Risk Assessment – By the Book

[This essay was originally posted on Corporate Compliance Insights.]

Nothing is more important to developing and maintaining an effective C&E program than risk assessment, and effective risk assessment is, as a general matter, perhaps the most daunting task a C&E officer is likely to face.  The challenges are both conceptual (a surprising lack of consensus on what the point of a risk assessment is) and practical (getting business people and others to be candid and thoughtful about what they may view as unpleasant and unnecessary topics).

But C&E risk assessment has been an expectation of the U.S. government since the 2004 amendments to the Federal Sentencing Guidelines for Organizations, and anti-corruption compliance standards of other countries are turning these expectations into something of a global mandate. Beyond this, many companies’ C&E programs are in desperate need of some sort of refreshment – and, as much as any program function, a risk assessment can provide a powerful foundation for this.

To help companies and their advisors meet these and related challenges, I’ve assembled my CCI risk assessment columns for the past four years into an e-book – Compliance and Ethics Risk Assessment: Concepts, Methods and New Directions, which is available for free download here.  The book – which, in addition to past columns, has new content, including a comprehensive list of legal risk areas and a very detailed index – covers such topics as:

  • The government’s expectations regarding risk assessment.
  • Why assessing the “nature” of the risk is critically important to – but missing from – many assessments.
  • A framework for assessing third-party risks.
  • “Nano compliance,” meaning identifying risks that may be very specific to a location, business area or function but are still significant.
  • Refresher risk assessments.
  • Assessing managers’ C&E risks.
  • Use of the attorney-client privilege in risk assessment.

The book also looks at risk assessment in several key substantive areas – competition law, conflicts of interest, corruption and insider trading.  Additionally, it explores practical ways of turning risk assessments into risk mitigation plans and points of intersection between risk assessment and program assessment. Finally, the book looks at some new directions risk assessments can take, including assessing genuine ethics risks (which very few companies do) and incorporating key learnings from social science (particularly behavioral ethics) into one’s assessment approach.

So, that’s risk assessment “by the book.” But to learn more, you don’t need to “buy the book” – just click on the above link for a free download.