slides - The Conflict of Interest Blog

Compliance and Ethics Risk Assessments
Jeff Kaplan/Kaplan & Walker LLP
jkaplan@kaplanwalker.com
PLI C&E Institute
June 1, 2015
Today’s presentation
• What your risk assessment should do for your
program
▫ Recovering the lost dimension of risk assessment
▫ Optimize program elements
▫ Gain broader benefits
• How to get there
▫ Not describing a technology/methodology so much as an
approach – one that should inform the use of any
technology/methodology
• Relationship between risk and program assessment
Governmental expectations
• Historical experience: companies were preparing to fight the
last war
• Sentencing Guidelines added risk assessment as a
foundational element in 2004
▫ What is sometimes forgotten: the need to use results to
implement the other C&E tools
▫ For this reason, “why” information is important
▫ Why important too for efficiency, as well as efficacy
 Achieving “Goldilocks C&E”
• Other official C&E program expectations include risk
assessment
▫ It is also a foundational element in 2010 OECD anti-bribery
guidance (the “global sentencing guidelines”)
▫ Important under the 2011 UK Bribery Act guidance and the 2012
DoJ FCPA guidance
What a risk assessment
should do: some specifics
• Determine whether additional C&E policies are needed
for any given part of the company (e.g., business or
geographical unit) on any given topic, or the extent to
which such policies need to be revised
• Develop company-specific examples or Q&A that can
help make a code of conduct less abstract
• Determine whether any additional C&E communications
(training or other) should be targeted at any particular
part of the company on any given topic
• Develop/enhance C&E audit protocols, monitoring tools
and other approaches to “checking” on both an
enterprise-wide and local “level”
▫ Side note: monitoring is an area of widespread C&E
underperformance
What a risk assessment
should do (cont.)
• Identify C&E risks for which additional controls are
warranted, such as pre-approvals by management or
staff for specified (high-risk) activities
• Establish additional C&E oversight/reporting
responsibilities for high-risk areas
• Add C&E components to job descriptions, performance-evaluation
criteria or business unit plans in a risk-based way
• Determine whether incentives in any part of the
Company pose an undue risk from a C&E perspective
• Assess where/how the C&E program should apply to
contractors, vendors, other third parties
What a risk assessment
should do (cont.)
• Design/revise program efficacy metrics
• Identify true ethics, as well as compliance, issues
that the Program should address
• Identify cultural C&E risks, such as lack of employee
identification with the company or its mission,
short-term thinking or other “moral hazard” related
risks
• Provide a stronger foundation for the Program
oversight by the Board
• Provide a basis for future (or “evergreen”) risk
assessments
What a risk assessment
should do: some generalities
• Educate key people in your company
• Set boundaries of your program
• Maintain program momentum
Risk assessment as education
• Interviews of business leaders/key staff can be
educational because:
▫ The questions/instructions themselves offer
embedded learning about how C&E risk works
▫ Providing answers gets interviewees to think about
how the program is relevant to them
▫ Helps make interviewees risk sentinels
• Surveys – generally less useful for determining what the
risks are than for educating senior personnel as to
the need for the program
▫ But the latter can be crucial in some instances
Risk assessment as education (cont.)
• The risk assessment report
▫ A full report is itself helpful from educational
perspective
 E.g., report should provide framework for assessing
risks, not just findings
▫ This augurs in favor of reasonably wide
“readership”
 But need to consider the approach vis a vis attorney-client privilege
 Recent case on investigations underscores the need
not to take privilege for granted in C&E work
Setting C&E program boundaries
• Important because
▫ Initial “rough cut” in establishing program may
not have been optimum
▫ Risks change – so should program boundaries
▫ Progression of a healthy C&E function is to
expand both
 Outwardly – greater scope of risks
 Example: human rights and C&E
 Inwardly (i.e., deeper) – penetration by business,
staff or geographic unit (or even project)
Issue of program momentum
• Many programs were result of the C&E “Big
Bang” (Enron/Worldcom, S-Ox, revised
Sentencing Guidelines)
• Many are susceptible to the “mission
accomplished” fallacy
• A good risk assessment helps fend that off by
▫ Providing education – as to the why, what, how,
when and where of C&E
▫ Outward/inward expansion
▫ Being otherwise dynamic
“Inward” expansion: the
importance of granularity
• C&E risks are often more local than global
▫ Need is for “nano compliance”
• How to address this: use a 3-D approach
• What are the dimensions?
▫ Geography and/or product/service
▫ Type of risk (e.g., bid rigging)
▫ Mitigation tool:
 if in place, how useful?
 if not, how needed?
▫ A great use for technology (for complex organizations)
Examples of 3-D approach
• For your operations in Vietnam:
▫ What are corruption risks?
▫ What is present mitigation using
training/communications?
 Is it effective? Is more/different needed?
• For a given product line
▫ What are risks of competition law violation?
▫ What is present mitigation using auditing?
 Is it effective? Is more/different needed?
3-D examples (cont.)
• For human resources department
▫ What are risks of a privacy violation?
▫ What are our controls?
 Are they effective?
 Do we need something more/different?
 Do they need to vary by geography?
3-D approach:
geographic dimension
• Can be whatever size of geography makes sense for
the organization in question
▫ Region
▫ Nation
▫ Location
• Product and/or service line and/or staff unit
▫ As an alternative to this dimension, or
▫ Combined with geographic (for 4-D approach)
3-D approach: risk areas
• These are types of violations
• Start with those in your code
▫ But need to consider right level of specificity
 E.g., not just competition law but horizontal restraints,
vertical restraints, etc.
• Add others you know about from whatever source
▫ Interviews
▫ External sources (e.g., industry groups)
• There is a list in my e-book:
http://www.corporatecomplianceinsights.com/wp-content/uploads/2013/12/CCI-Compliance-and-Ethics-Risk-Assessment-Final-Dec-30-PDF.pdf
More on 3-D approach: C&E tools
• Not all of them – only those that are risk
sensitive
• Generally 5 types
▫ Standards (policies typically)
▫ Training/communication
▫ Auditing/monitoring/other forms of checking
▫ Internal controls (e.g., required pre-approvals)
▫ Accountabilities (which includes incentives)
• Others (e.g., investigations, hotlines) are not risk
area specific (for the most part)
3-D risk assessment in practice
• No one would ever explore risks/mitigation at
every intersection
• Idea is to
▫ Look at a category of risk; and
▫ Ask if there are any high-risk variants; and
▫ For those, see what the mitigation is/should be
• I.e., it is largely handled on an exception basis
Methodology for risk identification
• Applies both generally and to individual risk
areas
▫ Very relevant to the “why” of risk assessment
• Historical information, meaning:
▫ Prior C&E violations or near misses at your
company
▫ Prior C&E violations or near misses at other
companies in your company’s areas of business, to the
extent that such are known
Substance of methodology (cont.)
• Other factors, including:
▫ Organizational culture (not necessarily uniform)
 Organizational justice
 Openness
 Workforce alignment with company
 Honesty
 Treatment of C&E and other control staff
 Internal/external
 Exhaustion
 Short-term thinking
▫ Other cultural factors
 Industry (external pressure, customs)
 Regional
Substance of methodology (cont.)
• The extent to which legal or ethical standards
might not be sufficiently understood or
appreciated at the company
• The extent of “temptation”
▫ Vis a vis the risk area
▫ Or just generally (overall incentive approaches)
• Control issues, including those arising from
organizational structure
Substance of methodology:
offense related
• Need to look closely at risk causing factors
specific to types of offenses
• E.g., for insider trading:
▫ How often does the company have material nonpublic info vis a vis
its own securities, e.g., does it have a lot of significant “events”?
▫ How often does it have such info re: third parties?
▫ How many employees/agents have access to such
information?
Substance – offense related (cont.)
• Competition law
▫ Issues are often product/service specific
 Concentration in the market
 Pressure in the market
▫ History can be particularly relevant here
▫ Industry cultures can be strong where there is a lot
of inter-company mobility
▫ Sometimes lack of understanding is, too
▫ So are controls (pricing, bidding discretion)
Corruption risk
• UKBA guidance identifies types of risk to be assessed:
▫ Country
▫ Sector
▫ Transaction
▫ Business Opportunity
▫ Business Partnership
• Also, need to assess risk in light of general
factors (similar to ones discussed earlier, e.g.,
training deficiencies)
Substance of methodology:
enforcement related
• Increasingly important as enforcement trends
continue upward
• Consider the “demand side” – governments’ need
for revenue, and where enforcement can produce
substantial revenue
▫ E.g., competition law, tax
▫ Relevant to both likelihood and impact of risk
• Consider “pre-enforcement” declarations of intent
by government
▫ E.g., financial reporting warnings by SEC two years
before Enron
Questions