Joseph Spinelli: Risk assessment best practices

The DOJ and SEC expect diverse functional areas of organizations to participate in compliance risk assessments. Among them are compliance, legal, internal audit, procurement, and finance. Human resources, marketing, and public relations also usually have a role.

The key is ensuring that whoever conducts the risk assessment understands the regulatory requirements and current industry best practices.

The risk assessment should seek to measure both inherent and residual risk. Once the risks are measured, the organization can then determine the adequacy of its mitigating controls.

The FCPA Guidance from the DOJ and SEC says that the risks to be addressed when conducting a risk assessment should include:

Internal Risks: Deficiencies in employee knowledge of a company’s business profile and understanding of associated bribery and corruption risks, employee and third party training or skill sets, and ambiguity in the policy on gifts, entertainment and travel expenses.

For example, Kroll’s ABC report shows that a majority (52%) of compliance officers are not confident that their financial controls would catch potential books-and-records violations of the FCPA. The single biggest reason for worry is “poor reporting relationships or collaboration,” which leaves doubt about whether finance department employees would know to bring concerns about possible improper payments to the compliance officer.

Country or External Risks: Countries with high levels of corruption, as highlighted by Transparency International on its Corruption Perceptions Index, that lack transparent procurement and investment policies and have a culture that doesn’t discipline offenders.

Transaction Risks: Charitable or political contributions, and practices in obtaining licenses and permits.

Foreign Official Risks: Foreign business partners located in high-risk jurisdictions.

A risk assessment should be conducted under attorney-client privilege. That’s the best way to protect against disclosure in the event of a criminal investigation or private litigation.

Within the privilege, risk assessment results are customarily reported to the legal and compliance departments. Legal and compliance may in turn report the results to management and the board or a committee of the board.

In the next post, I’ll discuss how risk assessments should be conducted to cover both the FCPA and U.K. Bribery Act.


Joseph Spinelli is a Senior Managing Director at Kroll. He was the first Inspector General for New York State and has enjoyed a career spanning more than 30 years in private and public service across many fields, including in FCPA, anti-bribery and corruption, monitorships and white collar investigations. He can be contacted here.

1 Comment

  1. According to my experience, the best practice to avoid bribery and corruption in several investment projects is to assess the risks from the bid stage or the first intention to do business with private or public customers.