One of the most powerful episodes in risk-assessment history is the story of the Maginot Line, which the French military had deployed after WWI to prevail in any future trench warfare against the Germans. The latter, however, had other plans and so were able to outflank the former in WWII, with catastrophic consequences. Is there a danger that compliance professionals could face a “Maginot Line” problem in how they assess risk in their respective companies?
To begin, there is no question where the risk-assessment action is these days. We are indeed currently going through what might be considered a golden age of anti-bribery anti-corruption (ABAC) risk assessment. This emphasis should be no surprise, for a variety of reasons.
- The U.S. Department of Justice’s Criminal Division has—over the past few years—issued several iterations of an important compliance program evaluation manual (Evaluation of Corporate Compliance Programs) which places considerable emphasis on conducting ABAC risk assessments.
- There have been many ABAC enforcement activities for more than a decade, with no good reason to believe that they will abate any time soon. This is another major driver of ABAC risk assessment.
- Compliance program failures can be prosecuted without provable acts of bribery, heightening the need for sound programs generally and risk assessment in particular.
- Many ABAC risks are “local”—not only geographically but also in terms of product/service lines and various functions within a company. This further enhances the need for ABAC risk assessment.
This is a lot to deal with, and so it is not surprising that assessing other types of risks is not a great priority at some other companies. But ignoring other risks can be dangerously shortsighted.
- Antitrust is another area where Justice has issued compliance program evaluation standards, and routinely brings costly enforcement actions. Yet—as best I can tell—there is much less risk assessment here than with ABAC.
- Conflicts of interest (COIs) are also an oft-neglected area when it comes to risk assessment. So is insider trading.
However, it is important to note that not all risk assessments are the same size and shape. For example, insider-trading assessment may focus largely on the volatility of a company’s stock, the number of employees and others who have access to insider information, and the efficacy of compliance training/other communications. COI assessment may turn—at least in part—on cultural factors in the geographies where a company operates, the efficacy of procurement controls, and the use of disclosure mechanisms. Antitrust risk assessment will depend partly on a market analysis of where, how, and with whom the company does business, and the efficacy of antitrust auditing and monitoring in high-risk areas.
While this sounds like a lot of work, it can be much less so where the company has already conducted some risk-related activities that can be modified for inclusion in the assessment. For instance, review of disclosure records can sometimes go a long way in creating a COI risk assessment. And while the risk area of fraud can cover a great amount of ground (e.g., concerning financial reporting, product safety), much of that may have already been addressed by other compliance measures.
Finally, where does one begin? One possibility is with a needs-analysis for a risk assessment. While that sounds like a lot of work, it can actually save time by focusing compliance efforts only where they are necessary. At the same time, assessing needs can help avoid a Maginot Line type debacle.
Jeffrey Kaplan is a partner in the Princeton, New Jersey office of Kaplan & Walker LLP and a member of Ethical Systems’ Steering Committee.
This post was originally published on the FCPA Blog, and is reprinted with permission.