are compliance policies and procedures reinforced through the company’s internal control systems?


  • What, if any, guidance and training have been provided to key gatekeepers in the control processes (e.g., those with approval authority)?
  • Do they know what misconduct to look for?
  • Do they know when and how to escalate concerns?


Another hallmark of a well-designed compliance program is appropriately tailored training and communications.

  • What steps have been taken by the company to ensure that policies and procedures have been integrated into the organization, including through periodic training and certification for all directors, officers, relevant employees, and, where appropriate, agents and business partners?
  • Has the company relayed information in a manner tailored to the audience’s size, sophistication, or subject matter expertise?

Some companies, for instance, give employees practical advice or case studies to address real-life scenarios, and/or guidance on how to obtain ethics advice on a case-by-case basis as needs arise. Other companies have invested in shorter, more targeted training sessions to enable employees to timely identify and raise issues to appropriate compliance, internal audit, or other risk management functions.

  • Does the training adequately cover prior compliance incidents?
  • How does the company measure the effectiveness of its training curriculum?


What training have employees in relevant control functions received?

Has the company provided tailored training for high-risk and control employees, including training that addresses risks in the area where the misconduct occurred?

Have supervisory employees received different or supplementary training?

What analysis has the company undertaken to determine who should be trained and on what subjects?


Has the training been offered in the form and language appropriate for the audience?

Is the training provided online or in person (or both), and what is the company’s rationale for its choice?

Has the training addressed lessons learned from prior compliance incidents?

Whether online or in person, is there a process by which employees can ask questions arising out of the trainings?

How has the company measured the effectiveness of the training?

Have employees been tested on what they have learned?

How has the company addressed employees who fail all or a portion of the testing?

Has the company evaluated the extent to which the training has an impact on employee behavior or operations?


What resources have been available to employees to provide guidance relating to compliance policies?

How has the company assessed whether its employees know when to seek advice and whether they would be willing to do so?


What has senior management done to let employees know the company’s position concerning misconduct?

What communications have there been generally when an employee is terminated or otherwise disciplined for failure to comply with the company’s policies, procedures, and controls (e.g., anonymized descriptions of the type of misconduct that leads to discipline)?

Now, this may take more than one cup of tea to fully digest.  Consider breaking this list down into assigned days for consideration.  And know that you have Regulatory Support Services on your team to assist you in any way that you determine would enhance your compliance program.  We offer the following services, among others:

– Complete OSHA inspection of physical facility and OSHA related records

– Comprehensive written report and corrective action plan

– Review of existing OSHA workplace safety policies

– Conduct annual bloodborne pathogen and hazard communication training

– Provide for Continuing Education Hours with the State Dental/Medical Board

– Abatement service, if needed

– Technical assistance and consultation services for OSHA matters

Contact us at (804) 784-7347 for further information about how to enhance your compliance plan.  We are here to help.
