Excerpted from a January 22, 2020 article by Megan Zwiebel in Anti-Corruption Report
In part four of a series of articles concerning risk assessment programs, Anti-Corruption Report focused on what companies should do once a risk assessment is complete, and the strategies for avoiding pitfalls during the process.
Drafting a Report
According to firm partner Kathleen Hamann, an internationally recognized authority in the field of white collar enforcement and compliance matters, “at the end of a risk assessment it makes sense to put together a report that lays out where there have been notable changes from the previous risk profile and what new gaps have been identified. That report should take the information gathered internally and put it ‘into external context.’”
The form of the report, however, can vary. Kate recommends “creating a heat map (a visual that shows various risks with color-coding) that shows visually where a company’s risks lie. These can oversimplify risks but the visual often sticks with people better than a memo.”
Developing an Action Plan
The completed risk assessment is not the end of the process, rather it’s a “jumping off point” for making “informed decisions” on how to mitigate the risks that have been identified. “A periodic risk assessment that just explains a company’s risk and does not propose any action items does no good,” Kate warned. She added, “The action plan should include not just actions that should be taken but also a proposed timeline. The list of recommendations needs to be specific and concrete.” For example, “a recommendation to ‘improve tone at the top’ is not going to do the company any good. A better recommendation would be to create a messaging plan for senior vice presidents and ensure that they are sending some form of compliance messaging no less than once per quarter.”
Kate cautioned, “The worst thing a company can do in the context of a risk assessment is create a list of recommendations and then not follow through. Execution of a remediation plan can vary,” she explained. “In some companies, the general counsel can take ownership because everyone is terrified of the general counsel, while in other companies, the CEO needs to take control. It might also make sense for the department heads and not the C-suite to take ownership, because the C-suite doesn’t get deep enough into the weeds to fix the problems.” Kate added, “The next time a company undertakes a periodic risk assessment, the first thing to look at his how the company did on implementing the recommendations last time.”
Three Strategies to Avoid Pitfalls
1. Look in the Right Places
The first major pitfalls is looking for risks in the wrong places. Kate warns that companies should be wary of using “generic external measurements such as Transparency International’s Corruption Perception Index without thinking critically about what they mean for the company’s specific industry and business model.”
2. Listen to the Business but Verify
Risk assessors should listen to the business people, but Kate cautions that “it is also a mistake to take answers entirely at face value. Nobody wants to assume the worst of their colleagues, but to a certain degree, compliance officers are paid to be paranoid.
If the sales department says everything is fine, there is a problem – sales is never fine. If the GM of China says that everything is good then someone has to have a long chat with the GM of China. I’ve had companies say that they have no whistleblower complaints because their compliance department was so good, but it turned out that no one knew the phone number for the hotline. It’s critical to kick the tires and dig behind what people say initially.”
Kate also suggested that the need to challenge responses from people in the business is an argument in favor of working with outside counsel, because “it avoids people in the compliance department having to confront colleagues directly and damage their working relationship unnecessarily.”
3. Be Brave about what an Assessment Uncovers
Kate warned, “A company should be wary of focusing so narrowly on the risks being assessed that it ignores red flags that arise in other areas.”
The complete article on wrapping up a risk assessment and avoiding pitfalls can be found in the January 22, 2020 issue of Anti-Corruption Report.