And we’re back. So far, we’ve covered corporate policies, tone at the top, and policies & procedures. Today, we’re talking about risk assessments.
I’ve written about this before, and it’s something I feel strongly about. Risk assessments have incredible potential to provide benefits to your program beyond just knowing what your risks are.
As always, let’s start with the language of Schedule C:
4. [The Company] will develop these compliance standards and procedures, including internal controls, ethics, and compliance programs on the basis of a risk assessment addressing the individual circumstances of the company, in particular the foreign bribery risks facing the company, including, but not limited to, its geographical organization, interactions with various types and levels of government officials, industrial sectors of operation, involvement with joint venture arrangements, importance of licenses and permits in the company’s operations, degree of governmental oversight and inspection, and volume and importance of goods and personnel clearing through customs and immigration.
Let’s break that out for you. The DOJ is saying that FCPA risk comprises:
- Geography. Now, I love World Check. I’ve done a webinar series with them in the past, and I’m actually in the middle of one now. They have their own geographical risk index. I’m sure it’s wonderful. But let’s face it, the Transparency International Corruption Perceptions Index is the standard.
- Interactions with Government. Are your biggest clients the government? Do you have frequent contact with regulators? Do you have a regulator?
- Industrial Sectors. Extractive industries, telecom, and pharma are all higher risk. I would also include here any sector where individual contracts are worth substantial amounts of money. The more an individual contract is worth, the more in bribes you’re going to be willing to pay to get it.
- JVs. They’re higher risk. There needs to be recognition of that in your assessment. The really funny thing is that a lot of companies don’t even know their corporate structure: how many JVs, where they are, how many subsidiaries. Someone in the company usually knows this stuff—someone in tax or in Treasury, maybe—but not the businesspeople and not legal or compliance.
- Licenses and Permits. This might rightly just be a subsection of risk area #2, but licenses and permits are so risky they deserve their own category.
- Government oversight. Another subsection of point #2: how much does the government care about what you do? If you’re in the financial industry, this risk has been increasing in the last few years.
- Customs. Do you regularly ship stuff through customs? I remember a story told at an FCPA breakfast. Some CEO from a company in India. He had just gotten FCPA training, and when a shipment was held up in Customs because the customs agent wanted a payment, the CEO called down the Minister of Transportation. The minister came down to the docks and there was a press conference where he cleared the shipment. No bribe paid. The customs agent called the CEO over and said “I’m here every day. How many times can you get the Minister down here?” Ouch.
(This next section is from an old Forbes article I wrote on this subject, re-edited for this post.) For all that it’s common sense and mandated by regulators, I’m constantly shocked at how much of a muck-up companies make of their risk assessments. For such an important tool, you’d think companies would take full advantage of it.
Risk assessments can serve as a vehicle for early buy-in, as a method to secure budget and resources, as a gauge for progress, as a way to avoid fire drills and set priorities for your program, as a natural reporting-out format, and as proof for regulators of the adequacy of your program. All that from a process that most companies don’t comprehend or utilize to its fullest, or worse, misuse to the point where it’s either value-neutral or even detrimental to the program. In some cases, the risk assessment itself can become a risk.
First, let’s delve into a root cause analysis of the most common failures of a risk assessment. The first, most egregious, and most common failure is to consider the risk assessment as a document and not a process. Companies that fail in this way are often trying to check the risk-assessment box on their program. That’s fine, as far as it goes. At first glance, a risk assessment seems like a low-ROI effort. You put in time and potentially money, and you get back a piece of paper laying out what you already know. I understand that attitude, and I’ve heard it before. So if you want to check the box, go right ahead. But don’t think that the regulators aren’t savvy to this attitude. We’ve heard the SEC recently say that a nimble risk assessment is an indicator of an effective program, and a major consideration in declination decisions. So while your business might push towards a low-cost, low-effort end product, you need to warn the business that it’s not going to fly with the regulators should you actually need to trot it out and hold it up to the light. A true risk assessment isn’t something you create and file. A true assessment is just that: an assessment of current conditions. Because life is dynamic, a risk assessment cannot be static. It must incorporate new information because it must reflect reality.
A follow-on failure, flowing from a risk assessment that isn’t an ongoing, dynamic process reflecting reality, is a backward-looking risk assessment. A risk assessment, because it’s dynamic and reflects reality, should be forward-looking. It should address not where the risk was, but where it is and where it will be. There are follow-on benefits to this, which we’ll discuss shortly. Many companies devote their entire assessment to historical risks. History is important in that it informs the present, but the majority of the assessment should look at a forward-leaning present state. What does “forward leaning” mean? First, compliance has got to understand the business: where is the business going? What markets will the business be entering in the next three to six quarters? What new products will the business be rolling out? What customer segments represent the largest growth areas for your business? Where is the greatest revenue yield in existing products? What is the most common deal structure for your business? How long is the sales cycle? Who are the five largest customers? What’s the success metric the business most cares about? If your compliance people can’t answer these questions, get new compliance people. The answers to these questions all impact—indeed, they define—your risk assessment. That’s what having a forward-leaning risk assessment means, and there are two follow-on effects that have a dramatic impact on the perception of compliance. First, the business reaction to a compliance officer who knows the business is entirely different from the usual “business prevention department” moniker applied to us. The next step, making the business understand that your goal is their success, is a much shorter step than the first. Second, when compliance understands the business this well, the relationship can become a partnering one. And this leads to the first concrete benefit of an effective risk assessment: business buy-in.
Buy-in from the business has two sources, of which the partnering relationship with compliance is just one. The second is understanding that a risk assessment completed without business participation isn’t a risk assessment; it’s a Compliance guess at a risk assessment. Because one thing I can absolutely guarantee: the business is doing something you don’t know about, and wish you did. And another thing I can guarantee: if you surprise the business with your risk conclusions, they’ll resist. They’ll criticize any mitigation efforts. Anything you try to do will be labeled unrealistic, unwieldy, too disruptive, and too expensive. “You’ll kill the business.” And then, I’m afraid, they’ll get negative. So what you need to do is involve the business from the word go. This actually makes sense logically: you’re assessing risk in the business. Even better is if Compliance guides the risk assessment, but the actual work is done by the business. This is an assessment of business risk, after all. But when coupled with the partnering relationship, early business involvement has a force-multiplying effect leading to business buy-in.
Working with and alongside the business has some side benefits. You want the best people available within the business to work on the risk assessment: it’s a high-priority effort and should be treated as such; literally millions of dollars are on the line. But there’s another argument to make to the business to convince them to assign some high performers to this task. Often, the business identifies high performers and then gives them tasks which will take them out of their silo and give them a view into other areas of the business. Take a high-performing marketing person and give them an assignment that couples them with operations, for example. The risk assessment is the perfect vehicle not only for high performers, but for those high performers whom the business believes are destined for senior leadership. A risk assessment—indeed, a lot of compliance projects—gives a view into all areas of business activity. It involves developing relationships in every nook and cranny of the business, and developing relationships with leaders in every division. For a future leader, those relationships are invaluable. For compliance too. Not only does Compliance get the efforts of a high-performing employee, every other employee now knows that high performers get assigned compliance projects. And it will start competition for compliance projects among high performers. If you can systematize it, what a great story about tone at the top! And that’s just the side benefit.
The main benefit is business buy-in. Your risk assessment has several key sections: business activities that bring risk, what type of risk (gifts, due diligence, etc.), current mitigating controls, planned mitigating controls, and target dates. This is what I mean when I say that a risk assessment shouldn’t be static. It has elements of a project plan. And once the business buys into that project plan, you’ve just won half the battle. Because buying into the plan means buying into the commitment of resources—budget and people—to accomplish that plan. Even the arguments you’ll be having are better ones. You’ll argue with the business about resource allocation versus return on investment, and about which planned mitigation enhancements will have the most impact; you’ll be forced to prioritize, think through, and focus your efforts. All this will help you improve your program. And as my old boss used to say, it’s the right conversation to be having.
Because you know what you call it when you’re arguing with the business about these things?
Once you’ve got agreement on the plan and the target dates, you’ve got commitment on budget and resources. And more than that, you’ve got a natural reporting-out format. You now have a plan you can track progress against. And if you’re ahead of schedule—unlikely, but possible—that’s a powerful argument for more resources. If you’re behind schedule, you can reprioritize or explain it, or renew the discussion around what new resources could achieve. The difference between normal resource discussions and this one is your newfound ability to specify what new risk mitigation the new resources will enable.
So now you have engagement, budget, resources, and reporting out. But the benefits don’t stop there.
One of the most important things a program can have is the ability to incorporate new information. That’s not me, that’s Charles Cain at the recent ABA 4th Annual Institute on the Foreign Corrupt Practices Act (the subject of a blog post of mine). He said that if a company has a nimble program that can incorporate new information, that’s a significant factor he considers when thinking about declinations. I knew of a place once where the compliance people felt they were always working on “fire drills”: the newest thing happens and requires an immediate response. Everything else gets put on hold to work on this new thing. The problem is that other things are important too. How can a program stop confusing the “important” with the “urgent,” as Stephen Covey says? The answer? Your risk assessment. When you encounter a new problem, you now have a mechanism to examine that problem—or as I now call it, a challenge—in context. You can now discuss the new risk to determine its place in your panoply of risks. And your argument—even if you decide not to address the risk right away—is strong, even if your next issue arises from that risk. I’d much rather be able to tell a regulator: “Look, we caught that issue, and we discussed it. We looked at our entire universe of risk and decided that it needed to be addressed, but that we have 4 issues more pressing, and so it’s now on our risk map as risk #5. We have a plan in place to address that risk, and we’ve already decided, alongside the business, what resources—budget and people—will be allocated to it. We’ve agreed with the business on delivery dates, and oh, by the way, let me show you how, for our identified risks, we’ve been able to stay 12% ahead of schedule. The business is fully behind this effort, and is integral to our continued risk identification and mitigation efforts.” I’ve often wondered how companies can claim to have an effective program in the face of an egregious failure. This is how.
You have written proof of the efficacy of not just your program, but also your implementation of it, for the regulators.
Anything else? We’ve got engagement, budget, resources, reporting out, avoiding fire drills and aiding prioritization, and proof for regulators. You need more?
Ask yourself, which do you want, a document you put on a shelf, or an ongoing process that gives you significant benefits over time?