Excerpted from a June 19, 2019 article by Megan Zwiebel in Anti-Corruption Report
In the first of a series of articles concerning corporate compliance and risk assessment programs, Anti-Corruption Report focused on the Department of Justice’s new guidance on risk assessments and the various types of assessments companies could undertake.
Pierce Atwood litigation partner Kathleen Hamann, an internationally recognized authority in the field of white collar enforcement and compliance matters, shared her insights in several areas of risk assessment including:
- Compliance Risk Assessments
  - In periodically examining its risk within a compliance program, a company should “look at its compliance program and internal controls holistically to see where its risks are, whether there are gaps in policies and procedures, whether there are issues, and whether resources are being used appropriately.”
  - The process can also include “looking at whether new technologies have emerged that would allow a company to address a risk more efficiently.”
  - “A periodic risk assessment takes the broadest view of risk and its goal can be to provide decision makers with insights about how policies and procedures might need to be updated and resources could be reallocated.”
  - Kate notes the importance of speaking to internal and external sources. “A periodic risk assessment should involve speaking to the salespeople on the ground to understand the challenges they face and to the finance folks about what anomalies are showing up.”
- Targeted Risk Assessments
  - Sometimes it’s preferable for companies to more closely target their assessment of compliance risks.
  - Kate suggests, “No matter the type of risk assessment, the elements are the same on both a micro and macro level. However, the control and level of input the risk assessor has can vary significantly.”
- Strategic Risk Assessments
  - When do strategic risk assessments come into play? Kate tells us that a strategic risk assessment is performed “when there is a change in the business environment that requires a specific, targeted review. For example, if a company shifted its business strategy to focus on emerging markets, it would make sense to look specifically at the risks in the new markets for the company’s particular industry.”
  - Kate adds, “The challenge here is for compliance personnel to know when new strategic directions are being considered and be invited into the process.”
  - Kate notes that those responsible for compliance need to have “direct access to the board” in order to gain insight into strategic decisions.
  - “If the compliance officer is a low-level person in a field office and has no idea what is going on in the rest of the company, she cannot give strategic advice and won’t even know that such advice is warranted.”
- Transactional Risk Assessments
  - According to Kate, companies “assess risk every day as a regular part of their compliance program” when they look at risk “on a transaction-by-transaction basis.”
  - As an example, Kate described a company doing due diligence on a third party as an assessment of the risks of doing business with that entity.
  - When a company is asked to make a charitable donation, for instance, the company needs to assess whether a donation request could be a cover for a bribe. “Most of the questions a compliance person answers are about assessing the risk of whether a transaction is misconduct in disguise.”
  - These small assessments may be performed entirely by the compliance department without the involvement of outside consultants, depending on a company’s internal policies and procedures. For smaller assessments about individual donations or hospitality expenses, “the whole process might go on in the head of a single compliance officer in five minutes. Compliance is not a world of absolutes and there is no perfect compliance program so each compliance recommendation is a risk assessment on a micro-level.”
The complete article can be found in the June 19, 2019 issue of Anti-Corruption Report.