We believe that Risk Assessment is a tool, and is the one with which a company should begin to craft its Foreign Corrupt Practices Act (FCPA) or UK Bribery Act compliance program. The reason is straightforward: one cannot define, plan for, or design an effective compliance program to prevent bribery and corruption without measuring the risks one faces. Both the Principles of Federal Prosecution of Business Organization (US Sentencing Guidelines), with its section on corporate compliance programs, and the UK Bribery Act’s Consultative Guidance list Risk Assessment as the initial step in creating an effective anti-corruption and anti-bribery program. So far in 2011, the US Department of Justice (DOJ) has concluded three FCPA enforcement actions which specify some factors which a company should review when making a Risk Assessment.
The three enforcement actions, involving the companies Alcatel-Lucent, Maxwell Technologies and Tyson Foods, all had common areas that the DOJ indicated were FCPA compliance risk areas which should be evaluated for a minimum best practices FCPA compliance program. In both Alcatel-Lucent and Maxwell Technologies, the Deferred Prosecution Agreements (DPAs) listed the following seven areas of risk to be assessed.
1. Geography: where does your Company do business.
2. Interaction with types and levels of Governments.
3. Industrial Sector of Operations.
4. Involvement with Joint Ventures.
5. Licenses and Permits in Operations.
6. Degree of Government Oversight.
7. Volume and Importance of Goods and Personnel Going Through Customs and Immigration.
In the Tyson Foods DPA, this list was reduced to the following: (1) Geography, (2) Interaction with Governments, and (3) Industrial Sector of Operations. It would seem that the DOJ did not believe that Tyson Foods had the same compliance risks as Alcatel-Lucent and Maxwell Technologies because of (a) its limited internal sales market and (b) the fact that it only has 6 food processing plants outside the United States.
These factors provide guidance into some of the key areas that the DOJ apparently believes can put a company at higher FCPA risk. These factors supplement those listed in the UK Bribery Act’s Consultative Guidance, which states, “Risk Assessment – The commercial organization regularly and comprehensively assesses the nature and extent of the risks relating to bribery to which it is exposed.” The Guidance points towards several key risks which should be evaluated in this process. These risk areas include:
1. Internal Risk – this could include deficiencies in
• employee knowledge of a company’s business profile and understanding of associated bribery and corruption risks;
• employee training or skills sets; and
• the company’s compensation structure or lack of clarity in the policy on gifts, entertaining and travel expenses.
2. Country risk – this type of risk could include:
(a) perceived high levels of corruption as highlighted by corruption league tables published by reputable Non-Governmental Organizations such as Transparency International;
(b) factors such as absence of anti-bribery legislation and implementation and a perceived lack of capacity of the government, media, local business community and civil society to effectively promote transparent procurement and investment policies; and
(c) a culture which does not punish those who seek bribes or make other extortion attempts.
3. Transaction Risk – this could entail items such as transactions involving charitable or political contributions, the obtaining of licenses and permits, public procurement, high-value projects or projects with many contractors, or the involvement of intermediaries or agents.
4. Partnership risks – this risk could include those involving foreign business partners located in higher-risk jurisdictions, associations with prominent public office holders, insufficient knowledge or transparency of third party processes and controls.
Risk Assessment as ‘Best Practices’
Both the Consultative Guidance and the recent DPAs provide guidance to the FCPA compliance practitioner and include ongoing Risk Assessment as a key component of any best practices program. A well-managed organization makes an assessment of the risks it faces now and in the future and then designs appropriate risk management and control mechanisms to control such risks. However, the key point is that a Risk Assessment is absolutely mandatory and must be used as a basis for the design of an effective compliance policy, whether under the FCPA or the UK Bribery Act. If a Risk Assessment is not used, it might be well nigh impossible to argue that your compliance program meets even the basic standards of either law.
© Thomas R. Fox, 2011