A New Approach to Compliance: “Informed” Risk and Resource Allocation
The compliance field has had an incredible five years. From backwater offices and responsibilities, CCOs are now taking a seat at senior management tables to provide important risk-based assessments and policies to enhance ethics and compliance and avoid government investigations and shareholder lawsuits.
The compliance field is at an important point. Compliance professionals have to deliver. Compliance officers need to develop effective strategies and tools. Too often, CCOs are relying on existing strategies and systems without considering alternative and new innovative approaches.
Given my background as a federal prosecutor, I favor a new approach which is based on “informed” risk analysis. The Justice Department and SEC Guidance on the Foreign Corrupt Practices Act was a starting point for a new approach. DOJ and SEC urged companies to allocate resources based on risk-based analysis. That makes sense and derives from basic cost-benefit analysis. Resources should be allocated based on need and return from investment.
A new and important step needs to be built into compliance: determining what true “risks” a company faces. Once the risk is further defined, compliance programs can be tailored to the risk based on a cost-benefit analysis.
“Informed” ethics and compliance is based on a refined analysis and assessment of risk as well as the response to the risk through the allocation of resources. I know this sounds overly complex on paper but in practice it is not very complex. It requires the merging of two perspectives – a former prosecutor who can assess the risk of investigation and prosecution, as well as appropriate protections against government action. This approach would add an important layer of analysis and response. Existing programs may be tailored to reflect this new approach. An “informed” risk system would not replace an entire compliance program but would be a much needed refinement to existing compliance programs.
Not all legal or code of conduct violations are equal. A CCO has to examine risks based on likelihood of investigation and prosecution. For example, export “violations” differ in magnitude depending on a number of factors, including nature of violation (e.g. country sanction violated), extent of violation, intent of actors, and detection of violation (e.g. government, whistleblower or voluntary disclosure).
Former prosecutors have a good sense of how prosecutors think and act. They bring an important perspective to every compliance calculation – dedicating additional resources for monitoring hotlines may not be needed if the trade-off is to reduce resources for reviewing potential third parties or conducting antitrust compliance audits in highly concentrated industries and markets.
Building from this analysis, federal prosecutors also know what kinds of evidence can help a company to protect itself from possible federal prosecutions. Documentation programs have to be built with this kind of perspective so that a company can minimize the risk of government investigation and prosecution.
With this perspective, CCOs can accurately assess risks and allocate resources in response to these risks. The FCPA Guidance provided only a rough suggestion on this principle; it is up to compliance professionals to take this process and build new approaches.