Both the Justice Department and the Securities and Exchange Commission make clear the need for a risk assessment to inform your compliance program. I believe that most, if not all CCOs and compliance practitioners understand this well-articulated need. The 2012 FCPA Guidance could not have been clearer when it stated, “Assessment of risk is fundamental to developing a strong compliance program, and is another factor DoJ and SEC evaluate when assessing a company’s compliance program.” While many compliance practitioners have difficulty getting their collective arms around what is required for a risk assessment and then how precisely to use it, the FCPA Guidance makes clear there is no “one size fits all” for anything in an effective compliance program.
One type of risk assessment can consist of a full-blown, worldwide exercise, where teams of lawyers and fiscal consultants travel around the globe, interviewing and auditing. This can be a notoriously expense exercise. Using the 2012 FCPA Guidance’s no one size fits all” proscription, I would submit that is also true for risk assessments. You might try assessing other areas annually, through a more limited focused risk assessment, literally while staying at your desk and not traveling away from your corporate headquarters. Hence the Desktop Risk Assessment.
There are a variety of materials that you can review from or at a company that can facilitate such a Desktop Risk Assessment. You can review your company’s policies and written guidelines by reviewing anti-corruption compliance policies, guidelines, and procedures to ensure that compliance programs are tailored to address specific risks such as gifts, hospitality and entertainment, travel, political and charitable donations, and promotional activities. My suggestion is that you try identifying and focusing on core compliance components in your organization. You cannot fix everything, however, so you must make a decision about your primacies, and then act on them. A Desktop Risk Assessment may well help you to do so.
If you perform an annual Desktop Risk Assessment with a full worldwide risk assessment every two years, you should be in a good position to keep abreast of compliance issues that may change and need more or greater risk management. Do not forget that the 2012 FCPA Guidance ends its section on risk with the following, “When assessing a company’s compliance program, DoJ and SEC take into account whether and to what degree a company analyzes and addresses the particular risks it faces.” By using the Desktop Risk Assessment, you can answer any regulator who asks what have you done to manage the risks in your company, by using the resources and tools that were available to you.