One of the most powerful episodes in risk assessment history is the story of the Maginot Line, which the French military had deployed after WWI to prevail in any future trench warfare against the Germans. The latter, however, had other plans and so were able to outflank the former in WWII, with catastrophic consequences. Is there a danger that compliance professionals could face a “Maginot Line” problem in how they assess risk in their respective companies?
To begin, there is no question where the risk assessment action is these days. We are currently going through what might be considered a golden age of anti-bribery/anti-corruption (ABAC) risk assessment. This emphasis should be no surprise, for a variety of reasons.
- The U.S. Department of Justice’s Criminal Division has – over the past few years – issued several iterations of an important compliance program evaluation manual (Evaluation of Corporate Compliance Programs) which places considerable emphasis on conducting ABAC risk assessments.
- There have been many ABAC enforcement activities for more than a decade, with no good reason to believe that they will abate any time soon. This is another major driver of ABAC risk assessment.
- Compliance program failures can be prosecuted without provable acts of bribery, heightening the need for sound programs generally and risk assessment in particular.
- Many ABAC risks are “local” – not only geographically but also in terms of product/service lines and various functions within a company. This further enhances the need for ABAC risk assessment.
This is a lot to deal with, and so it is not surprising that assessing other types of risks is not a great priority at some other companies. But ignoring other risks can be dangerously shortsighted.
- Antitrust is another area where Justice has issued compliance program evaluation standards and routinely brings costly enforcement actions, yet – as best I can tell – there is much less risk assessment here than with ABAC.
- Conflicts of interest (COIs) are also an oft-neglected area when it comes to risk assessment. So is insider trading.
However, it is important to note that not all risk assessments are the same size and shape. For example, insider trading assessment may focus largely on the volatility of a company’s stock, the number of employees and others who have access to insider information, and the efficacy of compliance training/other communications. COI assessment may turn – at least in part – on cultural factors in the geographies where a company operates, the efficacy of procurement controls, and the utilization of disclosure mechanisms. Antitrust risk assessment will depend partly on a market analysis of where/how/with whom the company does business and the efficacy of antitrust auditing and monitoring in high-risk areas.
While this sounds like a lot of work, it can be much less so where the company has already conducted some risk-related activities that can be modified for inclusion in the assessment. For instance, review of disclosure records can sometimes go a long way in creating a COI risk assessment. And while the risk area of fraud can cover a great amount of ground (e.g., concerning financial reporting, product safety), much of that may have already been addressed by other compliance measures.
Finally, where does one begin? One possibility is with a needs analysis for a risk assessment. While that sounds like a lot of work, it can actually save time by focusing compliance efforts only where they are reasonably necessary. At the same time, assessing needs can help avoid a Maginot Line-type debacle.