One of the best methods of learning about compliance and ethics programs is to review enforcement actions. And some recent actions provide very useful guidance regarding one of the most important elements of any compliance and ethics program: the risk assessment.
I won’t bother naming the companies involved—that only gets me in trouble anyway, and the lessons are clear. Instead, I’ll just describe three of the common themes I’ve noticed in reviewing several recent cases.
First, regulators want us to do more than simply identify a broad category of compliance risk. They want us to break each risk down into subcategories, such as geographic location, type of customer, and type of product or service. Taking this more granular approach to a risk refines an organization’s ability to identify additional factors that are associated with a risk, which helps in the development of a risk response.
Next, we should be retaining appropriate levels of supporting documentation for our risk assessments. Too often, once the risk assessment is completed, the only record kept is the final work product and perhaps some reporting associated with the assessment, often limited to a description of the process used. Regulators want to see more backup for how conclusions were reached in the assessment, from how we determined impact and likelihood, to other important information and data used in the assessment.
Finally, another common theme seems to be a reminder that the risk assessment methodology and process should be periodically subject to an independent evaluation. We often think of auditing in the context of specific risk areas. But there is a broader element to auditing as well, where the focus should be on auditing the compliance and ethics program itself. The U.S. Sentencing Guidelines remind us that we should “evaluate periodically the effectiveness of the organization’s compliance and ethics program.” [1] This includes an evaluation of the risk assessment process, with a goal of continually making improvements.
I’ve chosen to focus on the risk assessment process in this column, simply because it’s what I noticed most in some recent enforcement actions. But reviewing enforcement actions on an ongoing basis can provide direction for assessing the effectiveness of all the elements of your compliance and ethics programs. And the orders can also provide you with some additional support for the resources you’ll likely be requesting.
[1] USSG § 8B2.1(b)(5)(B).