Practical suggestions for conducting risk assessments
With the Foreign Corrupt Practices Act (FCPA) enforcement actions ramping up from the Department of Justice and the SEC, companies both big and small need to keep their risk assessment processes in check—regardless of access to resources.
This blog post from Michael Volkov provides insight into a few practical approaches to performing a risk assessment using three tools.
The bottom line: if you do not conduct a risk assessment, then you should start praying. The FCPA Guidance made it clear—conduct a risk assessment and tailor your compliance program to the risk assessment.
In the unfortunate event that your company is involved in an FCPA enforcement action, the Department of Justice and the SEC will conduct a thorough review of a company’s compliance program. If the program falls into the "paper program" pile, prosecutors will aggressively investigate potential FCPA violations.
On the other hand, if the company can demonstrate an "effective program," which is tailored to the specific risks identified in a risk assessment, the company will have a much better shot at arguing for a declination or a significantly reduced penalty.
Risk assessments look different depending on the company’s size and footprint. A small company will not conduct the same type of risk assessment, nor will it have as comprehensive an anti-corruption compliance program. By contrast, larger companies will have a more formalized risk assessment process.
There are several practical approaches to conducting a risk assessment. The tools for conducting a risk assessment include:
- Personal or telephone interviews of key employees
- Surveys and questionnaires of employees
- Review of historical compliance information, such as due diligence files for third parties, mergers and acquisitions, and internal audits of key offices
For smaller companies, these three tools may be sufficient to develop a good risk profile for the company. The personal interviews are critical because they provide a real-time measure of what is actually occurring in various countries. A country manager and a lead sales or business development employee should be interviewed about current practices with a focus on interactions with foreign officials, third parties, and overall compliance culture. Such reviews should include a review of regional or local compliance policies and procedures.
Large companies with more resources can conduct risk assessments with sophisticated and time-intensive tools, such as personal, face-to-face interviews, on-site visits, and informal audits. These deep-dive inquiries could be focused on high-risk countries.
Most companies do not have the luxury of deep-dive risk assessments. The Sentencing Guidelines and the FCPA Guidance both take this into account and provide different expectations for big and small companies.
Smaller companies should not be reluctant to conduct a risk assessment. Because of the limitation in resources, small companies can conduct a more informal risk assessment using the basic tools outlined above. The key to such a risk assessment is to conduct it in good faith and with proper attention to potential risks. Not every stone needs to be turned over, but significant issues and risks should be addressed.
For smaller companies, the risk assessment should be documented: the interviews, the documents reviewed, the surveys and questionnaires, and an analysis of the risks. A memorandum setting out the review and analysis should be prepared and maintained as the basis for anti-corruption compliance policies and procedures.
This article is by Michael Volkov from blog.volkovlaw.com.