Talk about risk. With pitchers and catchers reporting in just over two weeks, the mind of the Compliance Evangelist is turning towards the upcoming baseball season and the reigning World Series Champions, the Houston Astros. Will the Astros repeat? I for one will certainly be interested in that question. Today we honor another baseball milestone, as it was on this day in 1936 that the first Baseball Hall of Fame (HOF) class was announced. It included Ty Cobb, the most productive hitter in history; Babe Ruth, both an ace pitcher and the greatest home-run hitter to play the game; Honus Wagner, a versatile star shortstop and batting champion; Christy Mathewson, who had more wins than any pitcher in National League (NL) history; and Walter Johnson, considered one of the most powerful pitchers to ever have taken the mound. As a youngster I read a book about the first five inductees and it cemented my lifelong love of baseball and the greats going forward.

The first HOF class informs my blog post today on one of the steps to more fully operationalize your compliance program, which can take many shapes and forms. Using the entire risk management process to embed your compliance program within the contours of your organization is a key step, as it allows you to have full visibility of your compliance risks through a longer life cycle. Forecasting allows you to consider your business strategy and wed it to the risks you can foresee. Risk assessments allow you to evaluate and measure known risks. Risk-based monitoring allows you to monitor the compliance risks you know about and to detect those you do not know about on an ongoing basis.

I think there are several key lessons to be considered by any Chief Compliance Officer (CCO) or compliance practitioner. The first is the process around risk management. Most compliance practitioners understand the need for a risk assessment as it is articulated in Hallmark No. 4 of the Ten Hallmarks of an Effective Compliance Program. From the 2012 FCPA Guidance (Guidance), the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) said, “Assessment of risk is fundamental to developing a strong compliance program and is another factor DOJ and SEC evaluate when assessing a company’s compliance program.” In addition to this business case, the Guidance also specified the enforcement reasons for performing a risk assessment, “DOJ and SEC will give meaningful credit to a company that implements in good faith a comprehensive, risk-based compliance program, even if that program does not prevent an infraction in a low risk area because greater attention and resources had been devoted to a higher risk area.” The DOJ Evaluation of Corporate Compliance Programs (Evaluation) and new FCPA Corporate Enforcement Policy (Policy) build on these two underlying documents, with an assist from the 2016 FCPA Pilot Program.

Just as the DOJ’s thought process on Foreign Corrupt Practices Act (FCPA) enforcement has evolved, compliance evolves, and as corporate compliance programs become more sophisticated, compliance is seen not as simply a legal requirement but as a business process. Seen in this light, it is clear the risk management process should begin with forecasting, as it attempts to estimate future aspects of your business. Compliance professionals should be able to say, with some degree of authority, what will happen in the next three, six, twelve and twenty-four months. This can facilitate deploying resources where they think it is appropriate in order to meet these future demands.

By starting with forecasting, a compliance function utilizes risk assessment to consider issues which forecasting did not predict, or issues which the forecasting model raised as a potential outcome that warranted a deeper dive. If you are moving into a new product or sales area and are required to use third-party sales agents, a risk assessment would provide information that a company could use to ameliorate the risks. Risk-based monitoring follows on from the issues that your risk assessment identified as your highest risks. Risk-based monitoring tends to look at things on an ongoing basis, and the models that are behind the risk-based modeling are continuously refined based on incoming data.

All three of these tools tie back into process management and process improvement. There is a balance between what is actually important for your business or for proper execution and the practical aspects of the whole process. Ben Locwin stated, “If you are not measuring at a high enough resolution, then you are not capturing a lot of the environmental, market forces and external factors that probably are of high leverage to your operations in business that you simply do not know about.”

For example, if there is a one-in-three chance of a compliance failure occurring and a company knew that in advance, the executive committee will probably stop the activity before there is a compliance failure and possible legal violation. This is how the risk management process can work to fulfill the three prongs of a compliance program: prevent, detect and remediate. You are using your risk forecast and you have a contingency in place, which you execute upon. In other words, it comes down to execution. This means you have to use the risk management tools available to you and, when a situation arises, remediate when required. This is not only where the rubber hits the road; the information and data you garner in the execution phase should also be fed back into the process loop. From this, you will develop continuous feedback and continuous improvement.

I have gone through this in some detail to emphasize the business process nature that compliance has evolved into as a corporate discipline. By using these techniques, the CCO or compliance practitioner makes the business run more efficiently and at the end of the day, more profitably. The more you can bring these types of insight to a Chief Executive, the more you demonstrate how compliance adds to the bottom line and is not simply a cost center.


This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at

© Thomas R. Fox, 2018