One of the most powerful episodes in risk assessment history is the story of the Maginot Line, which the French military had deployed after WWI to prevail in any future trench warfare against the Germans. The latter, however, had other plans and so were able to outflank the former in WWII, with catastrophic consequences. Is there a danger that compliance professionals could face a “Maginot Line” problem in how they assess risk in their respective companies?
To begin, there is no question where the risk assessment action is these days. We are indeed currently going through what might be considered a golden age of anti-bribery anti-corruption (ABAC) risk assessment. This emphasis should be no surprise, for a variety of reasons.
- The U.S. Department of Justice’s Criminal Division has – over the past few years – issued several iterations of an important compliance program evaluation manual (Evaluation of Corporate Compliance Programs) which places considerable emphasis on conducting ABAC risk assessments.
- There have been many ABAC enforcement activities for more than a decade, with no good reason to believe that it will abate any time soon. This is another major driver of ABAC risk assessment.
- Compliance program failures can be prosecuted without provable acts of bribery, heightening the need for sound programs generally and risk assessment in particular.
- Many ABAC risks are “local” – not only geographically but also in terms of product/service lines and various functions within a company. This further enhances the need for ABAC risk assessment.
This is a lot to deal with, and so it is not surprising that assessing other types of risks is not a great priority at some other companies. But ignoring other risks can be dangerously shortsighted.
- Antitrust is another area where Justice has issued compliance program evaluation standards, and routinely brings costly enforcement actions yet – as best I can tell – there is much less risk assessment here than with ABAC.
- Conflicts of interest (COIs) is also an oft-neglected area when it comes to risk assessment. So is insider trading.
However, it is important to note that not all risk assessments are the same size and shape. For example, insider trading assessment may focus largely on the volatility of a company’s stock, the number of employees and others who have access to insider information, and the efficacy of compliance training/other communications. COI assessment may turn – at least in part – on cultural factors in the geographies where a company operates, the efficacy of procurement controls, and the utilization of disclosure mechanisms. Antitrust risk assessment will depend partly on a market analysis of where/how/with whom the company does business and the efficacy of antitrust auditing and monitoring in high-risk areas.
While this sounds like a lot of work, it can be much less so where the company has already conducted some risk-related activities that can be modified for inclusion in the assessment. For instance, review of disclosure records can sometimes go a long way in creating a COI risk assessment. And while the risk area of fraud can cover a great amount of ground (e.g., concerning financial reporting, product safety), much of that may have already been addressed by other compliance measures.
Finally, where does one begin? One possibility is with a needs analysis for a risk assessment. While that sounds like a lot of work, it can actually save time by focusing compliance efforts only where they are reasonably necessary. At the same time, assessing needs can help avoid a Maginot Line type debacle.
Mr. Kaplan – Thank-you for your post. I hope you won’t mind if I post a comment not about the subject or conclusion of your post, but rather about your lead-in regarding the Maginot Line. Prof. Ernest May, in his excellent 2001 book “Strange Victory”, makes a good argument that the Maginot Line worked exactly as the French had intended it to work – i.e., it deterred the Germans from attacking through the areas where the Line was established. The fact that the Germans were so successful in attacking through other areas was not, argues Prof. May, because of a misplaced reliance on the Maginot Line; it was because of other failures in the French bureaucracy. – John Connor
Thanks for the information, John
Jeff – You make a good point. So often I see people commenting on the “DOJ” guidance and evaluation questions on compliance programs, without any reference to the point that the guides are only those of the Criminal Division. Both the Antitrust Division and the Environmental and Natural Resources Division also have guides, but these typically are not referenced. Bribery seems to have eclipsed other risks.
Without question, corruption is a significant risk and for those operating internationally they should be committed to the fight against bribery. But there are other risks that need to be addressed as well. For example, the scope of antitrust risk has expanded to include hiring and pay practices; the Antitrust Division just brought its first criminal case in that area. So even a company that does not think it has competition issues still has employees and can still get involved in illegal cartel conduct.
If you read the Wall Street Journal regularly it is clear that companies face more than just bribery risk. The risk assessment should be broad enough to address the full range of compliance risks.
Comments are closed for this article!