FCPAméricas Blog
Best Practices for Conducting Risk Assessments
6.06.2015
A well-designed compliance program starts with a thorough risk assessment. The Resource Guide to the FCPA refers to risk assessments as a factor “fundamental to developing a strong compliance program”. Similarly, the Brazilian regulation on compliance programs sets forth that a risk assessment is one of the elements that will be taken into consideration when authorities evaluate a company’s compliance program. There are certain best practices that companies should consider when conducting risk assessments. This post highlights six.
Decide on assessment scope. A risk assessment can cover a wide range of risks depending on the nature of a company`s activity. From the outset, the professionals involved in conducting the risk assessment should determine which areas to address in the assessment (e.g., anti-corruption, antitrust, environmental, labor). This will be important not only to determining which resources and required expertise are necessary for the assessment but also to guide the assessment. It should be noted that, more and more, companies are conducting risk assessments that cover a broad range of areas.
Recognize that one size does not fit all. As mentioned in the Resource Guide to the FCPA, “one-size-fits-all compliance programs are generally ill-conceived and ineffective”. That is because some of the most relevant risk will vary from one business sector to another or even among companies in the same industry. Assessing risks requires, among other things, knowledge of the company`s business models, internal practices, and places in which it operates and has businesses. At a minimum, a proper risk assessment will involve analysis of relevant materials of the company and interviews.
Obtain relevant materials. An important step of the risk assessment is to gather and review all relevant information of the company that may be helpful to evaluating risk. Examples of documents to be reviewed include: i) company planning documents on current business operations and strategic business plans; they can show, for example, that the company is looking to expand business into markets where there is a high probability of corruption or that local partners will be used in such jurisdictions; ii) compliance policies and procedures; iii) previous risk assessments; iv) internal audit / investigation reports; v) hotline reports; vi) financial management materials; vii) list of third parties used by the company; and, viii) list of main clients. Such reviews can help companies determine their risk profiles and identify existing weaknesses.
Conduct interviews. Interviews are often an important step in a risk assessment as they help identify specific risks of the company. The selection of interviewees will depend upon the scope of the assessment. It will typically focus on operational management, leadership, and, where appropriate, lower level employees. Preferably the interviews should be conducted in-person and on-site. Interviewers may want to discuss, among other things, operational responsibilities and processes, use of third parties, interactions with government officials, and challenges faced and how they are managed.
Consider industry practices. Standards for compliance programs have evolved and will continue to change with new laws and regulatory guidance, as well as with trends in enforcement actions, cases and industry best practices. Given this, companies should be aware of the steps that others in their industries are taking to address risk. Healthcare companies in Latin America, for example, may learn from others in its industry the different ways in which improper conduct may take place as well as local best practices to mitigate risks (see Healthcare Compliance Risks in Latin America here).
Revisit risk assessments. Companies should regularly assess their programs to evaluate effectiveness and identify areas where enhancements might be needed. A good practice is to revisit the risk assessment every few years or whenever risks may increase (e.g., expansion into other countries or lines of business, acquisition of another company).
Ed. Note: FCPAméricas discusses general Latin America risks here and here, and specific risks in Brazil here, in Mexico here, and in Colombia here.
The opinions expressed in this post are those of the author in his or her individual capacity, and do not necessarily represent the views of anyone else, including the entities with which the author is affiliated, the author`s employers, other contributors, FCPAméricas, or its advertisers. The information in the FCPAméricas blog is intended for public discussion and educational purposes only. It is not intended to provide legal advice to its readers and does not create an attorney-client relationship. It does not seek to describe or convey the quality of legal services. FCPAméricas encourages readers to seek qualified legal counsel regarding anti-corruption laws or any other legal issue. FCPAméricas gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to FCPAméricas LLC.
© 2015 FCPAméricas, LLC
Post authored by Carlos Henrique da Silva Ayres, FCPAméricas Contributor
Comments
June 8th, 2015 at 10:16 pm
[…] Tom Fox explains why Americans should care about the FIFA indictment. The FCPAmericas blog lists best practices for conducting risk assessments. Richard Bistrong continues his long interview with […]