One cannot really say enough about risk assessments in the context of anti-corruption programs. The 2012 FCPA Guidance stated it succinctly: “Assessment of risk is fundamental to developing a strong compliance program, and is another factor DoJ and SEC evaluate when assessing a company’s compliance program.” The reason is straightforward: you cannot define, plan for, or design an effective compliance program to prevent bribery and corruption unless you can measure the risks you face. When you couple risk assessments with the root cause analysis required under the Justice Department’s Evaluation of Corporate Compliance Programs, the importance of these tools becomes clear.
What Should You Assess?
What risks should you assess? There are several ways you can slice and dice your basic inquiry. The 2012 FCPA Guidance states, “Factors to consider, for instance, include risks presented by: the country and industry sector, the business opportunity, potential business partners, level of involvement with governments, amount of government regulation and oversight, and exposure to customs and immigration in conducting business affairs.” Another way is to break down the risk areas to evaluate into the following categories: (1) Company Risk, (2) Country Risk, (3) Industry-Sector Risk, (4) Transaction Risk and (5) Third-Party Risk.
How Should You Assess Your Risks?
Risk assessments can be performed in a variety of ways. You can use some basic tools such as personal or telephone interviews of key employees; surveys and questionnaires of employees; and review of historical compliance information such as due diligence files for third parties and mergers and acquisitions, as well as internal audits of key offices. Another level might be a deeper dive into high-risk countries, high-risk business areas, and a more detailed review of your third-party representatives.
How Do You Evaluate a Risk Assessment?
Once risks are identified, they are rated according to their significance and likelihood of occurring, and then plotted on a heat map to determine their priority. The most significant risks with the greatest likelihood of occurring are deemed the priority risks, which become the focus of the audit/monitoring plan. You should prepare a risk matrix detailing the specific risks identified, their relative remediation requirements, and the relevant mitigating controls.