In a previous post on the FCPA Blog I briefly explored five ways to make the most of risk assessments. Since then, interest in risk assessment has continued to be very strong. So, here are five more suggestions.
1. Include in the assessment the reasons for – as well as the likelihood and impact of – different types of compliance and ethics (C&E) risks.
This is the “why” dimension to risk assessment, and it is important because different risk reasons can require different types of compliance responses.
For instance, employees’ failure to fully understand or appreciate a given risk may suggest the need for more or different training and communications about that risk. But for other types of risk, knowledge or appreciation is not the issue. For these risks of a knowing violation, audit or other forms of checking are generally more important.
Checking can indeed be key to dealing with compensation or revenue-related risks. That is because such risks tend to be powerful – and often require strong “medicine,” which checking tends to be (at least when compared with training and communications).
Of course, in planning risk assessments, the selection of methodologies is not of a “one or the other” nature. Good risk assessments can use more than one method. But understanding the why dimension can help a company know where to emphasize its efforts.
2. Use “risk scenarios” to identify the “what,” “where,” “when,” and “how” of risks.
For instance, simply proclaiming that a company has a significant antitrust risk does not go far enough to be helpful. Using scenarios, one should also assess risks in a more granular way. E.g., what type of antitrust misconduct poses the likeliest risk for the company? For horizontal restraints, is it bid-rigging, price-fixing, boycotting, or something else? Which geographies are risky? Same questions about specific product or service lines: What are antitrust risks along the supply or distribution chain?
Of course, one can go too far in drilling down on risks. But, at least in my experience, more companies do too little in this regard, and too few do too much.
3. Use the assessment results not only for traditional purposes (typically audit prioritization and board program oversight) but also for all the other major program elements (e.g., policies, training, communication, process controls, incentives, resources, and accountability).
This may sound obvious, but many companies fall short in this regard, even though it is right out of the Sentencing Guidelines. What is needed for some companies is a process for mining risk information to make sure that it is addressed using all relevant C&E “tools.”
4. Assess a sufficiently broad range of risks.
For instance, many should but do not assess insider trading risks. The same is true of economic espionage.
With these and various other risks, one need not conduct the assessment with the same degree of granularity with which one assesses corruption risks. But even a small amount of focus can yield real C&E value, particularly when dealing with a risk that has been largely ignored over the years.
5. Consider combining risk and program assessments.
This will not work for every company for a host of reasons.
But for those that do both types of assessments based largely on employee interviews, combining the efforts can make both more efficient and effective.