I continue my exploration of risk in compliance by focusing today on risk assessments. However, before we get there, I wanted to pay tribute to one of the most well-known characters from television, Della Street, who was played by Barbara Hale, who died last week. She will forever be remembered for her role as Perry Mason’s loyal secretary. My memories of Della Street are that she was always there, always prepared and always professional.
According to her obituary in the New York Times (NYT) “The show ran from 1957 to 1966, with Della — Ms. Hale in classic businesslike fashions and her trademark short, dark hair — as a steadying and infinitely reliable presence, if not a constant one. “Della wasn’t really a very big role,” Ms. Hale told the New Jersey newspaper The Record in 1986. “I had six days, six lines and six wardrobe changes a show. When I changed clothes, it signified another day had gone by in the script.” It was important enough, however, for Ms. Hale to receive the Emmy Award for best supporting actress in a dramatic series in 1959. In 1985 she and Burr were reunited for a television movie, “Perry Mason Returns,” which won such high ratings that it led to 29 more TV movies starring the same characters.”
Hale’s role may have been minor but it was certainly central to the show’s success. Her role stands in contrast to today’s topic – risk assessment. One cannot really say enough about the role of risk assessment in compliance. Each time you hear a regulator talk about compliance programs, it starts along the lines of: you cannot manage your Foreign Corrupt Practices Act (FCPA) risk without first determining what that risk is, and that process comes through a risk assessment. While I have written extensively on risk assessments in the past, I want to take a different approach in this series as I continue to explore risk forecast, risk assessment and risk monitoring for the compliance profession with Ben Locwin, Director of Global R&D at BioGen and an operational strategist in pharma and healthcare.
Yesterday, we looked at forecasting. The difference between forecasting and risk assessment is that risk assessment attempts to consider things which forecasting either did not reliably predict, or those things which the forecasting models have raised as potential outcomes which could be troubling, critical themes and issues. As Locwin explained, “What you’re trying to do then is decide on how you would address these. Risk assessments will percolate to the top of the list, your risk registry. Those items which are most consequential for your organization, whatever it happens to be. Again, just like forecasting, risk assessments apply to every organization.”
Within the context of an anti-corruption compliance program, you are trying to make adjustments based on the risks of violation of the law, out in the marketplace. For instance, in a compliance forecast, third-party risk should be considered at the top of your ordinal list of risks and you should consider a multitude of factors such as the operating procedures, processes and systems and training. Of course, the execution of that process is a critical component as well.
All these things, to some degree, should appear in a risk assessment for the organization. Meaning, at the corporate level, what happens if you change products or sell into a new geographic area which is perceived to be higher risk? There should be a risk assessment node which has a component that notes these changes so that you can adapt as necessary. Locwin stated, “The risk assessment itself is designed to be able to elevate these, and if something does happen, the next step would be to take appropriate course of action to address any of those risks.”
We discussed an example which illustrates the differences between forecasting and a risk assessment, yet how the two are complementary. This winter when I began purchasing hot coffee products from Starbucks, as opposed to the cold drinks I buy during the hotter parts of the year, I discovered that baristas no longer put sleeves on coffee cups but now require you to ask for one. The second time I had to ask for a sleeve, I inquired from the barista why I had to do so. She replied that corporate had changed the policy for environmental reasons and that she could only provide a sleeve at the specific request of the customer. When I pointed out that it slowed the line down and was much less efficient in the delivery of Starbucks’ coffee, she replied, “You’re absolutely right. I hate it. Would you please email Starbucks and tell them of your dissatisfaction?”
I will let Locwin pick it up from here, “what you’ve put your finger on is the crux of the balance of forecasting versus risk assessment. They’re two very different things, but at the same time, as they weave through time, they interchange. For example, Starbucks would potentially say, “We forecast that consumers are going to be more concerned about paper use, sleeves, the economic costs to the world, of extra paper waste and things. We’re going to, in certain locations, let’s say across Texas, we’re going to pilot that we don’t give out sleeves unless they’re asked for.” In their risk assessment, which I can tell you didn’t change from that forecast, what they then should have had was a commensurate line item which said, “If consumers start to have a problem with what’s being done at these locations, our immediate contingency plan is to do the following, to strip it away immediately, full stop, so that every cup gets a sleeve, so that they’re not slowing down lines, consumers say you heard us immediately, and then the organization is back on track.
Their forecast plans something, the risk assessment should have had countermeasures to address, and instead if they didn’t have this in place, they’re going to have to wait until they start to have a Twitter feed that blows up… The risk assessment model should say, “Then we will do the following.” Really they don’t have the capability in a lot of cases to measure the effect of this and immediately course correct. It’s probably going to be a month, two months, four months before they start to get wind of this in a consistent way to say, “Texas was dissatisfied by this change and same in our pilot in Wisconsin. Let’s stop not giving out sleeves… Then eventually that starts to dissipate and they get rid of this whole new silly paradigm.”
Locwin’s point was that your risk assessment can help to inform your response to an FCPA violation, a corporate crisis or even (in my opinion) the misstep of requiring Starbucks customers to ask for sleeves for their coffee purchases. In another article by Locwin, entitled “Quality Risk Assessment and Management Strategies for Biopharmaceutical Companies”, he noted, “knowledge is power”. He went on to add, “Once we have assessed risks and determined a process that includes options to resolve and manage those risks whenever appropriate, then we can decide the level of resources with which to prioritize them. There always will be latent risks: those that we understand are there but that we cannot chase forever. But we need to make sure we’ve classified them correctly. With a good understanding of each of these, we’re in a much better position to speak about the quality of our businesses.”
This is certainly true about a risk assessment in the anti-corruption compliance space. Tomorrow we begin to consider risk-based monitoring.
Ben Locwin is a healthcare expert who is frequently featured in the popular media. He gives speeches internationally and specifically has written about the forecasting, assessment and monitoring of risk in the life sciences industry. He has also taught risk management and modeling at universities and to top Fortune 500 companies in automotive, aerospace, food & beverage, pharma, and other industries. He can be reached at ben.locwin@HealthcareScienceAdvisors.com.
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at firstname.lastname@example.org.
© Thomas R. Fox, 2017