Another mechanism to facilitate continuous improve comes from ideas around risk assessments. Both the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) make clear the need for a risk assessment to inform your compliance program. I believe that most, if not all CCOs and compliance practitioners understand this well-articulated need. The FCPA Guidance could not have been clearer when it stated, “Assessment of risk is fundamental to developing a strong compliance program, and is another factor DOJ and SEC evaluate when assessing a company’s compliance program.” While many compliance practitioners have difficulty getting their collective arms about what is required for a risk assessment and then how precisely to use it; the FCPA Guidance makes clear there is no ‘one size fits all’ for about anything in an effective compliance program. 

One type of risk assessment can consist of a full-blown, worldwide exercise, where teams of lawyers and fiscal consultants travel around the globe, interviewing and auditing. Of course, this can be a notoriously expense exercise. However, if there is one thing that I learned as a lawyer, which also applies to the compliance field, it is that you are only limited by your imagination. So using the FCPA Guidance’s no ‘one size fits all’ proscription, I would submit that is also true for risk assessments. You might try assessing other areas annually, through a more limited focused risk assessment, literally while staying at your desk and not traveling away from your corporate headquarters. 

The idea comes from Jan Farley, the Chief Compliance Officer at Dresser-Rand and he calls it the ‘Desktop Risk Assessment’. I think it is an excellent tool for continuous improvement. Moreover, it is a tool you can employ at little to no cost by you or your compliance team and on an ongoing basis. It is something you can use as often as quarterly, semi-annually or annually. Some of the areas that such a Desktop Risk Assessment could inquire into might be the following: 

• Are resources adequate to sustain a culture of compliance?
• How are the risks in the C-Suite and the Boardroom being addressed?
• What are the FCPA risks related to the supply chain?
• How is risk being examined and due diligence performed at the vendor/agent level? How is such risk being managed?
• Is the documentation adequate to support the program for regulatory purposes?
• Is culture, attitude (tone from the top), and knowledge measured? If yes, can we use the information enhance the program?
• Disciplinary guidelines – Do they exist and has anyone been terminated or disciplined for a violating policy?
• Communication of information and findings - Are escalation protocols appropriate?
• What are the opportunities to improve compliance? 

There are a variety of materials that you can review from or at a company that can facilitate such a Desktop Risk Assessment. You can review your company’s policies and written guidelines by reviewing anti-corruption compliance policies, guidelines, and procedures to ensure that compliance programs are tailored to address specific risks such as gifts, hospitality and entertainment, travel, political and charitable donations, and promotional activities. 

This list is not intended to be a complete list of items, you can pick and choose to form some type of Desktop Risk Assessment but hopefully you can see some of the areas you can assess. My suggestion is that you try identifying and focusing on core compliance components in your organization. Obviously there are probably a million things you could fix. However, you cannot fix everything, so you must make a decision about your primacies, and then act on them. A Desktop Risk Assessment may well help you to do so. 

If you perform an annual Desktop Risk Assessment with a full worldwide risk assessment every two years or so, you should be in a good position to keep abreast of compliance issues that may change and need more or greater risk management. Do not forget that the FCPA Guidance ends its section on risk with the following, “When assessing a company’s compliance program, DOJ and SEC take into account whether and to what degree a company analyzes and addresses the particular risks it faces.” By using the Desktop Risk Assessment, you can answer any regulator who asks what have you done to manage the risks in your company, by using the resources and tools that were available to you. 

Three Key Takeaways 

1. As a compliance professional you are only limited by your imagination.
2. Use the Desktop Risk Assessment to supplement the full Risk Assessment, performed biennially.
3. You must remediate as appropriate.

For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit this month’s sponsor Affiliated Monitors at www.affiliatedmonitors.com.