I often write about risk, risk management and the strategic use of risk by an organization. If you are not managing risk from a compliance perspective, in many ways you are simply flying blind. Think about that in the context of international business: if you do not manage your Foreign Corrupt Practices Act (FCPA) risk from the compliance perspective, in addition to potentially stumbling into a violation, you do not have a proper business perspective. If you can assess your risk, you can work out a range and likelihood of possible outcomes which you can then plan for and manage if they occur. This is the job of a risk analyst.

One of the things that struck me is that a Chief Compliance Officer (CCO) or compliance practitioner falls into this category when it comes to compliance risk. Yet properly considering such risk is in reality a business risk. This means a CCO or compliance practitioner might need to rethink how they think about risk. Adapting an Inc. Tip Sheet Data Science article, entitled ‘Into the Unknown’, I have put together some considerations which may be helpful to do so.

A CCO should consider using risk analysis more expansively. This might mean that, rather than simply trying to mitigate FCPA or compliance risks, your goal should be to understand the patterns of behavior which might lead an employee, or more probably a group of employees, to engage in bribery and corruption and then try to hide it from the company. David Klein, the Chief Executive Officer (CEO) of CommonBond, Inc., noted, “At the core, the role is all about data and models and finding insights. But you can apply that to anything that would benefit from predictive power.” That sounds like a pretty good description of a risk management process, and in an FCPA compliance program it would include an FCPA risk assessment.

One of the things I have observed practicing in Houston TX, the Energy Capital and FCPA Enforcement Epicenter of the World, is the maturity in compliance programs, coupled with a large talent pool of compliance practitioners. As compliance professionals get out of their lawyer training hats, they become more business savvy allowing a more robust compliance program, which goes beyond simple policies and procedures. Such mature compliance professionals understand that compliance is a business process. With that key insight, improvement in business process can make for a more efficient and more profitable company. There is a reason that Ethisphere’s World’s Most Ethical companies beat the Standard & Poor’s (S&P) average. Having robust compliance makes them better run.

Now take that concept of increased profitability and apply it to how a company can use a robust risk analysis program as a business differentiator. Investors and shareholders want companies to institutionalize how they think about, assess and manage risk. This means if you have a robust risk management process it will make you more attractive for investors, business venture partners and even with customers.

What are the patterns you can discern from a risk assessment? Patrick Taylor, the CEO of Oversight Systems, Inc., has described the process of using big data for risk analysis as “looking for patterns in raked leaves.” If a CCO has access to and can consider a wider variety of factors, using their own company data, they can have a more robust risk management process. This can be applied to areas as varied as anti-corruption compliance to supply chain to anti-money laundering (AML) to cybersecurity.

One area not generally considered in an anti-corruption risk assessment is political risk. However, with the internationalization of anti-corruption investigation and enforcement that calculus may need to change. This week, an Italian court announced prosecutors could move forward in a criminal trial against Royal Dutch Shell plc and Italian energy giant Eni S.p.A. For Eni, it also included individual criminal charges against both the current and immediate past chief executive. This is by far the highest profile international corruption trial in Italy. Sweden is already pursuing criminal charges against the former CEO of Telia Company for his role in the bribery into Uzbekistan. These two prosecutions should give pause to every executive who might be subject to the Italian courts. Moreover, it might also move other jurisdictions to consider individual prosecutions.

Finally, Matt Kelly has been on the forefront of discussing the intersection of CCOs/compliance professionals and cybersecurity since at least 2014. It now seems like the rest of us have caught up with him. CCOs and compliance professionals will be required to lead the efforts to create best practices compliance programs for cybersecurity, sooner rather than later. The risk could range from theft of email to embarrass your organization, to stopping your organization from doing business due to being overwhelmed by a denial of service attack, to data and personal information theft. In the area of cybersecurity compliance, many CCOs will have to get a lot smarter, very quickly.

One of the key insights about compliance and compliance practitioners is that the profession is evolving. But this should not come as a surprise, as businesses are evolving as well. Moving compliance into the fabric of an organization through operationalization will require nimble, agile and dynamic compliance practitioners. No area could be a better illustration than risk management strategy, including assessing a wide variety of risks.


This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2017