The Importance of a Risk Assessment
Sometimes people operate with blinders. I don’t mean to suggest that people deliberately put blinders on to ignore issues – they sort of just grow into a person’s personality.
John Lennon said it best – “Living is easy with eyes closed.”
The same applies to people who fail to listen. Whether deliberate or not, people avoid what they do not want to hear. There are numerous reasons for not listening.
In the relatively narrow field of anti-corruption compliance, it is interesting to see how many companies appear to be avoiding a very clear requirement – conducting a risk assessment as the foundation of a company’s compliance program.
The Justice Department and the SEC provided very useful guidance in November 2012 to the business community – an effective compliance program must be tailored to a risk assessment. In addition, DOJ and the SEC advised companies to update the risk assessment, as needed, to ensure that their compliance programs are tailored to a current assessment of risks.
Companies need to take heed of those words. They are important. Instead, some companies want to live with their “eyes closed” and ignore the risk assessment requirement and jump ahead to implementing a compliance program, with all of the usual elements.
The danger of this approach is readily apparent. It inevitably leads to a misallocation of compliance resources. This problem is not catastrophic on its face; the compliance program will appear to be operating quite well and addressing what are perceived as potential compliance issues.
As the Wizard of Oz famously bellowed, “Pay no attention to the man behind the curtain!” The same rings true for the company that never conducted a risk assessment, implemented a compliance program, and marveled at its own creation.
The danger lies in a clear reality — the compliance program is not effectively addressing its risks. There will be large risks which are unattended and ignored in favor of smaller risks which may have overblown policies and procedures.
One important indication of a misalignment is the resources, policies and procedures that companies dedicate to gifts, meals, entertainment and travel expenses. Compliance officers love creating policies and procedures, forms and requirements, and never stop to ask the question – is this really appropriate?
While creating this elaborate system for monitoring gifts that pose little to no risk of bribery, the compliance officer has no clue what the business development and sales staff, or the company’s third-party agents, are doing in their interactions with foreign officials on a set of RFPs for multi-million dollar contracts.
The compliance officer is afraid to inject himself or herself into this risky interaction and ensure compliance. Instead, the compliance officer rationalizes to himself or herself that “training” the business development and sales staff (and possibly the third-party agents) is sufficient to address the risk in such interactions.
This is a very common scenario. Eventually this system breaks down when company sales staff, business development officers, and/or third-party agents are caught bribing foreign officials.
There may be many explanations for such conduct, but one thing is for sure – the absence of a risk assessment was a major contributor to a failure to detect and prevent bribery.