Practical Advice on Risk and Compliance Program Assessments

Sometimes the compliance industry makes things harder than they really need to be. As a result, Chief Compliance Officers are left to modify and transform practices and tools to fit the real world. I understand why CCOs do that – they are under extraordinary pressure and need to accomplish tasks without adequate resources.

In my practice, I always apply this philosophy. I am not out to make things complex and harder just to demonstrate that I can do so. Rather, I am always looking for ways to make tools and develop strategies that promote ethics and compliance, documentation, advice of counsel, and other means to protect the company from potential harm and promote ethics as a bottom-line contributor to the profitability of a company.

One area where companies can apply this philosophy is the risk assessment process. I know this is contrary to my business incentives but the method for conducting risk assessments needs to be reexamined and should never be cost-prohibitive. If you are spending more than $100k on a risk assessment, you are wasting money.

Too many people commission a high-cost risk assessment, only to receive a fancy, color-coded report that tells them what they already know. That is a waste of time and money.

A risk assessment does not have to be confusing, complex or expensive – but listening to others giving advice in the compliance space you would think that complexity equals quality. That simply is not true.

For some companies, such as very large companies with a multi-level operating structure that face risks from a wide range of sources, a risk assessment must naturally be complex to address the full scope of risks facing the company. For most companies, that approach is unwieldy, consumes unnecessary resources and produces results that may or may not be that helpful.

The risk assessment process, by definition, can be easily transformed into a more comprehensive and helpful process. I agree that the foundation of every ethics and compliance program must be a risk assessment.

The DOJ and SEC made very clear that making compliance decisions based on risks is key. From the US FCPA Resource Guide (2012), pg 59:

“DOJ and SEC will give meaningful credit to a company that implements in good faith a comprehensive, risk-based compliance program, even if that program does not prevent an infraction in a low risk area because greater attention and resources had been devoted to a higher risk area.”

If a company can demonstrate an “effective” compliance program, which is one that is tailored to the specific risks identified in a risk assessment, the company will have a much better shot at arguing for a declination or a significantly reduced penalty should the company be involved in an FCPA enforcement action.

As the government describes, the purpose of a risk assessment is not to make sure that your compliance program is addressing every single risk facing your company; it is to allow you to efficiently allocate scarce compliance resources to address the greatest risks facing your company. Identifying the top risks for your company allows you to avoid wasting resources on areas that are, for whatever reason, just not that important.

When looking at various risk assessment approaches I have been constantly disappointed. If you are going to go to the trouble of conducting a risk assessment, at a minimum, you need to broaden the inquiry – not only are you going to examine the risks, but you have to evaluate the ethics and compliance program and the mitigation of that risk. To the extent there are gaps, you then need to identify ethics and compliance program refinements to reduce those gaps.

My philosophy is simple – if you are looking under the hood and fixing your car, do more than just identify the problems; fix the problems as well. (BTW, I am not a car mechanic, never have been and never will be.) It takes time and effort to review the risks, and it is a good idea to assess your own program at the same time. In the end you will come out with a more relevant and helpful report.

A risk assessment should never be cost prohibitive. With that in mind, I focus on putting together a simple, systematic approach to measuring risks. The process is initiated by gathering basic sources of information via a comprehensive questionnaire (that should be completed by appropriate managers or employees), using electronic surveys to gather “real” feedback, and interviews of managers responsible for implementing compliance policies and procedures. The questions asked are focused on identifying sources of risk.

While I’m partial to my approach, the truth is with commitment and focus anyone can do this. Do not be fooled by all the rhetoric out there. Risk assessments are too important to ignore and can be accomplished in a way that fits into your budget.

