Risk assessments are an important tool for JVs to understand their compliance risks better and for parent companies to monitor those risks and mitigation measures.
Some companies find it useful to consider risk in terms of the following four steps:
- Inherent/gross risk to JV (based mostly on the JV’s industry and geography).
- Mitigated/net risk to JV (based on the JV’s controls).
- Inherent risk to the parent company.
- Mitigated risk to the parent.
Ultimately, only the last one matters to the parent, but understanding the first three can be critical to assessing and controlling risk to the parent effectively.
The first two of these steps essentially involve traditional risk assessment. The third — the inherent risk the parent company faces –- is much less traditional in nature, and we recommend that you consider the following types of risk:
- Reputational impact, which can vary by the nature of the business, including risks arising from the possibility that the parent can be seen as controlling the JV, even where it doesn’t.
- Amount of investment.
- Strategic importance (e.g., is the subsidiary part of the parent’s supply or distribution chain?)
The outcome of this assessment guides the fourth step, both in terms of designing appropriate measures at the parent level (e.g., mitigating the strategic importance of a JV for high-risk entities) and those at the JV level (i.e., the second step).
With respect to the latter, a parent company might assist the JV with recommended action items, which can be general (e.g., senior management compliance and ethics training, due diligence on the JV’s third parties) or risk-area specific (e.g., safety, corruption, responsible sourcing).
Parents should also consider annual certifications from the JVs and following up with audits. Where a parent has a large number of JVs, technology can help manage these processes.
Parent companies should consider periodically training board members and seconded employees on key compliance and ethics issues, including regarding overall C&E processes and those risk areas that are of particular significance to the JV.
Where a parent company is assisting JVs with compliance, it is important that the individuals involved in this work (e.g., from the parent’s compliance, law or finance departments) have clearly defined responsibilities and (possibly) incentives.
Otherwise, their JV-related duties might be neglected in favor of their “day jobs.”