Excerpted from an August 7, 2019 article by Megan Zwiebel in Anti-Corruption Report
In the second of a series of articles concerning corporate compliance and risk assessment programs, Anti-Corruption Report focused on how companies choose a team to perform periodic compliance risk assessments and “the techniques used to gather information.”
Pierce Atwood litigation partner Kathleen Hamann, an internationally recognized authority in the field of white collar enforcement and compliance matters, shared her insights in several areas of risk assessment including:
Working With Outside Experts
An Outside Point of View
- Hiring an outside vendor can give you a better vantage point.
- Kate explains, “An internal compliance person sees everything in the context of their company, which means they sometimes might not ask questions about certain practices because they are used to them.”
- Kate added, “Someone external to the company is in a better position to benchmark a company’s practices against what is going on at other companies and identify best practices. External attorneys, accountants or consultants keep a close eye on new processes and technologies and have a better sense of what works and what does not.”
- “Working with an external team that is knowledgeable about the industry in which a company works can be helpful in terms of scoping where the risks are for that particular industry. For example, risks in the extractive industry will often closely track the Transparency International Corruption Perception Index (CPI), but for the medical device industry, in recent years the highest risks have been in Eastern Europe.”
- Kate suggests, “When setting up a periodic risk assessment, a company should review reports that have come in through its whistleblower hotline and try to categorize them by area of risk,”
- Kate adds, “Another good place to start is by looking at questions that have come into the compliance department because they can shed light on aspects of a company’s policies and procedures with which people are struggling.”
- Some compliance consultants suggest looking at the CPI score at the location. Kate, however, cautions against doing so, since CPI scores measure the perception of corruption in a country, not the level of risk. She adds, “The CPI can be useful for looking at how perceptions of corruption have changed in a single country over time, however, a single scandal can dropkick a CPI score off the end of a pier and that might have no impact on a company’s actual risk if the scandal was in an unrelated industry.”
- Speaking with employees about the risks they face can be a useful tool in conducting a risk assessment.
- Kate says, “A risk assessment can be an entirely desktop exercise using questionnaires, emails, phone calls, and video conferences, but sometimes boots on the ground can be more revealing.”
- Include senior management in all risk assessment interviews, and conduct those interviews at the company’s headquarters and in relevant geographic locations.
- Kate suggests, “The key control functions such as finance, legal, audit and, in some cases, IT, should also be interviewed as part of a risk assessment.”
What to Ask
- Begin with open-ended questions.
- Kate suggests asking, “What have you been seeing?”, “What are your pressures?”, and a personal favorite, “From a compliance perspective, what is keeping you up at night?” She added, “At one client, I asked that question to the head of sales and he blurted out the name of a client. I followed up and it turned out there were a whole host of compliance issues with that client I would never have known about if I hadn’t asked that broad question.”
- After open-ended questions, Kate suggested specific questions including:
- Have there been any spikes in particular types of spending?
- What has the press been saying about the company and the company’s industry?
- What enforcement actions have been brought in this industry?
- Are there new schemes in the industry, perhaps that our competitors have engaged in?
- What hotline reports have there been?
- What issues has compliance seen?
- What kinds of questions are being sent to compliance? Is there a pattern?
- Have there been any internal investigations?
Finally, Kate suggests that interviewers also ask employees if they “want more help or feel that they are not getting the help they need” to show that the compliance team is looking at the full picture and they are paying attention.
The complete article can be found in the August 7, 2019 issue of Anti-Corruption Report.