There is not much more iconic in the US than Starbucks. As such they present some very visible and public lessons learned for the compliance practitioner. Recently Starbucks generated extremely negative news for having Philadelphia police arrest two persons who were waiting for a third person for a meeting. I want to use this most recent black eye for Starbucks and an earlier incident to help explain the need for a nimble and agile risk management process in any best practices compliance program. This risk management process includes forecasting, risk assessments and risk-based monitoring.

Within the context of an anti-corruption compliance program, you are trying to make adjustments based on the risks of violation of the law, out in the marketplace. For instance, in a compliance forecast, third-party risk should be considered at the top of your ordinal list of risk and you should consider a multitude of factors such as the operating procedures, processes and systems and training. Of course, the execution of that process is a critical component as well.

All these things, to some degree, should appear in a risk assessment for the organization. Meaning, at the corporate level, what happens if your core product becomes something different than simply a consumer product, such as coffee? There should be a risk assessment node which has a component that notes these changes so that you can adapt as necessary. A robust risk management process should be designed to elevate these new issues. If something does change, the next step would be to take appropriate course of action to address any of those risks.

The most recent story involved the arrest of two African-American men who were waiting for a third person at a Philadelphia Starbucks. As Matt Kelly noted in his Radical Compliance blog entitled “Starbucks and Policy Management Perils”, the story was “two black men, Rashon Nelson and Donte Robinson, entered a Starbucks in downtown Philadelphia to meet an acquaintance for a business appointment. Nelson first asked the manager to use the bathroom; the manager declined and said the bathroom is reserved for paying customers only. The men then sat at a table without ordering anything, waiting for their acquaintance to arrive. The manager, who is white, came to their table and asked if they wanted to order anything. They said no. Two minutes later, the manager called the police to evict Nelson and Robinson from the store. The police arrived and arrested them for suspicion of trespassing.” After spending several hours in jail, the two men were released.

Matt detailed many of the issues from the compliance policy and procedures perspective. However, I see another lesson for the company. Starbucks was initially a coffee shop, selling coffee and the coffee experience. If you have ever been to the original Starbucks across from Pike Place Market in Seattle, it is the consummate coffee shop experience as it does not even provide seating. The most recently opened Starbucks in Houston is gorgeously laid out with comfortable chairs and full working tables for those writing blogs.

With its ubiquitousness and growth the company has largely become the meeting place of America. Starbucks’ design has made itself America’s public space with clean, welcoming and open stores. It is certainly one thing if you have a coffee shop with limited seating to request persons there purchase a cup of joe but that type of approach is inconsistent with being America’s greenspace, open and welcoming to all. If you have made yourself that deeply embedded into America’s consciousness as the gathering spot to wait for meetings or even type out and post a blog (as Matt did for his blog on the subject) your risk profile has rather dramatically changed.

This means your forecast and risk assessment must take into account there will be racism and racial profiling by Starbucks store managers. This event did not happen in the South where many similar attitudes still exist but in a major Northern metropolitan center. Starbucks should have not only forecast this risk but it should have been more closely assessed in both its hiring practices and ongoing training. As to the latter, Starbucks has announced a one-half day nationwide store closure for training on racial discrimination issues. While some may say this is too little, too late; at least it is a start.

The differences between forecasting and risk assessment is that risk assessment attempts to consider things which forecasting either did not reliably predict for, or those things which the forecasting models have raised as potential outcomes which could be troubling, critical themes and issues. As risk management specialist Ben Locwin has explained, “What you’re trying to do then is decide on how you would address these. Risk assessments will percolate to the top of the list, your risk registry. Those items which are most consequential for your organization, whatever it happens to be. Again, just like forecasting, risk assessments apply to every organization.”

Starbucks had previously provided another example which illustrated the differences between forecasting and a risk assessment, yet how the two are complimentary. During a past winter, when I began purchasing hot coffee products from Starbuck, as opposed to the cold drinks I buy during the hotter parts of the year, I discovered that baristas’ no longer put sleeves on coffee cups but required you to ask for one. The second time I had to ask for a sleeve, I inquired from the barista why I had to do so. She replied that corporate had changed the policy for environmental reasons and that she could only provide a sleeve at the specific request of the customer. When I pointed out that it slowed the line down and was much less efficient in the delivery of Starbuck’s coffee, she replied, “You’re absolutely right. I hate it. Would you please email Starbucks and tell them of your dissatisfaction?”

Locwin noted, “what you’ve put your finger on is the crux of the balance of forecasting versus risk assessment. They’re two very different things, but at the same time, as they weave through time, they interchange. For example, Starbucks would potentially say, “We forecast that consumers are going to be more concerned about paper use, sleeves, the economic costs to the world, of extra paper waste and things. We’re going to, in certain locations, let’s say across Texas, we’re going to pilot that we don’t give out sleeves unless they’re asked for.” In their risk assessment, which I can tell you didn’t change from that forecast, what they then should have had was a commensurate line item which said, “If consumers start to have a problem with what’s being done at these locations, our immediate contingency plan is to do the following, to strip it away immediately, full stop, so that every cup gets a sleeve, so that they’re not slowing down lines, consumers say you heard us immediately, and then the organization is back on track.

Their forecast plans something, the risk assessment should have had countermeasures to address, and instead if they didn’t have this in place, they’re going to have to wait until they start to have a Twitter feed that blows up… The risk assessment model should say, “Then we will do the following. Texas was dissatisfied by this change and same in our pilot in Wisconsin. Let’s stop not giving out sleeves… Then eventually that starts to dissipate and they get rid of this whole new silly paradigm.””

The differences between forecasting and risk assessment is that risk assessment attempts to consider things which forecasting either did not reliably predict for, or those things which the forecasting models have raised as potential outcomes which could be troubling, critical themes and issues. As Locwin explained, “What you’re trying to do then is decide on how you would address these. Risk assessments will percolate to the top of the list, your risk registry. Those items which are most consequential for your organization, whatever it happens to be. Again, just like forecasting, risk assessments apply to every organization.”

The furor over the arrest of the two men at Starbucks may well last for some time. As noted at least Starbucks did not try and hide behind the rogue employee argument. It is stopping its business for a half-day to address the problems in its own organization. I hope every compliance practitioner can learn from Starbucks mistakes and responses.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2018

After you complete your risk assessment, you must then translate it into a risk profile, as Rick Messick has noted, to estimate where bribery is likely occur, so prevention efforts will be properly targeted. Ben Locwin explained, in “Quality Risk Assessment and Management Strategies for Biopharmaceutical Companies”, “Once we have assessed risks and determined a process that includes options to resolve and manage those risks whenever appropriate, then we can decide the level of resources with which to prioritize them. There always will be latent risks: those that we understand are there but that we cannot chase forever. But we need to make sure we have classified them correctly. With a good understanding of each of these, we are in a better position to speak about the quality of our businesses.” This makes the evaluation of your risk assessment a key element in your compliance regime.

William C. Athanas, in an article entitled “Rethinking FCPA Compliance Strategies in a New Era of Enforcement”, posited that companies assume that Foreign Corrupt Practices Act (FCPA) violations follow a “bell-curve distribution, where the majority of employees are responsible for the majority of violations.” However, Athanas believed that the distribution pattern more closely follows a “hockey-stick distribution, where a select few…commit virtually all violations.” Athanas concludes by noting that is this limited group of employees, or what he terms the “shaft of the hockey-stick”, to which a company should devote the majority of its compliance resources. With a proper risk assessment, a company can then focus its compliance efforts such as “intensive training sessions or focused analysis of key financial transactions — on those individuals with the opportunity and potential inclination to violate the statute.” This focus will provide companies the greatest “financial value and practical worth of compliance efforts.”

David Lawler, in Frequently Asked Questions in Anti-Bribery and Corruption”, suggested that you combine the scores or analysis you obtained from the corruption markers you review; whether it is the Department of Justice (DOJ) list or those markers under the UK Bribery Act. From there, create a “rudimentary risk-scoring system that ranks the things to review using risk indicators of potential bribery. This ensures that high-risk exposures are done first and/or given more time. As with all populations of this type, there is likely to be a normal or ‘bell curve’ distribution of risks around the mean. So 10-15% of exposure falls into the relative low-risk category; the vast majority 70-80% into the moderate-risk category; and the final 10-15% would be high risk.”

In an article entitled “Improving Risk Assessments and Audit Operations” author Tammy Whitehouse focused on how one company, Timken Co., created a risk matrix to evaluate risks determined by the company’s risk assessment. At Timken, the most significant risks with the greatest likelihood of occurring are deemed to be the priority risks. These “Severe” risks become the focus of the audit monitoring plan going forward. A variety of tools can be used to continuously monitoring risk going forward. However, you should not forget the human factor. At Timken, one of the methods used by the compliance group to manage such risk is by providing employees with substantive training to guard against the most significant risks coming to pass and to keep the key messages fresh and top of mind. The company also produces a risk control summary that succinctly documents the nature of the risk and the actions taken to mitigate it.

The key to the Timken approach is the action steps prescribed by their analysis. This is another way of saying that the risk assessment informs the compliance program, not vice versa. This is the approach set forth by the DOJ from the 2012 FCPA Guidance, through the Evaluation of Corporate Compliance Programs (Evaluation), up to the FCPA Corporate Enforcement Policy (Policy). I believe that the DOJ wants to see a reasoned approach with regards to the actions a company takes in the compliance arena. The model set forth by Timken certainly is a reasoned approach and can provide the articulation needed to explain which steps were taken.

Three Key Takeaways 

  1. Even after you complete your risk assessment, you must evaluate those risks for your company.
  2. The DOJ and SEC are looking for a well-reasoned approach on how you evaluate your risk.
  3. Create a risk matrix and force rank your risks.

As the leading provider of ethics and compliance cloud software, Convercent connects ethics to business performance by weaving ethics and values into everyday operations in more than 600 of the world’s largest companies. Its Ethics Cloud Platform, provides a suite of applications: Convercent Insights, Convercent Helpline, Convercent Campaigns, Convercent Disclosures and Convercent Third Party. For more information go to Convercent.com.

One cannot really say enough about risk assessments in the context of an anti-corruption programs. Since at least 1999, in the Metcalf & Eddy enforcement action, the DOJ has said that risk assessment which measure the likelihood and severity of possible FCPA violations the manner in which you should direct your resources to manage these risks. The 2012 FCPA Guidance stated it succinctly when it said, “Assessment of risk is fundamental to developing a strong compliance program, and is another factor DOJ and SEC evaluate when assessing a company’s compliance program.”

This language was supplemented in the 2017 in both the Evaluation and the new FCPA Corporate Enforcement Policy. Under Prong 4 of the Evaluation, Risk Assessments, the following issues were raised: Risk Management ProcessWhat methodology has the company used to identify, analyze, and address the particular risks it faced? Manifested RisksHow has the company’s risk assessment process accounted for manifested risks? In the FCPA Corporate Enforcement Policy it stated, “The effectiveness of the company’s risk assessment and the manner in which the company’s compliance program has been tailored based on that risk assessment”.

The risk assessment determines the areas at greatest risk for FCPA violations among all types of international business transactions and operations, the business culture of each country in which these activities occur, and the integrity and reputation of third parties engaged on behalf of the company. The simple reason is straightforward; one cannot define, plan for, or design an effective compliance program to prevent bribery and corruption unless you can measure the risks you face.

Rick Messick laid out the four steps of a risk assessment as follows: “First, all conceivable forms of corruption to which the organization, the activity, the sector, or the project might be exposed is catalogued.  Second, an estimate of how likely it is that each of the possible forms of corruption will occur is prepared and third an estimate of the harm that will result if each occurs is developed.  The fourth step combines the chances of occurrence with the probability of its impact to produce a list of risks by priority.”

What Should You Assess?

In 2011, the DOJ concluded three FCPA enforcement actions which specified factors which a company should review when making a Risk Assessment. The three enforcement actions, involving the companies Alcatel-Lucent, Maxwell Technologies and Tyson Foods all had common areas that the DOJ indicated were compliance risk areas which should be evaluated for a minimum best practices  compliance program. In both Alcatel-Lucent and Maxwell Technologies, the Deferred Prosecution Agreements listed the seven following areas of risk to be assessed, which are still relevant today.

  1. Geography-where does your Company do business.
  2. Interaction with types and levels of Governments.
  3. Industrial Sector of Operations.
  4. Involvement with Joint Ventures.
  5. Licenses and Permits in Operations.
  6. Degree of Government Oversight.
  7. Volume and Importance of Goods and Personnel Going Through Customs and Immigration.

All of these factors were reiterated in the 2012 FCPA Guidance which stated, “Factors to consider, for instance, include risks presented by: the country and industry sector, the business opportunity, potential business partners, level of involvement with governments, amount of government regulation and oversight, and exposure to customs and immigration in conducting business affairs.

One of the questions that I hear most often is how does one actually perform a risk assessment. Mike Volkov has suggested a couple of different approaches in his article, “Practical Suggestions for Conducting Risk Assessments.” In it Volkov differentiates between smaller companies which might use some basic tools such as “personal or telephone interviews of key employees; surveys and questionnaires of employees; and review of historical compliance information such as due diligence files for third parties and mergers and acquisitions, as well as internal audits of key offices” from larger companies. Such larger companies may use these basic techniques but may also include a deeper dive into high risk countries or high-risk business areas. If your company’s sales model uses third party representatives, you may also wish to visit with those parties or persons to help evaluate their risks for bribery and corruption would might well be attributed to your company.

There are a number of ways you can slice and dice your basic inquiry. As with almost all FCPA compliance, it is important that your protocol be well thought out. If you use one, some or all of the above as your basic inquiries into your risk analysis, it should be acceptable for your starting point.

Three Key Takeaways 

  1. Since at least 1999, the DOJ has pointed to the risk assessment as the start of an effective compliance program.
  2. The DOJ will now consider both your risk assessment methodology for identifying risks and gathered evidence.
  3. You should base your compliance program on your risk assessment.

This month’s podcast sponsor is Convercent. Convercent provides your teams with a centralized platform and automated processes that connect your business goals with your ethics and values. The result? A highly strategic program that drives ethics and values to the center of your business. For more information go to Convercent.com.

Yesterday we considered how to perform a risk assessment. Today how do you evaluate the information you have developed.  After you complete your risk assessment, you must then translate it into a risk profile, as Rick Messick has noted, to estimate where bribery is likely occur, so prevention efforts will be properly targeted. Ben Locwin explained, in “Quality Risk Assessment and Management Strategies for Biopharmaceutical Companies”, “Once we have assessed risks and determined a process that includes options to resolve and manage those risks whenever appropriate, then we can decide the level of resources with which to prioritize them. There always will be latent risks: those that we understand are there but that we cannot chase forever. But we need to make sure we have classified them correctly. With a good understanding of each of these, we are in a better position to speak about the quality of our businesses.”

William C. Athanas, in an article entitled “Rethinking FCPA Compliance Strategies in a New Era of Enforcement”, posited that companies assume that Foreign Corrupt Practices Act (FCPA) violations follow a “bell-curve distribution, where the majority of employees are responsible for the majority of violations.” However, Athanas believed that the distribution pattern more closely follows a “hockey-stick distribution, where a select few…commit virtually all violations.” Athanas concludes by noting that is this limited group of employees, or what he terms the “shaft of the hockey-stick”, to which a company should devote the majority of its compliance resources. With a proper risk assessment, a company can then focus its compliance efforts such as “intensive training sessions or focused analysis of key financial transactions — on those individuals with the opportunity and potential inclination to violate the statute.” This focus will provide companies the greatest “financial value and practical worth of compliance efforts.”

David Lawler, in Frequently Asked Questions in Anti-Bribery and Corruption”, suggested that you combine the scores or analysis you obtained from the corruption markers you review; whether it is the Department of Justice (DOJ) list or those markers under the UK Bribery Act. From there, create a “rudimentary risk-scoring system that ranks the things to review using risk indicators of potential bribery. This ensures that high-risk exposures are done first and/or given more time. As with all populations of this type, there is likely to be a normal or ‘bell curve’ distribution of risks around the mean. So 10-15% of exposure falls into the relative low-risk category; the vast majority 70-80% into the moderate-risk category; and the final 10-15% would be high risk.”

In an article entitled “Improving Risk Assessments and Audit Operations” author Tammy Whitehouse focused on how one company, Timken Co., created a risk matrix to evaluate risks determined by the company’s risk assessment. Once risks are identified, they are then rated according to their significance and likelihood of occurring, and then plotted on a heat map to determine their priority. The most significant risks with the greatest likelihood of occurring are deemed the priority risks, which become the focus of the audit monitoring plan. A variety of solutions and tools can be used to manage these risks going forward but the key step is to evaluate and rate these risks.

LIKELIHOOD

Likelihood Rating Assessment Evaluation Criteria
1 Almost Certain High likely, this event is expected to occur
2 Likely Strong possibility that an event will occur and there is sufficient historical incidence to support it
3 Possible Event may occur at some point, typically there is a history to support it
4 Unlikely Not expected but there’s a slight possibility that it may occur
5 Rare Highly unlikely, but may occur in unique circumstances

‘Likelihood’ factors to consider: The existence of controls, written policies and procedures designed to mitigate risk capable of leadership to recognize and prevent a compliance breakdown; Compliance failures or near misses; Training and awareness programs.

PRIORITY

Priority Rating Assessment Evaluation Criteria
1-2 Severe Immediate action is required to address the risk, in addition to inclusion in training and education and audit and monitoring plans
3-4 High Should be proactively monitored and mitigated through inclusion in training and education and audit and monitoring plans
5-7 Significant
8-14 Moderate
15-19

20-25

Low

Trivial

Risks at this level should be monitored but do not necessarily pose any serious threat to the organization at the present time.

Priority Rating: Product of ‘likelihood’ and significance ratings reflects the significance of particular risk universe. It is not a measure of compliance effectiveness or to compare efforts, controls or programs against peer groups.

At Timken, the most significant risks with the greatest likelihood of occurring are deemed to be the priority risks. These “Severe” risks become the focus of the audit monitoring plan going forward. A variety of tools can be used to continuously monitoring risk going forward. However, you should not forget the human factor. At Timken, one of the methods used by the compliance group to manage such risk is by providing employees with substantive training to guard against the most significant risks coming to pass and to keep the key messages fresh and top of mind. The company also produces a risk control summary that succinctly documents the nature of the risk and the actions taken to mitigate it.

The key to the Timken approach is the action steps prescribed by their analysis. This is another way of saying that the risk assessment informs the compliance program, not vice versa. This is the approach set forth by the DOJ from the 2012 FCPA Guidance, through the Evaluation of Corporate Compliance Programs (Evaluation), up to the FCPA Corporate Enforcement Policy (Policy). I believe that the DOJ wants to see a reasoned approach with regards to the actions a company takes in the compliance arena. The model set forth by Timken certainly is a reasoned approach and can provide the articulation needed to explain which steps were taken.

 

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2018

One cannot really say enough about risk assessments in the context of an anti-corruption program. Since at least 1999, in the Metcalf & Eddy enforcement action, the Department of Justice (DOJ) has said that a risk assessment, which measures the likelihood and severity of possible Foreign Corrupt Practices Act (FCPA) violations, shows the manner in which you should direct your resources to manage these risks. The 2012 FCPA Guidance (Guidance) stated it succinctly when it said, “Assessment of risk is fundamental to developing a strong compliance program, and is another factor DOJ and SEC evaluate when assessing a company’s compliance program.” Over the next two blog posts, I will consider how to perform a risk assessment then how to evaluate it.

This language was supplemented in 2017 in both the Evaluation of Corporate Compliance Programs (Evaluation) and the new FCPA Corporate Enforcement Policy (Policy). Under Prong 4 of the Evaluation, Risk Assessments, the following issues were raised: Risk Management ProcessWhat methodology has the company used to identify, analyze, and address the particular risks it faced? Manifested RisksHow has the company’s risk assessment process accounted for manifested risks? The Policy states, “The effectiveness of the company’s risk assessment and the manner in which the company’s compliance program has been tailored based on that risk assessment”.

The risk assessment determines the areas at greatest risk for FCPA violations among all types of international business transactions and operations, the business culture of each country in which these activities occur, and the integrity and reputation of third parties engaged on behalf of the company. The simple reason is straightforward; one cannot define, plan for, or design an effective compliance program to prevent bribery and corruption unless you can measure the risks you face.

Rick Messick laid out the four steps of a risk assessment as follows: “First, all conceivable forms of corruption to which the organization, the activity, the sector, or the project might be exposed is catalogued.  Second, an estimate of how likely it is that each of the possible forms of corruption will occur is prepared and third an estimate of the harm that will result if each occurs is developed.  The fourth step combines the chances of occurrence with the probability of its impact to produce a list of risks by priority.”

What Should You Assess?

In 2011, the DOJ concluded three FCPA enforcement actions which specified factors which a company should review when making a Risk Assessment. The three enforcement actions, involving the companies Alcatel-Lucent, Maxwell Technologies and Tyson Foods all had common areas that the DOJ indicated were compliance risk areas which should be evaluated for a minimum best practices  compliance program. In both Alcatel-Lucent and Maxwell Technologies, the Deferred Prosecution Agreements (DPAs) listed the seven following areas of risk to be assessed, which are still relevant today:

  1. Geography – where does your Company do business.
  2. Interaction with types and levels of Governments.
  3. Industrial Sector of Operations.
  4. Involvement with Joint Ventures.
  5. Licenses and Permits in Operations.
  6. Degree of Government Oversight.
  7. Volume and Importance of Goods and Personnel Going Through Customs and Immigration.

All of these factors were reiterated in the Guidance which stated, “Factors to consider, for instance, include risks presented by: the country and industry sector, the business opportunity, potential business partners, level of involvement with governments, amount of government regulation and oversight, and exposure to customs and immigration in conducting business affairs.”

These factors provide guidance into some of the key areas that the DOJ believed can put a company at higher corruption risk. These factors supplement those listed in the now withdrawn UK Bribery Act Consultative Guidance which stated, “Risk Assessment – The commercial organization regularly and comprehensively assesses the nature and extent of the risks relating to bribery to which it is exposed.” The UK Bribery Act Consultative Guidance pointed towards several key risks which should be evaluated in this process. These risk areas included:

  1. Internal Risk – this could include deficiencies in
  • employee knowledge of a company’s business profile and understanding of associated bribery and corruption risks;
  • employee training or skills sets; and
  • the company’s compensation structure or lack of clarity in the policy on gifts, entertaining and travel expenses.
  1. Country risk – this type of risk could include:
  • perceived high levels of corruption as highlighted by corruption league tables published by reputable Non-Governmental Organizations such as Transparency International;
  • factors such as absence of anti-bribery legislation and implementation and a perceived lack of capacity of the government, media, local business community and civil society to effectively promote transparent procurement and investment policies; and
  • a culture which does not punish those who seeks bribes or make other extortion attempts.
  1. Transaction Risk – this could entail items such as transactions involving charitable or political contributions, the obtaining of licenses and permits, public procurement, high value or projects with many contractors or involvement of intermediaries or agents.
  1. Partnership risks – this risk could include those involving foreign business partners located in higher-risk jurisdictions, associations with prominent public office holders, insufficient knowledge or transparency of third party processes and controls.

Another approach was detailed by David Lawler, in his book Frequently Asked Questions in Anti-Bribery and Corruption”. He broke the risk areas to evaluate down into the following categories: (1) Company Risk, (2) Country Risk, (3) Sector Risk, (4) Transaction Risk and (5) Business Partnership Risk. He further detailed these categories as follows:

  1. Company Risk – Lawyer believes this is only “likely to be relevant when assessing a number of different companies – either when managing a portfolio of companies from the perspective of a head office of a conglomerate or private equity house.” High risk companies involve, some of the following characteristics:
  • Private companies with a close shareholder group;
  • Large, diverse and complex groups with a decentralized management structure;
  • An autocratic top management;
  • A previous history of compliance issues; and/or
  • Poor marketplace perception.
  1. Country Risk – this area involves countries which have a high reported level or perception of corruption, have failed to enact effective anti-corruption legislation and have a failure to be transparent in procurement and investment policies. Obviously the most recent, annual Transparency International Corruption Perceptions Index (TP-CPI) can be a good starting point. Other indices you might consider are the Worldwide Governance Indicators and the Global Integrity index.
  2. Sector Risk – these involve areas which require a significant amount of government licensing or permitting to do business in a country. It includes the usual suspects of:
  • Extractive industries;
  • Oil and gas services;
  • Large scale infrastructure areas;
  • Telecoms;
  • Pharmaceutical, medical device and health care;
  • Financial services.
  1. Transaction Risk – Lawyer says that this risk “first and foremost identifies and analyses the financial aspects of a payment or deal. This means that it is necessary to think about where your money is ending up”. Indicia of transaction risk include:
  • High reward projects;
  • Involve many contractor or other third-party intermediaries; and/or
  • Do not appear to have a clear legitimate object.
  1. Business Partnership Risk – this prong recognizes that certain manners of doing business present more corruption risk than others. It may include:
  • Use of third party representatives in transactions with foreign government officials;
  • A number of consortium partners or joint ventures partners; and/or
  • Relationships with politically exposed persons (PEPs).

One of the questions that I hear most often is how does one actually perform a risk assessment. Mike Volkov has suggested a couple of different approaches in his article “Practical Suggestions for Conducting Risk Assessments.” In it Volkov differentiates between smaller companies which might use some basic tools such as “personal or telephone interviews of key employees; surveys and questionnaires of employees; and review of historical compliance information such as due diligence files for third parties and mergers and acquisitions, as well as internal audits of key offices” from larger companies. Larger companies may use these basic techniques but may also include a deeper dive into high risk countries or high-risk business areas. If your company’s sales model uses third party representatives, you may also wish to visit with those parties or persons to help evaluate their risks for bribery and corruption that might well be attributed to your company.

There are a number of ways you can slice and dice your basic inquiry. As with almost all FCPA compliance, it is important that your protocol be well thought out. If you use one, some or all of the above as your basic inquiries into your risk analysis, it should be acceptable for your starting point.

Tomorrow, I will consider how to evaluate a risk assessment.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2018