On this date in October 1971, Duane Allman died. He was the co-founder, along with his brother Greg, of the Allman Brothers Band. For my money he was one of the greatest guitarists of all time. At the time of his death, the Allman Brothers had released their debut album, simply entitled The Allman Brothers, and a second studio album Idlewild South. They had also released arguably one of the top live albums of all-time, The Allman Brothers at the Fillmore East. And they had most of their next album recorded, Eat A Peach, which became their biggest seller in the can at the time of Duane’s death.
Allman had also traded guitar licks with Eric Clapton, when he joined Clapton’s band and played on Layla and Other Love Songs earlier in 1971. Music producer Tom Dowd said in his work Tom Dowd and the Language of Music that “The two hit it off well and soon became good friends. There had to be some sort of telepathy going on because I’ve never seen spontaneous inspiration happen at that rate and level. One of them would play something, and the other reacted instantaneously. Never once did either of them have to say, ‘Could you play that again, please?’ It was like two hands in a glove. And they got tremendously off on playing with each other.” Duane Allman wrote the famous five-bar opening guitar riff for the song.
Just as one cannot say enough about how great the song Layla is or how much it influenced rock and roll, going forward one cannot really say enough about risk assessments in the context of anti-corruption programs. Since at least 1999, in the Metcalf & Eddy enforcement action, the Department of Justice (DOJ) said that risk assessments which measure the likelihood and severity of possible Foreign Corrupt Practices Act (FCPA) violations is the manner in which you should direct your resources to manage these risks. The FCPA Guidance stated it succinctly when it said, “Assessment of risk is fundamental to developing a strong compliance program, and is another factor DOJ and SEC [Securities and Exchange Commission] evaluate when assessing a company’s compliance program.” The UK has a similar view. In Principal I of the Six Principals of an Adequate Compliance program, it stated, “The commercial organisation regularly and comprehensively assesses the nature and extent of the risks relating to bribery to which it is exposed.” In other words, risk assessments have been around and even mandated for a long time and their use has not lessened in importance. The British have a way with words, even when discussing compliance when Principal I of the Six Principals of an Adequate Compliance program said that your risk assessment should inform your compliance program.
Jonathan Marks, in his 13-step FCPA Compliance Action Plan, says the following about risk assessments, “A comprehensive assessment of the potential bribery and corruption risks – both existing and emerging risks – associated with a company’s products and services, customers, third-party business partners, and geographic locations can serve as the basis for the compliance program. The risk assessment determines the areas at greatest risk for FCPA violations among all types of international business transactions and operations, the business culture of each country in which these activities occur, and the integrity and reputation of third parties engaged on behalf of the company.”
The simple reason is straightforward; one cannot define, plan for, or design an effective compliance program to prevent bribery and corruption unless you can measure the risks you face. Both the both the US Sentencing Guidelines, the UK Bribery Act’s Consultative Guidance list Risk Assessment as the initial step in creating an effective anti-corruption and anti-bribery program.
One of the questions that I hear most often is how does one actually perform a risk assessment? Mike Volkov has suggested a couple of different approaches in his article “Practical Suggestions for Conducting Risk Assessments.” In it Volkov differentiates between smaller companies which might use some basic tools such as “personal or telephone interviews of key employees; surveys and questionnaires of employees; and review of historical compliance information such as due diligence files for third parties and mergers and acquisitions, as well as internal audits of key offices” from larger companies. Such larger companies may use these basic techniques but may also include a deeper dive into high-risk countries or high-risk business areas. If your company’s sales model uses third party representatives, you may also wish to visit with those parties or persons to help evaluate their risks for bribery and corruption that might well be attributed to your company.
Another noted compliance practitioner, William Athanas, in an article entitled “Rethinking FCPA Compliance Strategies in a New Era of Enforcement”, took a different look at risk assessments when he posited that companies assume that FCPA violations follow a “bell-curve distribution, where the majority of employees are responsible for the majority of violations.” However, Athanas believed that the distribution pattern more closely follows a “hockey-stick distribution, where a select few…commit virtually all violations.” Those individuals with the opportunity to interact with foreign officials have the greatest chance to commit FCPA violations. Diving down from that group, certain individuals also possess the necessary inclination, whether a personal financial incentive linked to the transaction or the inability to recognize the significant risks attendant, to bribery.
To assess these risks, Athanas suggested an initial determination of the touch-points where the operations of manufacturing companies “intersect with foreign officials vested with discretionary authority.” This will lead to an understanding of the individuals who hold these roles within a company. This means that a simple geographic analysis is but a first step in a risk analysis. Thereafter companies should also focus on “those who authorize and record disbursements, as well as those who represent the company in situations where they may be solicited for payments.” The next step is to determine those company employees who may have the incentive “to pay bribes on the Company’s behalf.” This incentive can come from a variety of forms; such as a company compensation plan, which rewards high producer; employees who do not understand the risk they place the company (and themselves) in by engaging in tactics which violate the FCPA; and finally those employees who seek to place their individual interests above those of the company.
Athanas concludes by noting that this is a limited group of employees, or what he terms the “shaft of the hockey-stick” to which a company should devote the majority of its compliance resources. With a proper risk assessment, a company can then focus its compliance efforts such as “intensive training sessions or focused analysis of key financial transactions — on those individuals with the opportunity and potential inclination to violate the statute.” This focus will provide companies the greatest “financial value and practical worth of compliance efforts.”
David Lawler, in his book “Frequently Asked Questions in Anti-Bribery and Corruption”, suggested that you combine the scores or analysis you obtained from the corruption markers you review; whether it is the DOJ list or those markers under the UK Bribery Act. From there, create a “rudimentary risk-scoring system that ranks the things to review using risk indicators of potential bribery. This ensures that high-risk exposures are done first and/or given more time. As with all populations of this type, there is likely to be a normal, or ‘bell-curve’, distribution of risks around the mean. So 10-15% of exposure falls into the relative low-risk category; the vast majority (70-80%) into the moderate-risk category; and the final 10-15% would be high-risk.
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at firstname.lastname@example.org.
© Thomas R. Fox, 2015