A proactive, systematic risk assessment is an essential first step to developing and implementing any corporate compliance program, regardless of your industry or the compliance areas you are targeting. As US enforcement authorities have explained, “One-size-fits-all compliance programs are generally ill-conceived and ineffective because resources inevitably are spread too thin, with too much focus on low-risk markets and transactions to the detriment of high-risk areas.” The Department of Justice specifically identified the effectiveness of a company’s compliance risk assessment as a foundational consideration when evaluating whether to bring charges against a company and in negotiating a plea or other remedies. Moreover, in a corporate environment characterized by lean performance, tailoring your compliance program to your company’s actual risks is a business necessity.
A deliberate, iterative self-assessment methodology is crucial to obtaining the benefits of both mitigating enforcement risk and achieving a high-efficiency compliance program. This post describes a four step process foundation for a self-assessment methodology: (1) get a detailed picture of what your company actually does, (2) map the potential compliance risk “contact points” that exist in your company, (3) assess the current controls in place to prevent, detect, and correct violations, and (4) determine and prioritize the compliance enhancement measures you undertake.
1. Get a detailed picture of what your company actually does.
An effective risk assessment begins with an accurate, detailed, and documented picture of how your organization actually operates. Avoid the tendency to build a compliance program based on what management thinks is going on or notions of what “good compliance” should look like. Rather, grapple with the actual “who, what, where, when, and how” that is happening on the ground in your company.
One method for developing your company’s risk picture is to create a matrix detailing all key company processes, systems, and transactions. This kind of a matrix is typically better when based on information obtained from the “bottom-up.” It may be possible to leverage existing business process materials prepared for continuous improvement or contract certification purposes. But the key is to get a complete picture: it is hard to assess the risk for activities that are not identified.
Combine process-based information about your company’s activities with qualitative and quantitative learning. Take the opportunity to meet key personnel who execute the business’s processes and systems; find out what motivates and stresses them. Also leverage your company’s data streams to gain a metrics-based perspective. Create and document reporting processes that enable you to assess and update your understanding of company operations and compliance program performance over time. This iterative reporting is important both for engaging company leadership in your compliance program’s development and to documenting your self-assessment process in the event of future scrutiny by regulatory agencies.
2. Map the potential risk “contact points” that exist in your company.
Once you achieve a detailed picture of your company’s operations, you should next map its compliance risk “contact points”. This means identifying the specific company operations that present the potential for violating applicable regulatory regimes, whether through intentional or negligent individual conduct, or simple unawareness. One approach to identifying these contact points is to evaluate each of the key processes, systems, and recurring transactions identified in step 1 in terms of questions or issues associated with the regulatory regimes that you want to assess. For example, self-assessment of export controls would entail a battery of questions designed to identify each instance where a controlled technology or hardware is created, transferred, accessed, stored, disposed of, or otherwise transacted. An anti-corruption self-assessment would seek to identify each operation potentially relating to the transfer of valuable consideration to covered parties. For a multi-issue risk assessment, it may be helpful to design an evaluation matrix with different sections or tabs reflecting evaluation of your company’s business processes for each regulatory issue set.
3. Assess the current controls in place to prevent, detect, and correct violations.
The third step in this risk assessment process is to evaluate whether the procedures and controls already in place in your company effectively address the risk contact points you identified. In short, you want to deliberately identify the gaps or “manifested risks” in your current program. For each risk contact point, identify the specific policy, procedure, work instruction, and any other control that applies. You should assess the sufficiency of these controls in the context of your qualitative and quantitative knowledge of each contact point. Also evaluate not only whether each contact point is addressed by a prescriptive requirement, but whether controls are sufficiently effective in the context of your knowledge of the qualitative and quantitative significance of the risk. Consider the likelihood that a violation will occur given the current controls, whether such a violation would be detected, and, once detected, the significance of the escape to your company’s compliance risk profile. Those contact points that are insufficiently addressed by current controls represent program gaps that need to be addressed.
You should leverage qualitative and quantitative information to develop a complete assessment of your company’s risk contact points. Evaluate whether business pressures may create risk vectors that would otherwise not be apparent: if individual performance measures require achievement of certain results to obtain bonus compensation or favorable professional ratings, these enhanced risks should be reflected in your assessment of existing controls. Similarly, if enterprise data indicates a high volume of transactional activity relating to particular systems, processes, or individuals you should reflect this reality. Finally, use past escape, violation, or disclosure history to evaluate the completeness of your risk assessment. Your gap analysis should reflect the regulatory history of your organization.
4. Determine and prioritize the compliance enhancement measures you undertake.
The final step in the process is to deliberately prioritize and then address the manifested risks identified through the gap analysis. Companies rarely have the resources to tackle all compliance risks at once. Typically, compliance professionals need to rank their program’s gaps in terms of risk criticality and resources required to remediate. You want to maximize your return on compliance investment—again, this is both a business imperative and the enforcement agencies’ expectation.
Once you have prioritized your company’s compliance opportunities, you should pursue project-based initiatives to address them in a methodical fashion. Think holistically about what compliance enhancements will generate the most benefit for your company. If your company has a population of sales representatives, for example, it may be that targeting compliance resources to support them will reduce risk in multiple issue areas. Enrich your analysis with data. Do transaction histories show that only a few people are authorizing all payments to external consultants? Or that one technology manager is approving a disproportionate share of controlled technology exports? If so, targeted training and accountability measures, or a better distribution of responsibility may generate significant compliance enhancement returns.
Continue to assess the impact of these initiatives as they take effect. Also, be alert to changes in the organization and activities of your company. Acquisitions of new business units, movement into new geographical or sectoral markets, corporate reorganization, and engagement with new customers or government regulators all raise different types of compliance risks, as can changes in regulations or how enforcement authorities interpret those regulations. Implement a deliberate, recurring process to periodically update your company’s risk assessment. This will enable you to both tailor an efficient, effective compliance program, and to put your company in an optimal position in the event of future scrutiny by enforcement agencies.
For further information, please contact Randy Cook firstname.lastname@example.org
Randall Cook is a Senior Managing Director at Ankura Consulting Group, with more than 18 years of experience conducting complex investigations and audits; leading and advising organizations engaged with critical operational and compliance challenges; and designing and delivering high-performance, persistent, integrated risk mitigation solutions. Previously Mr. Cook was Senior Counsel for two Fortune 50 defense technology companies; he served as an Assistant United States Attorney in the federal district of New Jersey, where he prosecuted numerous complex crimes while serving as the Anti-Money Laundering District Coordinator for the Organized Crime and Drug Enforcement Task Force and as District Coordinator for Counterproliferation Initiatives; and he has served in the United States Army and Army Reserve as an Infantry Officer, Battalion Executive Officer, Company Commander, and Inspector General. Waqas Shahid is a Senior Managing Director at Ankura Consulting Group, with over 13 years of multi-disciplinary compliance and technology experience, including counseling companies on international trade compliance matters, conducting internal investigations, handling data privacy and security matters, and designing and deploying process automation solutions. Melanie Reed is an Ankura Consulting Group professional who has advised clients on compliance issues for over 10 years, including for private firms, international organizations, and non-governmental organizations. A lawyer by background, her focus is international corruption and political law compliance.
The views, opinions and positions expressed within all posts are those of the author alone and do not represent those of the Program on Corporate Compliance and Enforcement or of New York University School of Law. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.