The Elusive Art of the Risk Assessment

June 20, 2011

Print
Email
Reprint
Text: A | A | A

More The Big Picture

Our latest Compliance Week editorial roundtable happened last week in Chicago, where we paired up with the software firm Recommind and convened a group of nine compliance officers to talk about anti-corruption programs. Now at first glance, you'd assume that any roundtable with the word “anti-corruption” in the title would dwell on the Foreign Corrupt Practices Act in the United States, the Bribery Act in Britain, and the many other anti-corruption laws coming onto the books around the world these days.

You'd assume that—but you'd be rather wrong.

In reality, our two-hour conversation revolved around risk assessments: who should do them, what they should contain, and even whether they're all that useful. As always, we'll have complete coverage of the roundtable in an upcoming edition of Compliance Week, but let me share some preliminary thoughts here.

One of my most arresting observations came early, as we went around the table asking participants to describe their businesses and specify what parts of their anti-corruption programs were most difficult. At least half the group said something along the lines of “we're expanding internationally and going into emerging markets we don't know well.” That was the prime fact for compliance officers in the room, and it's the prime fact for many others as well.

You'll see it in any business headline you read right now: Growth is sputtering in North America and Europe, but surging in places like India, China, Brazil, Indonesia, South Africa. Whether you want to avoid the corruption in those areas or not is irrelevant; that's where the business is, and your corporation is going to go there. Indeed, as I heard all those responses at our roundtable, I was reminded of a question posed to the compliance officers at PepsiCo and Procter & Gamble at our annual conference last month, where someone asked the men whether any country in the world had so much corruption risk that their companies would not do business there. Both said no.

Little surprise, then, that if your company is racing into these emerging markets, the chief compliance officer wants a strong, accurate risk assessment of doing business those locations.

What surprised me, however, was the spirited discussion that ensued about how to conduct a risk assessment. Who should participate in a project like that? How large should the group be? And are many assessments even all that useful?

Several participants argued against the conventional wisdom of a “bottom-up” risk assessment that involves local employees around the world—heresy, according to some compliance thinkers out there, but they had a point. The people at the bottom who do take risk assessments seriously—and there aren't many of them—raise the same concerns time and again: corruption; stupid middle management; market competitors. One roundtable attendee quipped any compliance officer with two brain cells to fire together could figure that out. I agree.

Others disagreed. Yes, they said, a top-down risk assessment can correctly frame bribery risks at a high strategic level, which is how an over-scheduled board of directors needs to understand the issue—but those same top executives won't know that “bribery risk in our IT sales division” actually means “a business unit manager in Indonesia has a brother-in-law in the provincial lottery division.” Only local employees will see that specific threat.

In truth, both camps were right, and they both led to a question I've heard time and again from compliance officers everywhere: How do we empower the middle? Because only those middle managers will know how to translate those top-down, strategic risk assessments into real terms, and match them to the fact patterns that bottom-up employees are warning you about.

We had no good answer to that question at our roundtable. If you have one, let me know so we can name you “Compliance Officer of the Century” immediately. You'll deserve it.

Risk assessments aside, we did have one other, more pedestrian concern worth noting: travel and entertainment budgets. Proper use of T&E, of course, has flummoxed prim global compliance officers and bar-hopping Wall Street traders for the better part of a decade. But at least under the FCPA, the boundaries of T&E were fairly clear—don't shower foreign officials with gifts or entertainment that could reasonably be construed as a bribe. That's a hassle to implement in practice, yes, but the principle is fairly straightforward.

On the other hand, the Bribery Act now also prohibits commercial bribery—so the same T&E goodies you couldn't give to foreign officials, you now can't provide to current or future customers either. I can already imagine the sales departments screaming about that, and compliance hotlines buzzing with questions about whether it's OK to take your biggest customer to a golf getaway weekend.

Howard Sklar, senior counsel at Recommind and my co-host for the roundtable, said that section of the Bribery Act seems untenable. I tend to agree.

Compliance Week Podcasts ...

Every week we chat with leading thinkers in compliance, auditing, risk management, public policy and more. These short (10-15 minutes) interviews are free to all. Follow Compliance Week podcasts on iTunes.

Compliance Week LinkedIn Group

Compliance Week now has a companion group on LinkedIn, where members can network and discuss the compliance and governance news of the day. Open to all compliance professionals, free to join.

Survey of the Week

Deloitte is conducting their annual Look Before You Leap: Managing Risks in Global Investments survey to better understand the approaches companies are taking to address compliance and integrity-related risks in emerging markets.