The DOJ and SEC expect diverse functional areas of organizations to participate in compliance risk assessments. Among them are compliance, legal, internal audit, procurement, and finance. Human resources, marketing, and public relations also usually have a role.
The key is ensuring that whoever conducts the risk assessment understands the regulatory requirements and current industry best practices.
The risk assessment should seek to measure both inherent and residual risk. Once the risks are measured, the organization can then determine the adequacy of its mitigating controls.
The FCPA Guidance from the DOJ and SEC says that the risks to be addressed when conducting a risk assessment should include:
Internal Risks: Deficiencies in employee knowledge of a company’s business profile and understanding of associated bribery and corruption risks, gaps in employee and third-party training or skill sets, and ambiguity in the policy on gifts, entertainment and travel expenses.
For example, Kroll’s ABC report shows that a majority (52%) of compliance officers are not confident in their financial controls to catch potential books-and-records violations of the FCPA. The single biggest reason for worry is “poor reporting relationships or collaboration,” meaning it is unclear whether finance department employees would know to bring concerns about possible improper payments to the compliance officer.
Country or External Risks: Countries with high levels of corruption, as highlighted by Transparency International on its Corruption Perceptions Index, that lack transparent procurement and investment policies and have a culture that doesn’t discipline offenders.
Transaction Risks: Charitable or political contributions, and practices in obtaining licenses and permits.
Foreign Official Risks: Foreign business partners located in high-risk jurisdictions.
A risk assessment should be conducted under attorney-client privilege. That’s the best way to protect against disclosure in the event of a criminal investigation or private litigation.
Within the privilege, risk assessment results are customarily reported to the legal and compliance departments. Legal and compliance may in turn report the results to management and the board or a committee of the board.
In the next post, I’ll discuss how risk assessments should be conducted to cover both the FCPA and U.K. Bribery Act.
Joseph Spinelli is a Senior Managing Director at Kroll. He was the first Inspector General for New York State and has enjoyed a career spanning more than 30 years in private and public service across many fields, including in FCPA, anti-bribery and corruption, monitorships and white collar investigations. He can be contacted here.