One cannot really say enough about risk assessments in the context of anti-corruption programs. This is because every corporate compliance program should be based upon a risk assessment, to understand your organization’s business from the commercial perspective, how your organization has identified, assessed, and defined its risk profile and, finally, the degree to which the program devotes appropriate scrutiny and resources to this range of risks.
As far back as 1999, in the Metcalf & Eddy enforcement action, the DOJ has said that risk assessments that measure the likelihood and severity of possible FCPA violations should direct your resources to manage these risks. The 2012 FCPA Guidance stated it succinctly when it said, “Assessment of risk is fundamental to developing a strong compliance program and is another factor DOJ and SEC evaluate when assessing a company’s compliance program.”
This language was supplemented in the 2017 FCPA Corporate Enforcement Policy, which stated, “The effectiveness of the company’s risk assessment and the manner in which the company’s compliance program has been tailored based on that risk assessment.”
A risk assessment determines the areas at greatest risk for FCPA violations among all types of international business transactions and operations, the business culture of each country in which these activities occur, and the integrity and reputation of third parties engaged on behalf of the company. The reason is straightforward: one cannot define, plan for, or design an effective compliance program to prevent bribery and corruption unless one can measure the risks one faces.
Having made clear what risks needed to be assessed, the 2019 Guidance focused on the methodology used in the risk assessment process. It stated:
Risk Management Process – What methodology has the company used to identify, analyze, and address the particular risks it faces? What information or metrics has the company collected and used to help detect the type of misconduct in question? How have the information or metrics informed the company’s compliance program?
Rick Messick, in a 2018 article, entitled “Corruption Risk Assessments: Am I Missing Something?”, laid out the four steps of a risk assessment as follows:
First, all conceivable forms of corruption to which the organization, the activity, the sector, or the project might be exposed are catalogued. Second, an estimate of how likely it is that each of the possible forms of corruption will occur is prepared, and third, an estimate of the harm that will result from each occurrence is developed. The fourth step combines the chances of occurrence with the probability of its impact to produce a list of risks by priority.
What should you assess? In 2011, the DOJ concluded three FCPA enforcement actions which specified factors that a company should review when making a risk assessment. The three enforcement actions, involving Alcatel-Lucent S.A., Maxwell Technologies Inc. and Tyson Foods Inc., all had common areas that the DOJ indicated were compliance risk areas which should be evaluated for a minimum best practices compliance program. The Alcatel-Lucent and Maxwell Technologies Deferred Prosecution Agreements (DPAs) listed seven areas of risk to be assessed, which are still relevant today:
- Where your company does business;
- Geography: where does your company do business;
- Interaction with types and levels of governments;
- Industrial sector of operations;
- Involvement with joint ventures;
- Licenses and permits in operations; and
- Degree of government oversight.
These factors provide insight into some of the key areas the DOJ believes can put a company at higher corruption risk. They supplement those listed in the now withdrawn UK Bribery Act Consultative Guidance (UK Guidance), which stated that commercial organizations must “regularly and comprehensively assess the nature and extent of the risks relating to bribery” to which they are exposed. The former guidance pointed towards several key risks which should be evaluated in this process. These risk areas include:
Internal risk. This includes deficiencies in employee knowledge of a company’s business profile and understanding of associated bribery and corruption risks; employee training or skills sets; and the company’s compensation structure or lack of clarity in the policy on gifts, entertaining and travel expenses.
Country risk. This type of risk could include perceived high levels of corruption as highlighted by corruption league tables published by reputable Non-Governmental Organizations such as Transparency International (TI). It could also include factors such as the absence of anti-bribery legislation and its implementation, and a perceived lack of capacity of the government, media, local business community and civil society to effectively promote transparent procurement and investment policies. It could also include a culture which does not punish those who seek bribes or make other extortion attempts.
Transaction risk. This could entail items such as transactions involving charitable or political contributions, the obtaining of licenses and permits, public procurement, high-value projects or projects with many contractors, or the involvement of intermediaries or agents.
Partnership risk. This risk could include foreign business partners located in higher-risk jurisdictions, associations with prominent public office holders, and insufficient knowledge or transparency of third-party processes and controls.
Another approach, as detailed by David Lawler in his book “Frequently Asked Questions in Anti-Bribery and Corruption”, is to break the risk areas into the following categories: 1) company risk, 2) country risk, 3) sector risk, 4) transaction risk, and 5) business partnership risk. He further detailed these categories as follows:
Company risk. Lawler believes this is “only likely to be relevant when assessing a number of different companies – either when managing a portfolio of companies from the perspective of a head office of a conglomerate or private equity house.” High-risk companies exhibit some of the following characteristics:
- Private companies with a close shareholder group;
- Large, diverse and complex groups with a decentralized management structure;
- An autocratic top management;
- A previous history of compliance issues; and/or
- Poor marketplace perception.
Country risk. This area involves countries which have a high reported level or perception of corruption, have failed to enact effective anti-corruption legislation, and fail to be transparent in procurement and investment policies. The Transparency International Corruption Perceptions Index (TI-CPI) can be a good starting point. Other indices you might consider are the Worldwide Governance Indicators and the Global Integrity Index.
Sector risk. These involve areas that require a significant amount of government licensing or permitting to do business in a country. It includes the usual suspects of:
- Extractive industries;
- Oil and gas services;
- Large scale infrastructure areas;
- Pharmaceutical, medical device and health care; and/or
- Financial services.
Transaction risk. Lawler says this risk “first and foremost identifies and analyses the financial aspects of a payment or deal. This means that it is necessary to think about where your money is ending up.” Indicia of transaction risk include:
- High reward projects;
- Involve many contractors or other third-party intermediaries; and/or
- Do not appear to have a clear, legitimate object.
Business partnership risk. This prong recognizes that certain ways of doing business present more corruption risk than others, and may include:
- Use of third-party representatives in transactions with foreign government officials;
- A number of consortium partners or joint venture partners; and/or
- Relationships with politically exposed persons (PEPs).
There are a number of ways you can slice and dice your basic inquiry. As with almost all FCPA compliance, it is important that your protocol be well thought out. If you use one, some or all of the above as your basic inquiries for your risk analysis, it should be acceptable for your starting point.
Three key takeaways:
- Since at least 1999, the DOJ has pointed to the risk assessment as the start of an effective compliance program.
- The DOJ will now consider both the methodology you use to identify risks and the evidence you gather.
- You should base your compliance program on your risk assessment.