A Call to Arms: Conduct a Risk Assessment
The FCPA Guidance includes some important reminders for compliance practitioners. Most significantly, DOJ and SEC want companies to reinvigorate their risk assessment process.
In the absence of an effective risk assessment, companies are likely to allocate compliance resources without proper regard for specific risks. Such a deficiency will permeate every element of a compliance program. As a result, companies will develop “paper” compliance programs which lack any tailoring to risks.
A company’s compliance structure is designed to analyze and rank risks. It is a fundamental operation of a compliance program. Without some ranking of risks, companies cannot develop a relative response to significant risks.
The FCPA Guidance points this out in its discussion of the importance of an “effective” compliance program. Initially, the FCPA Guidance cites the frequency with which it confronts “paper” compliance programs – meaning a compliance program which is written down but is not carried out.
In determining whether a compliance program is “effective,” the FCPA Guidance cites the importance of a company conducting a risk assessment and then tailoring its program to respond to relative risks. Companies often spend too much time focusing on specific expense situations (e.g. gifts, meals, entertainment) to the detriment of due diligence of third parties or other specific risks.
The FCPA Guidance cites an important example of the skewing of priorities – a company which devotes significant time to expense review and ignores significant risks created by a potential $50 million contract with a foreign government. This inappropriate response to relative risks is common in today’s compliance environment.
Part of this trend is the result of structural deficiencies – compliance officers are not given full authority over a compliance program, and instead have to carve out areas of authority from company lawyers. A company should adopt a prospective expense policy, set certain levels for approvals, and establish a protocol. It is not necessary to wring hands over such expenses unless they are keyed to a separate and significant risk (e.g. medical conference sponsorships for drug and medical device companies).
If a chief compliance officer has his or her own C-level spot in the corporate hierarchy, along with a corporate compliance committee at the board level, this problem of misallocation is unlikely to occur.
DOJ and SEC have gone on record with an important warning to companies. Do not expect to receive full credit for a compliance program if it is not keyed to a risk assessment.
The FCPA Guidance holds out an important carrot for compliance – if you have an “effective” compliance program, you will receive significant credit, and may even earn a pass for a violation. This is an important policy and one which should cause companies to redouble their compliance efforts.