One cannot really say enough about risk assessments in the context of anti-corruption programs. Since at least 1999 the DOJ has said that risk assessments that measure the likelihood and severity of possible Foreign Corrupt Practices Act (FCPA) violations identifies how you should direct your resources to manage these risks. The FCPA Guidance stated it succinctly when it said, “Assessment of risk is fundamental to developing a strong compliance program, and is another factor DOJ and SEC evaluate when assessing a company’s compliance program.” The simple reason is straightforward; one cannot define, plan for, or design an effective compliance program to prevent bribery and corruption unless you can measure the risks you face.
What risks should you assess? The FCPA Guidance states, “Factors to consider, for instance, include risks presented by: the country and industry sector, the business opportunity, potential business partners, level of involvement with governments, amount of government regulation and oversight, and exposure to customs and immigration in conducting business affairs.”
These factors provide guidance into some of the key areas that the DOJ apparently believes can put a company at higher FCPA risk. One approach to putting these amorphous guidelines into place was detailed by David Lawler, in his book “Frequently Asked Questions in Anti-Bribery and Corruption”. He broke the risk areas to evaluate down into the following categories: (1) Company Risk, (2) Country Risk, (3) Sector Risk, (4) Transaction Risk and (5) Business Partnership Risk.
- Company Risk – High risk companies involve some of the following characteristics:
- Private companies with a close shareholder group;
- Large, diverse and complex groups with a decentralized management structure;
- An autocratic top management;
- A previous history of compliance issues; and/or
- Poor marketplace perception.
- Country Risk – this area involves countries, which have a high reported level or perception of corruption, have failed to enact effective anti-corruption legislation and have a failure to be transparent in procurement and investment policies. Obviously the most recent, Transparency International Corruption Perceptions Index can be a good starting point. Other indices you might consider are the Worldwide Governance Indicators and the Global Integrity index.
- Sector Risk – these involve areas that require a significant amount of government licensing or permitting to do business in a country. It includes the usual suspects of:
- Extractive industries;
- Oil and gas services;
- Large scale infrastructure areas;
- Pharmaceutical, medical device and health care; and/or
- Financial services.
- Transaction Risk – this risk takes a look at the financial aspects of a payment or deal. This means that it is necessary to think not only about where your money is ending up but what is the source of the funding. Indicia of transaction risk include:
- High reward projects;
- Involve many contractor or other third party intermediaries; and/or
- Do not appear to have a clear legitimate object.
- Business Partnership Risk – this prong recognizes that certain manners of doing business present more corruption risk than others. It may include:
- Use of third party representatives in transactions with foreign government officials;
- A number of consortium partners or joint ventures partners; and/or
- Relationships with politically exposed persons (PEPs).
There are a number of ways you can slice and dice your basic inquiry. As with almost all FCPA compliance, it is important that your protocol be well thought out. If you use one, some or all of the above as your basic inquiries into your risk analysis, it should be acceptable for your starting point.
How Should You Assess Your Risks?
One of the questions that I hear most often is how does one actually perform a risk assessment? Mike Volkov has suggested a couple of different approaches in his article “Practical Suggestions for Conducting Risk Assessments.” Here Volkov differentiates between smaller companies which might use some basic tools such as “personal or telephone interviews of key employees; surveys and questionnaires of employees; and review of historical compliance information such as due diligence files for third parties and mergers and acquisitions, as well as internal audits of key offices” from larger companies. Such larger companies may use these basic techniques but may also include a deeper dive into high risk countries or high risk business areas. If your company’s sales model uses third party representatives, you may also wish to visit with those parties or persons to help evaluate their risks for bribery and corruption that might well be attributed to your company.
It is suggested that you combine the scores or analysis you obtain from the corruption markers you review; whether it is the DOJ list or those markers under the UK Bribery Act, and from there create a “rudimentary risk-scoring system that ranks the things to review using risk indicators of potential bribery.” This ensures that high-risk exposures are done first and/or given more time. As with all populations of this type, there is likely to be a normal or ‘bell curve’ distribution of risks around the mean. So 10-15% of exposure falls into the relative low-risk category; the vast majority (70-80%) into the moderate-risk category; and the final 10-15% would be high risk.
How do You Evaluate a Risk Assessment?
Volkov has advised that you should prepare a risk matrix detailing the specific risks you have identified and relevant mitigating controls. From this you can create a new control or prepare an enhanced control to remediate the gap between specific risk and control. Finally, through this risk matrix you should be able to assess relative remediation requirements. One way to do so was explored by Tammy Whitehouse, in an article entitled “Improving Risk Assessments and Audit Operations”, in which she looked at the risk evaluation process used by Timken Company (Timken).
Once risks are identified, they are then rated according to their significance and likelihood of occurring, and then plotted on a heat map to determine their priority. The most significant risks with the greatest likelihood of occurring are deemed the priority risks, which become the focus of the audit/monitoring plan. A variety of solutions and tools can be used to manage these risks going forward but the key step is to evaluate and rate these risks.
The ‘Likelihood’ factors to consider include: the existence of internal controls, written policies and procedures designed to mitigate risk; leadership capable to recognize and prevent a compliance breakdown; compliance failures or near misses; and training and awareness programs. The Priority Rating factors are the product of ‘likelihood’ and significance ratings reflects the significance of particular risk universe. It is not a measure of compliance effectiveness or to compare efforts, controls or programs against peer groups.
The most significant risks with the greatest likelihood of occurring are deemed to be the priority risks. These “Severe” risks become the focus of the audit-monitoring plan going forward. A variety of tools can be used, such as continuous controls monitoring with tools like those provided by the Red Flag Group (RFG), relationship-analysis based software or other analytical based tools. But you should not forget the human factor. This means not only training but ongoing communication with employees to guard against the most significant risks coming to pass and to keep the key messages fresh and on top of the mind. RFG also produces a risk control summary that succinctly documents the nature of the risk and the actions taken to mitigate it.
The keys to this approach are the action steps prescribed by their analysis. This is another way of saying that the risk assessment informs the compliance program, not vice versa. This is the method set forth by the DOJ in its FCPA Guidance and in the UK Bribery Act’s Adequate Procedures. The DOJ has made clear that it wants to see a reasoned approach with regards to the actions a company takes in the compliance arena. The model described is a reasoned approach and can provide the articulation needed to explain which steps were taken.
For more information on this Hallmark, check out my book Doing Compliance: Design, Create and Implement an Effective Anti-Corruption Compliance Program, which is available through Compliance Week by clicking here.
To listen to my podcast on this Hallmark, click here.
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at firstname.lastname@example.org.
© Thomas R. Fox, 2016