Yesterday we considered how to perform a risk assessment. Today how do you evaluate the information you have developed. After you complete your risk assessment, you must then translate it into a risk profile, as Rick Messick has noted, to estimate where bribery is likely occur, so prevention efforts will be properly targeted. Ben Locwin explained, in “Quality Risk Assessment and Management Strategies for Biopharmaceutical Companies”, “Once we have assessed risks and determined a process that includes options to resolve and manage those risks whenever appropriate, then we can decide the level of resources with which to prioritize them. There always will be latent risks: those that we understand are there but that we cannot chase forever. But we need to make sure we have classified them correctly. With a good understanding of each of these, we are in a better position to speak about the quality of our businesses.”
William C. Athanas, in an article entitled “Rethinking FCPA Compliance Strategies in a New Era of Enforcement”, posited that companies assume that Foreign Corrupt Practices Act (FCPA) violations follow a “bell-curve distribution, where the majority of employees are responsible for the majority of violations.” However, Athanas believed that the distribution pattern more closely follows a “hockey-stick distribution, where a select few…commit virtually all violations.” Athanas concludes by noting that is this limited group of employees, or what he terms the “shaft of the hockey-stick”, to which a company should devote the majority of its compliance resources. With a proper risk assessment, a company can then focus its compliance efforts such as “intensive training sessions or focused analysis of key financial transactions — on those individuals with the opportunity and potential inclination to violate the statute.” This focus will provide companies the greatest “financial value and practical worth of compliance efforts.”
David Lawler, in “Frequently Asked Questions in Anti-Bribery and Corruption”, suggested that you combine the scores or analysis you obtained from the corruption markers you review; whether it is the Department of Justice (DOJ) list or those markers under the UK Bribery Act. From there, create a “rudimentary risk-scoring system that ranks the things to review using risk indicators of potential bribery. This ensures that high-risk exposures are done first and/or given more time. As with all populations of this type, there is likely to be a normal or ‘bell curve’ distribution of risks around the mean. So 10-15% of exposure falls into the relative low-risk category; the vast majority 70-80% into the moderate-risk category; and the final 10-15% would be high risk.”
In an article entitled “Improving Risk Assessments and Audit Operations” author Tammy Whitehouse focused on how one company, Timken Co., created a risk matrix to evaluate risks determined by the company’s risk assessment. Once risks are identified, they are then rated according to their significance and likelihood of occurring, and then plotted on a heat map to determine their priority. The most significant risks with the greatest likelihood of occurring are deemed the priority risks, which become the focus of the audit monitoring plan. A variety of solutions and tools can be used to manage these risks going forward but the key step is to evaluate and rate these risks.
|Likelihood Rating||Assessment||Evaluation Criteria|
|1||Almost Certain||High likely, this event is expected to occur|
|2||Likely||Strong possibility that an event will occur and there is sufficient historical incidence to support it|
|3||Possible||Event may occur at some point, typically there is a history to support it|
|4||Unlikely||Not expected but there’s a slight possibility that it may occur|
|5||Rare||Highly unlikely, but may occur in unique circumstances|
‘Likelihood’ factors to consider: The existence of controls, written policies and procedures designed to mitigate risk capable of leadership to recognize and prevent a compliance breakdown; Compliance failures or near misses; Training and awareness programs.
|Priority Rating||Assessment||Evaluation Criteria|
|1-2||Severe||Immediate action is required to address the risk, in addition to inclusion in training and education and audit and monitoring plans|
|3-4||High||Should be proactively monitored and mitigated through inclusion in training and education and audit and monitoring plans|
|Risks at this level should be monitored but do not necessarily pose any serious threat to the organization at the present time.|
Priority Rating: Product of ‘likelihood’ and significance ratings reflects the significance of particular risk universe. It is not a measure of compliance effectiveness or to compare efforts, controls or programs against peer groups.
At Timken, the most significant risks with the greatest likelihood of occurring are deemed to be the priority risks. These “Severe” risks become the focus of the audit monitoring plan going forward. A variety of tools can be used to continuously monitoring risk going forward. However, you should not forget the human factor. At Timken, one of the methods used by the compliance group to manage such risk is by providing employees with substantive training to guard against the most significant risks coming to pass and to keep the key messages fresh and top of mind. The company also produces a risk control summary that succinctly documents the nature of the risk and the actions taken to mitigate it.
The key to the Timken approach is the action steps prescribed by their analysis. This is another way of saying that the risk assessment informs the compliance program, not vice versa. This is the approach set forth by the DOJ from the 2012 FCPA Guidance, through the Evaluation of Corporate Compliance Programs (Evaluation), up to the FCPA Corporate Enforcement Policy (Policy). I believe that the DOJ wants to see a reasoned approach with regards to the actions a company takes in the compliance arena. The model set forth by Timken certainly is a reasoned approach and can provide the articulation needed to explain which steps were taken.
After you complete your risk assessment, you must then translate it into a risk profile.Click to tweet
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at firstname.lastname@example.org.
© Thomas R. Fox, 2018