How to Perform a Risk Assessment
One cannot really say enough about risk assessments in the context of an anti-corruption program. Since at least 1999, in the Metcalf & Eddy enforcement action, the DOJ has said that a risk assessment which measures the likelihood and severity of possible FCPA violations is the means by which you should direct your resources to manage those risks. The 2012 FCPA Guidance stated it succinctly: “Assessment of risk is fundamental to developing a strong compliance program, and is another factor DOJ and SEC evaluate when assessing a company’s compliance program.”
This language was supplemented in 2017 in both the Evaluation and the new FCPA Corporate Enforcement Policy. Under Prong 4 of the Evaluation, Risk Assessments, the following issues were raised:
Risk Management Process – What methodology has the company used to identify, analyze, and address the particular risks it faced?
Manifested Risks – How has the company’s risk assessment process accounted for manifested risks?
The FCPA Corporate Enforcement Policy stated that prosecutors would consider “The effectiveness of the company’s risk assessment and the manner in which the company’s compliance program has been tailored based on that risk assessment”.
What Should You Assess?
How Do You Evaluate a Risk Assessment?
LIKELIHOOD
Likelihood Rating | Assessment | Evaluation Criteria |
1 | Almost Certain | Highly likely; this event is expected to occur |
2 | Likely | Strong possibility that the event will occur, and there is sufficient historical incidence to support it |
3 | Possible | Event may occur at some point; typically there is a history to support it |
4 | Unlikely | Not expected, but there is a slight possibility that it may occur |
5 | Rare | Highly unlikely, but may occur in unique circumstances |
‘Likelihood’ factors to consider: the existence of controls, written policies and procedures designed to mitigate risk; the capability of leadership to recognize and prevent a compliance breakdown; compliance failures or near misses; training and awareness programs.
PRIORITY
Priority Rating | Assessment | Evaluation Criteria |
1-2 | Severe | Immediate action is required to address the risk, in addition to inclusion in training and education and audit and monitoring plans |
3-4 | High | Should be proactively monitored and mitigated through inclusion in training and education and audit and monitoring plans |
5-7 | Significant | |
8-14 | Moderate | |
15-19 | Low | Risks at this level should be monitored but do not necessarily pose any serious threat to the organization at the present time. |
20-25 | Trivial | Risks at this level should be monitored but do not necessarily pose any serious threat to the organization at the present time. |
Priority Rating: the product of the ‘likelihood’ and significance ratings reflects the significance of a particular risk within the risk universe. It is not a measure of compliance effectiveness, nor a means to compare efforts, controls or programs against peer groups.
At Timken, the most significant risks with the greatest likelihood of occurring are deemed to be the priority risks. These “Severe” risks become the focus of the audit monitoring plan going forward. A variety of tools can be used to continuously monitor risk going forward. However, you should not forget the human factor. At Timken, one of the methods used by the compliance group to manage such risk is providing employees with substantive training to guard against the most significant risks coming to pass and to keep the key messages fresh and top of mind. The company also produces a risk control summary that succinctly documents the nature of the risk and the actions taken to mitigate it.
To purchase a copy of The Complete Compliance Handbook on Amazon.com click here.