One cannot really say enough about risk assessments in the context of an anti-corruption program. Since at least 1999, in the Metcalf & Eddy enforcement action, the Department of Justice (DOJ) has said that a risk assessment, which measures the likelihood and severity of possible Foreign Corrupt Practices Act (FCPA) violations, shows the manner in which you should direct your resources to manage these risks. The 2012 FCPA Guidance (Guidance) stated it succinctly when it said, “Assessment of risk is fundamental to developing a strong compliance program, and is another factor DOJ and SEC evaluate when assessing a company’s compliance program.” Over the next two blog posts, I will consider how to perform a risk assessment then how to evaluate it.
This language was supplemented in 2017 in both the Evaluation of Corporate Compliance Programs (Evaluation) and the new FCPA Corporate Enforcement Policy (Policy). Under Prong 4 of the Evaluation, Risk Assessments, the following issues were raised: Risk Management Process – What methodology has the company used to identify, analyze, and address the particular risks it faced? Manifested Risks – How has the company’s risk assessment process accounted for manifested risks? The Policy states, “The effectiveness of the company’s risk assessment and the manner in which the company’s compliance program has been tailored based on that risk assessment”.
The risk assessment determines the areas at greatest risk for FCPA violations among all types of international business transactions and operations, the business culture of each country in which these activities occur, and the integrity and reputation of third parties engaged on behalf of the company. The simple reason is straightforward; one cannot define, plan for, or design an effective compliance program to prevent bribery and corruption unless you can measure the risks you face.
Rick Messick laid out the four steps of a risk assessment as follows: “First, all conceivable forms of corruption to which the organization, the activity, the sector, or the project might be exposed is catalogued. Second, an estimate of how likely it is that each of the possible forms of corruption will occur is prepared and third an estimate of the harm that will result if each occurs is developed. The fourth step combines the chances of occurrence with the probability of its impact to produce a list of risks by priority.”
What Should You Assess?
In 2011, the DOJ concluded three FCPA enforcement actions which specified factors which a company should review when making a Risk Assessment. The three enforcement actions, involving the companies Alcatel-Lucent, Maxwell Technologies and Tyson Foods all had common areas that the DOJ indicated were compliance risk areas which should be evaluated for a minimum best practices compliance program. In both Alcatel-Lucent and Maxwell Technologies, the Deferred Prosecution Agreements (DPAs) listed the seven following areas of risk to be assessed, which are still relevant today:
- Geography – where does your Company do business.
- Interaction with types and levels of Governments.
- Industrial Sector of Operations.
- Involvement with Joint Ventures.
- Licenses and Permits in Operations.
- Degree of Government Oversight.
- Volume and Importance of Goods and Personnel Going Through Customs and Immigration.
All of these factors were reiterated in the Guidance which stated, “Factors to consider, for instance, include risks presented by: the country and industry sector, the business opportunity, potential business partners, level of involvement with governments, amount of government regulation and oversight, and exposure to customs and immigration in conducting business affairs.”
These factors provide guidance into some of the key areas that the DOJ believed can put a company at higher corruption risk. These factors supplement those listed in the now withdrawn UK Bribery Act Consultative Guidance which stated, “Risk Assessment – The commercial organization regularly and comprehensively assesses the nature and extent of the risks relating to bribery to which it is exposed.” The UK Bribery Act Consultative Guidance pointed towards several key risks which should be evaluated in this process. These risk areas included:
- Internal Risk – this could include deficiencies in
- employee knowledge of a company’s business profile and understanding of associated bribery and corruption risks;
- employee training or skills sets; and
- the company’s compensation structure or lack of clarity in the policy on gifts, entertaining and travel expenses.
- Country risk – this type of risk could include:
- perceived high levels of corruption as highlighted by corruption league tables published by reputable Non-Governmental Organizations such as Transparency International;
- factors such as absence of anti-bribery legislation and implementation and a perceived lack of capacity of the government, media, local business community and civil society to effectively promote transparent procurement and investment policies; and
- a culture which does not punish those who seeks bribes or make other extortion attempts.
- Transaction Risk – this could entail items such as transactions involving charitable or political contributions, the obtaining of licenses and permits, public procurement, high value or projects with many contractors or involvement of intermediaries or agents.
- Partnership risks – this risk could include those involving foreign business partners located in higher-risk jurisdictions, associations with prominent public office holders, insufficient knowledge or transparency of third party processes and controls.
Another approach was detailed by David Lawler, in his book “Frequently Asked Questions in Anti-Bribery and Corruption”. He broke the risk areas to evaluate down into the following categories: (1) Company Risk, (2) Country Risk, (3) Sector Risk, (4) Transaction Risk and (5) Business Partnership Risk. He further detailed these categories as follows:
- Company Risk – Lawyer believes this is only “likely to be relevant when assessing a number of different companies – either when managing a portfolio of companies from the perspective of a head office of a conglomerate or private equity house.” High risk companies involve, some of the following characteristics:
- Private companies with a close shareholder group;
- Large, diverse and complex groups with a decentralized management structure;
- An autocratic top management;
- A previous history of compliance issues; and/or
- Poor marketplace perception.
- Country Risk – this area involves countries which have a high reported level or perception of corruption, have failed to enact effective anti-corruption legislation and have a failure to be transparent in procurement and investment policies. Obviously the most recent, annual Transparency International Corruption Perceptions Index (TP-CPI) can be a good starting point. Other indices you might consider are the Worldwide Governance Indicators and the Global Integrity index.
- Sector Risk – these involve areas which require a significant amount of government licensing or permitting to do business in a country. It includes the usual suspects of:
- Extractive industries;
- Oil and gas services;
- Large scale infrastructure areas;
- Pharmaceutical, medical device and health care;
- Financial services.
- Transaction Risk – Lawyer says that this risk “first and foremost identifies and analyses the financial aspects of a payment or deal. This means that it is necessary to think about where your money is ending up”. Indicia of transaction risk include:
- High reward projects;
- Involve many contractor or other third-party intermediaries; and/or
- Do not appear to have a clear legitimate object.
- Business Partnership Risk – this prong recognizes that certain manners of doing business present more corruption risk than others. It may include:
- Use of third party representatives in transactions with foreign government officials;
- A number of consortium partners or joint ventures partners; and/or
- Relationships with politically exposed persons (PEPs).
One of the questions that I hear most often is how does one actually perform a risk assessment. Mike Volkov has suggested a couple of different approaches in his article “Practical Suggestions for Conducting Risk Assessments.” In it Volkov differentiates between smaller companies which might use some basic tools such as “personal or telephone interviews of key employees; surveys and questionnaires of employees; and review of historical compliance information such as due diligence files for third parties and mergers and acquisitions, as well as internal audits of key offices” from larger companies. Larger companies may use these basic techniques but may also include a deeper dive into high risk countries or high-risk business areas. If your company’s sales model uses third party representatives, you may also wish to visit with those parties or persons to help evaluate their risks for bribery and corruption that might well be attributed to your company.
There are a number of ways you can slice and dice your basic inquiry. As with almost all FCPA compliance, it is important that your protocol be well thought out. If you use one, some or all of the above as your basic inquiries into your risk analysis, it should be acceptable for your starting point.
Tomorrow, I will consider how to evaluate a risk assessment.
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at firstname.lastname@example.org.
© Thomas R. Fox, 2018