What is the biggest reason companies miss the chance at a DOJ declination?
It is almost never a decision not to disclose, and it is rarely ignorance of the law. The most common reason a company loses the chance at a declination is internal speed: the report surfaces somewhere in the organization and then moves too slowly — stalling in an escalation chain, waiting on “one more fact” — so that by the time decision-makers can act, the window to self-disclose has narrowed or closed. The policy rewards companies that move quickly after a concern is raised. Most companies are not built to move quickly.
Picture how it usually goes. On a Tuesday, an employee reports a suspicious payment routed through an overseas consultant. On Wednesday, HR opens a case and routes it to the regional team. The following week, regional legal asks for more documentation. A few weeks after that, it’s raised with a business-unit leader, who wants to understand the commercial context before anyone “overreacts.” Outside counsel is mentioned. The matter is real, it is being handled, and everyone in the chain is acting reasonably.
And the clock has been running the entire time — from that first Tuesday. Not one of those steps looks like a mistake. Together, they are how a company that fully intends to do the right thing arrives at a decision too late to get the most out of it.
The declination is real. Earning it is an operations problem.
Under the Department of Justice’s current Corporate Enforcement Policy, a company that voluntarily self-discloses misconduct, fully cooperates, and remediates in a timely manner can — absent aggravating circumstances — have the DOJ decline to prosecute. That is a genuinely valuable outcome, and it is real: companies have earned it.
Almost everything written about the policy explains what the declination is and what the criteria are. Very little explains the harder question for the people who actually have to live it: if the reward is this clear, why will most companies that face disclosable misconduct still fail to position themselves for it?
The answer has very little to do with law and almost everything to do with how an organization handles information. Qualifying for a declination is not primarily a legal achievement — it is an operational one. And it is the operational part that quietly defeats well-intentioned companies.
Wanting one isn’t the problem. Most companies already have the process on paper.
It would be easy to assume companies miss declinations because they don’t want the scrutiny, or because no one knows the policy exists. The evidence cuts the other way. In one 2025 global benchmarking survey, roughly seven in ten organizations reported having a formal process specifically designed to identify and assess escalations for potential voluntary self-disclosure. The intent is there. The framework is there, on paper.
This sharpens the real question. If the will exists and the process exists, the failure isn’t about either. It’s about whether that process actually moves — whether a concern raised by an employee on a Tuesday reaches the people who can decide to disclose while there is still time to act. That is a question about plumbing, not principle. And plumbing is exactly what a policy on paper doesn’t guarantee.
How can a company that wants a declination lose one anyway
It rarely happens in a single bad decision. It happens as a chain of individually reasonable ones, each of which spends a little more time:
The report stalls in the escalation chain. A concern is raised — on a hotline, to a manager, to a regional team. It gets logged, routed, and handed sideways. Each person treats it as someone else’s call. No single handoff looks like a failure, and yet the report never reaches the people who could decide to disclose.
Governance bottlenecks slow it further. No one owns the question of whether this is a self-disclosure matter. It crosses regions, legal, the business unit, and compliance — and at the seams between them, it waits. A matter that belongs to everyone, in practice, belongs to no one.
Leadership waits for “just one more fact.” When it finally surfaces, the instinct is prudent and understandable: don’t act until the internal investigation is complete and the picture is certain. Here is the uncomfortable part — that instinct is, in almost every other context, the legally responsible one. Careful leaders are trained to gather the facts before they act. But the policy doesn’t reward certainty; it rewards timely disclosure, even before an investigation is finished. So the very caution that protects a company everywhere else quietly works against it here. Waiting for the full picture can cost the exact benefit the caution was meant to protect — and because it feels responsible the whole time, no one in the room recognizes it as the mistake it’s becoming.
Time becomes the enterprise risk. No one stole the months that passed. Manager, HR, regional legal, the business unit, compliance — each did something reasonable. Collectively, they consumed the company’s most valuable and least visible asset in this situation: time. By the time the decision is made, it may be too late.
The companies that earned declinations had one thing in common: their information moved
Look at the early declinations under the policy, and a pattern appears — not in the misconduct, but in the timing. In the first corporate declination under the new department-wide framework, the company’s disclosure stemmed from an internal investigation already underway. The issue had surfaced internally and was moving before the decision to disclose was made. Its internal reporting and escalation systems moved information quickly enough for leadership to act.
A second declination, in a national-security export-controls matter, makes the point even more directly — because the DOJ said it out loud. While crediting the company’s self-disclosure, the department also noted that sales had continued despite missed opportunities in which third parties had flagged potential issues, and it pointed to a lesson for everyone else: companies need escalation procedures that actually capture warnings from customers, suppliers, vendors, consultants, outside counsel, and auditors. That is the regulator naming the exact failure described above — warnings that arrive but don’t move.
The takeaway is not “self-disclose, and you’ll be fine.” It is that the companies positioned to benefit were the ones whose internal escalation surfaced the issue in time to act on it. Their plumbing worked. The declination is downstream of the plumbing.
Stop reading for a moment and picture the last significant ethics or compliance concern your organization received.
How many desks did it cross before it reached your General Counsel? How long did each step take? Could anyone in the company reconstruct that timeline today?
If the honest answer is “no one really knows,” then the risk isn’t only the underlying conduct. It’s that leadership would have no way of knowing how much time had already passed — or how much was left.
A question worth asking before you need the answer: when does your clock start?
There is a sharp version of this problem hiding in plain sight. Ask five people in your organization when the company’s window to act would begin, and you may get five different answers: when an employee first noticed the issue, when they told a manager, when the manager emailed HR, when a hotline complaint was filed, or when compliance opened an investigation.
Your standing depends on how quickly you act once the company is aware — and reasonable people inside the same company will disagree about when “aware” began. If the moment your clock starts is ambiguous internally, you cannot manage the time you have, because no one agrees on when it began. The most practical thing a leadership team can do is define, in writing, what counts as “day zero” for escalation — and who is responsible for knowing the clock is running from that point.
That single definition turns an abstract policy into something an organization can actually operate against.
What actually closes the gap
If the failure is operational, so is the fix. None of it is exotic; all of it is about speed and ownership rather than legal sophistication:
An escalation path that has a deadline. A serious report should reach senior leadership and counsel within days, not drift through regions and functions for months. Build the path, and time it.
A named owner who watches the clock. Someone whose explicit job is to recognize that a window may be running the moment a serious concern is received — not after.
A written “day zero” definition. Decide in advance what event starts the clock, so the most important date in any future matter isn’t argued about after the fact.
A self-disclosure decision framework, built cold. Decide how you will weigh whether and when to disclose before you are under a deadline with a deal or a quarter on the line. The decision is hard enough without having to make it for the first time in a crisis. And remember that speed only gets you in the door: a favorable outcome also depends on full cooperation, genuine remediation, and the facts of the underlying conduct — timing is necessary, not sufficient.
The hardest version of this is the one that feels responsible
The most dangerous case is not the one where a company decides to bury a problem. It is the company that means to handle it well — carefully, deliberately, with outside counsel and a thorough internal review over the next quarter — and runs out its own clock without realizing the clock was ever running. The plan looks prudent right up until the moment it turns out to have been too slow.
That is exactly the scenario we built our Executive Decision Lab, The Clock, around: a leadership team designs the careful, defensible plan, then discovers a report came in months ago and the window is closing in hours. It is a way to pressure-test, with your own leaders, whether your organization would recognize the clock in time — before a real matter forces the question.
Find out when your clock starts — before it’s running
Pressure-test your organization’s escalation and self-disclosure decision-making with The Clock, an Executive Decision Lab™ for boards, CEOs, General Counsel, and Chief Compliance Officers.
This article is for general information and discussion only and is not legal advice. The Department of Justice’s Corporate Enforcement Policy and its application are fact-specific and subject to change — consult qualified counsel about your organization’s specific obligations and any decision to self-disclose. © 2005–2026 Xcelus LLC.
Frequently Asked Questions
What is the biggest reason companies miss a DOJ declination?
Most often it is internal speed, not a decision against disclosing. A concern surfaces but moves too slowly through escalation and review, so the company can’t act in time to qualify. The policy rewards timely disclosure after a concern is raised, and many organizations are not built to move that quickly.
Do you have to finish an internal investigation before self-disclosing?
No. The DOJ’s policy contemplates timely self-disclosure even when an internal investigation is not yet complete. Waiting for “one more fact” or full certainty can actually cost the benefit that caution was meant to protect. Specific timing decisions should be made with qualified counsel.
How can a company position itself to actually earn a declination?
Treat it as an operations problem, not just a legal one: an escalation path with a deadline that gets serious reports to leadership in days, a named owner who watches the clock, a written definition of when the clock starts, and a self-disclosure decision framework built before a crisis rather than during one.
© 2005–2026 Xcelus LLC. All rights reserved. This content is for training and discussion only and is not legal advice; consult qualified counsel about your organization’s specific obligations.