The DOJ Evaluation of Corporate Compliance Programs states:
I continue my exploration of the risk management process by focusing today on risk assessments. One cannot really say enough about the role of risk assessment in compliance programs. Each time you hear a regulator talk about compliance programs, it starts along the lines of you cannot manage your FCPA risk without first determining what your company’s risk is; and to determine that compliance risk, the process you should utilize comes through a risk assessment.
We previously considered forecasting. The differences between forecasting and risk assessment is that risk assessment attempts to consider things which forecasting either did not reliably predict for, or those things which the forecasting models have raised as potential outcomes which could be troubling, critical themes and issues. As Ben Locwin has explained, “What you’re trying to do then is decide on how you would address these. Risk assessments should create your risk registry. Those items which are most consequential for your organization, whatever it happens to be.”
Within the context of an anti-corruption compliance program, you are trying to make adjustments based on the risks of violation of the law, out in the marketplace. For instance, in a compliance forecast, third-party risk should be considered at the top of your ordinal list of risk and you should consider a multitude of factors such as the operating procedures, processes and systems and training. Of course, the execution of that process is a critical component as well.
All these things, to some degree, should appear in a risk assessment for the organization. Meaning, at the corporate level, what happens if you change products or sell into a new geographic area which is perceived to be more high-risk? There should be a risk assessment node which has a component that notes these changes so that you can adapt as necessary. Locwin stated, “The risk assessment itself is designed to be able to elevate these, and if something does happen, the next step would be to take appropriate course of action to address any of those risks.”
An example which illustrates the differences between forecasting and a risk assessment, yet how the two are complimentary. This winter when I began purchasing hot coffee products from Starbuck, as opposed to the cold drinks I buy during the hotter parts of the year, I discovered that baristas’ no longer put sleeves on coffee cups but now require you to ask for one. The second time I had to ask for a sleeve, I inquired from the barista why I had to do so. She replied that corporate had changed the policy for environmental reasons and that she could only provide a sleeve at the specific request of the customer. When I pointed out that it slowed the line down and was much less efficient in the delivery of Starbuck’s coffee, she replied, “You're absolutely right. I hate it. Would you please email Starbucks and tell them of your dissatisfaction?”
I will let Locwin pick it up from here, “what you’ve put your finger on is the crux of the balance of forecasting versus risk assessment. They’re two very different things, but at the same time, as they weave through time, they interchange. For example, Starbucks would potentially say, “We forecast that consumers are going to be more concerned about paper use, sleeves, the economic costs to the world, of extra paper waste and things. We’re going to, in certain locations, let’s say across Texas, we’re going to pilot that we don’t give out sleeves unless they’re asked for.” In their risk assessment, which I can tell you didn’t change from that forecast, what they then should have had was a commensurate line item which said, “If consumers start to have a problem with what’s being done at these locations, our immediate contingency plan is to do the following, to strip it away immediately, full stop, so that every cup gets a sleeve, so that they’re not slowing down lines, consumers say you heard us immediately, and then the organization is back on track.”
Their forecast plans something, the risk assessment should have had countermeasures to address, and instead if they didn’t have this in place, they’re going to have to wait until they start to have a Twitter feed that blows up… The risk assessment model should say, “Then we will do the following.” Really they don’t have the capability in a lot of cases to measure the effect of this and immediately course correct. It’s probably going to be a month, two months, four months before they start to get wind of this in a consistent way to say, “Texas was dissatisfied by this change and same in our pilot in Wisconsin. Let’s stop not giving out sleeves… Then eventually that starts to dissipate and they get rid of this whole new silly paradigm.”
Locwin’s point was that your risk assessment can help to inform your response to FCPA violation, corporate crisis or even (in my opinion) the misstep of requiring Starbucks customers to ask for sleeves for their coffee purchases. In another article by Locwin, entitled “Quality Risk Assessment and Management Strategies for Biopharmaceutical Companies”, he noted, “knowledge is power”. He went on to add, “Once we have assessed risks and determined a process that includes options to resolve and manage those risks whenever appropriate, then we can decide the level of resources with which to prioritize them. There always will be latent risks: those that we understand are there but that we cannot chase forever. But we need to make sure we’ve classified them correctly. With a good understanding of each of these, we’re in a much better position to speak about the quality of our businesses.”
Three Key Takeaways
This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights On Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.