“In order to solve a problem, it must first be identified”, author Harvey Mackay wrote “People don’t usually buy products and services. They buy solutions to problems.” He notes that successful sales people “tailor their products and services to meet a demand”. However, in compliance the ‘demand’ that often needs to be satisfied is risk. In your role as a compliance professional, you need to be able to identify risk and then design a system to manage it. If you review a proposed transaction and concluded it would violate the Foreign Corrupt Practices Act (FCA) and then reported that to senior management, you may well be told that it is the job of compliance to manage compliance risks, now go back and figure out a way to manage that risk so that the transaction can be done within the law. The question is how to determine the compliance risk so that it can be managed. The answer is by performing a risk assessment.
In three enforcement actions in early 2011, the Department of Justice (FOJ) indicated FCPA compliance risk areas which should be evaluated for a minimum best practices FCPA compliance program. In both Alcatel-Lucent and Maxwell Technologies, the Deferred Prosecution Agreements (DPAs) listed the following seven areas of risk to be assessed.
1. Geography – Where does your Company do business.
2. Interaction with types and levels of Governments.
3. Industrial Sector of Operations.
4. Involvement with Joint Ventures.
5. Licenses and Permits in Operations.
6. Degree of Government Oversight.
7. Volume and Importance of Goods and Personnel Going Through Customs and Immigration.
However, the British government has gone further in providing guidance around the parameters of a risk assessment. The UK Ministry of Justice (MOJ), in Principle III of the Six Principles of an Adequate Procedures compliance program, discusses risk assessment. It mandates that a company should assess “the nature and extent of its exposure to potential external and internal risks of bribery on its behalf by persons associated with it.” Further a risk assessment should be performed on a periodic basis, it should be reasoned and it should be documented. From this risk assessment, a company should then be able to “promote the adoption of risk assessment procedures that are proportionate to the organisation’s size and structure and to the nature, scale and location of its activities.”
- Country risk. This is evidenced by perceived high levels of corruption, an absence of effectively implemented anti-bribery legislation and a failure of the foreign government, media, local business community and civil society effectively to promote transparent procurement and investment policies.
- Sector risk. Some sectors are higher risk than others. Higher risk sectors include the extractive industries and the large scale infrastructure sector.
- Transaction risk. Certain types of transaction give rise to higher risks, for example, charitable or political contributions, licenses and permits, and transactions relating to public procurement.
- Business opportunity risk. These risks might arise in high value projects or with projects involving many contractors or intermediaries; or with projects which are not apparently undertaken at market prices, or which do not have a clear legitimate objective.
- Business partnership risk. There are some relationships which involve higher risk, for example, the use of intermediaries in transactions with foreign public officials; consortia or joint venture partners; and relationships with politically exposed persons where the proposed business relationship involves, or is linked to, a prominent public official.
Additionally, the MOJ believes that the areas of risk that are assessed should enable a company to accurately identify and prioritize the risks it faces, whatever its size, activities, customers or markets, as these usually reflect a few basic characteristics. They listed these as:
- Oversight of the risk assessment by top level management. More than simply tone at the top but is management truly committed to installing and maintaining a culture of compliance.
- Appropriate resourcing – this should reflect the scale of the organization’s business and the need to identify and prioritize all relevant risks. Have your designated persons with authority to make compliance decisions and back that up with the budget required to do so.
- Identification of the internal and external information sources that will enable risk to be assessed and reviewed. Who are you are going to use for the risk assessment?
- Due diligence enquiries. Is your due diligence sufficient, if not, what are you going to do to resolve this issue?
- Accurate and appropriate documentation of the risk assessment and its conclusions. Document, Document, Document.
So the key is to assess the risk. From both the DOJ and MOJ, there is specific guidance of the quality of risks that should be assessed. A risk assessment is a key tool to use to identify the types of problems that the compliance group needs to solve, or at least manage. A risk assessment should not be an annual exercise that your company goes through. You can use the guidance from the DOJ or MOJ in a wide variety of circumstances, down to the granular transactional level. Or as Harvey Mackay might say, to solve a problem, you first need to identify that problem.