We recently wrote about ongoing assessments as a key component of a best practices anti-corruption and anti-bribery program. One of our colleagues commented that such a tool is also one with which a company should begin to craft its compliance program. The simple reason is straightforward; one cannot define, plan for, or design an effective compliance program to prevent bribery and corruption unless you can measure the risks you face. Therefore this post will discuss the tool that an entity should utilize to build its anti-corruption and anti-bribery program around, the Risk Assessment.
We believe that for this reason both the Principles of Federal Prosecution of Business Organization (US Sentencing Guidelines) and its section on corporate compliance programs and the UK Bribery Act’s Consultative Guidance list Risk Assessment as the initial step in creating an effective anti-corruption and anti-bribery program. This posting will review the specifics of an effective Risk Assessment and how it will form the development, implementation and maintenance of any best practices compliance program.
US Sentencing Guidelines
The US Sentencing Guidelines state “compliance and ethics program shall be reasonably designed, implemented, and enforced so that the program is generally effective in preventing and detecting criminal conduct.” The Report of the Ad Hoc Advisory Group on the Organizational Sentencing Guidelines stated that “Each organization will need to scrutinize its operating circumstances, legal surroundings, and industry history to gain a practical understanding of the types of unlawful practices that may arise in future organizational activities.”
Writing in the most recent issue of the Society of Corporate Compliance and Ethics Magazine (SCCE) (Vol. 7 / No. 5)(Oct. 2010), Russ Berland suggested that a compliance risk assessment (1) catalogues the legal and compliance requirements facing the company; (2) uses information gathering tools such as interviews, surveys, benchmarking and document review to determine the company’s risks of failing to comply with legal and regulatory requirements; and (3) analyzes those risks to prioritize them according to likelihood, impact, and velocity.
Properly utilized, a Risk Assessment will identify risks/gaps and monitor/review performance against ongoing business requirement and compliance best practices. Such an assessment can also be used to guide a company on how to mitigate the most significant risks through implementation of a best practices compliance program and to make an organization’s effort less “reactive” and more “proactive”.
UK Bribery Act
Principle 1 of the UK Bribery Act’s Consultative Guidance states, “Risk Assessment-The commercial organisation regularly and comprehensively assesses the nature and extent of the risks relating to bribery to which it is exposed.” The Guidance points towards several key risks which should be evaluated in this process. These risk areas include:
1. Internal Risk – this could include deficiencies in
• employee knowledge of a company’s business profile and understanding of associated bribery and corruption risks;
• employee training or skills sets; and
• the company’s compensation structure or lack of clarity in the policy on gifts, entertaining and travel expenses.
2. Country Risk – this type of risk could include: (a) perceived high levels of corruption as highlighted by corruption league tables published by reputable Non-Governmental Organizations such as Transparency International; (b) factors such as absence of anti-bribery legislation and implementation and a perceived lack of capacity of the government, media, local business community and civil society to effectively promote transparent procurement and investment policies; and (c) a culture which does not punish those who seeks bribes or make other extortion attempts.
3. Transaction Risk – this could entail items such as transactions involving charitable or political contributions, the obtaining of licenses and permits, public procurement, high value or projects with many contractors or involvement of intermediaries or agents.
4. Partnership risks – this risk could include those involving foreign business partners located in higher-risk jurisdictions, associations with prominent public office holders, insufficient knowledge or transparency of third party processes and controls.
Risk Assessment as ‘Best Practices’
Both cornerstones of guidance available to the Foreign Corrupt Practices Act (FCPA) compliance practitioner include ongoing Risk Assessment as a key component of any best practices program. The text of each document and the remarks by commentators make clear the reasons for such an ongoing assessment. Not only do best practices evolve but companies and business evolve. A well-managed organization makes an assessment of the risks it faces now and in the future and then designs appropriate risk management and control mechanisms to control such risks.
Attention should also be paid to who and how the assessment is conducted. Berland, in his article cited above, has noted that unless the Risk Assessment is protected by some form of privilege, such as the attorney-client privilege or attorney work-product privilege, the Risk Assessment “May be disclosed outside the company in the event of criminal investigation or private litigation.” However, the key point is that a Risk Assessment is absolutely mandatory and must be used as a basis for design of an effective compliance policy, whether under the FCPA or the UK Bribery Act. If a Risk Assessment is not used, it might be well nigh impossible to argue that your compliance program meets even the basic standards of either law.
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at firstname.lastname@example.org.
© Thomas R. Fox, 2010