Welcome to Day 4 of 30 Days to a Better Compliance Program. Today we tackle risk assessments. One cannot really say enough about risk assessments in the context of anti-corruption programs. The FCPA Guidance stated it succinctly when it said, “Assessment of risk is fundamental to developing a strong compliance program, and is another factor DOJ and SEC evaluate when assessing a company’s compliance program.” The simple reason is straightforward; one cannot define, plan for, or design an effective compliance program to prevent bribery and corruption unless you can measure the risks you face.

What Should You Assess?

What risks should you assess? There are a number of ways you can slice and dice your basic inquiry. The FCPA Guidance states, “Factors to consider, for instance, include risks presented by: the country and industry sector, the business opportunity, potential business partners, level of involvement with governments, amount of government regulation and oversight, and exposure to customs and immigration in conducting business affairs.” Another way is to break the risk areas to evaluate down into the following categories: (1) Company Risk, (2) Country Risk, (3) Industry-Sector Risk, (4) Transaction Risk and (5) Third-Party Risk.

How Should You Assess Your Risks?

Risk assessments can be performed in a variety of ways. You can use some basic tools such as personal or telephone interviews of key employees; surveys and questionnaires of employees; and review of historical compliance information such as due diligence files for third parties and mergers and acquisitions, as well as internal audits of key offices. Another level might be a deeper dive into high risk countries, high risk business areas an more detailed review of your third party representatives.

How do You Evaluate a Risk Assessment?

Once risks are identified, they are then rated according to their significance and likelihood of occurring, and then plotted on a heat map to determine their priority. The most significant risks with the greatest likelihood of occurring are deemed the priority risks, which become the focus of the audit/monitoring plan. You should prepare a risk matrix detailing the specific risks you can relative remediation requirements identified and relevant mitigating controls.

 Three Key Takeaways

  1. Assess the risks relevant to your company.
  2. Document your risk assessment protocol and results.
  3. The evaluation of your risks and remediation therefrom. 

For more information, check out my book Doing Compliance: Design, Create and Implement an Effective Anti-Corruption Compliance Program, which is available by clicking here.