Successful compliance rests on successful risk assessments

INTEGRITY BEAT - Henry J. Schumacher - The Freeman

Remember my column on Data Privacy Compliance last week? Remember the risks involved in data breach and the criminal consequences?

Performing effective risk assessments, however, can be a difficult art to master. The very phrase — “compliance risk assessment” — can encompass a wide range of risks: anti-bribery, whistleblower retaliation, data privacy, workplace harassment, anti-competition, product safety, and much more.

What are the risks of poor risk due diligence? What are the risks that compensation schemes will lead sales agents to bribe their way to a performance bonus? What are the risks that internal controls won’t detect bribery payments? That complexity is now a permanent fixture of corporate compliance and risk management programs. More risks will emerge in the future, whether they come from business operations, government regulation, or external forces.

All of this drives the imperative for astute risk assessments—performed with rigor, following an efficient methodology, and embracing flexibility to meet whatever new risk is barreling up the audit committee’s agenda.

Areas to focus on in risk assessment:

Third Parties - to assess the risks around proper due diligence of third parties, the compliance function may need to enlist the procurement or accounting departments; they would have a list of all parties that received payments from the company. In a decentralized enterprise, the IT department may need to help “normalize” data that different divisions collect in different formats.

Employees - the risks associated with your company’s personnel require special attention: if corporate bribery is going to take place, the human element will necessarily be involved. When assessing risks your personnel might pose, you will need, again, to ask the right questions: Who interacts with government officials? Who sells products or gets business? Who controls funds leaving the company? Who is operating in the most corrupt environment? Who is in the best position to detect problems? Grouping the organization’s personnel in this way will allow you to better identify which groups are most exposed, and to what levels of risk. Agents in frequent contact with government officials must be given extra care, as they can receive bribe requests in return for winning business opportunities. Personnel under pressure to make large sales may succumb and cut corners on compliance. Line-level accounting personnel, on the other hand, may be aware of improper payments. Identifying such weaknesses will help put in place a more accurate risk assessment as well as more efficient remedial mechanisms. If you have not yet signed the Integrity Pledge of the Integrity Initiative and gained access to our self-assessment tool, it is high time you did so.

Industries - some industries bear unique features often regarded as “high corruption risks.” Take resource extraction, for example. It has long been considered a high risk area partly due to: (a) the weak governance and rule of law environment in many countries where such resources are found; and (b) the necessity of working with governments at various levels within those countries to obtain the licenses, permits, and concessions necessary to extract these natural resources. In the defense sector (another high risk industry), procurement is generally not conducted as openly and transparently as other types of public procurement, mainly due to the sensitive nature of military material and information. The list of risk-prone industries goes on, which is why you must carefully consider the industry in which your organization operates, to sharpen the focus of your risk assessment.

Geographical Risk - evaluating geographical risk means understanding where you operate, how much business you do in each area, the type of business you conduct in each area, and the level of corruption in that particular area.

Customers - knowing your customer is key to mapping out your risk matrix. If you are delivering services or goods to a public entity, you are dealing with a high-risk customer that could potentially bring your business under the scrutiny of anticorruption laws with global jurisdiction such as the US FCPA or the UK Bribery Act, which prohibit offering and giving bribes to foreign government officials. The coverage of applicable persons is broad and includes government officers and employees, consultants and agents acting on behalf of foreign governments, employees of public international organizations (like the World Bank, ADB or UN), and officials and employees of state-owned enterprises. If your customer does not fall under the definition of foreign officials, you must still consider whether your customer would present any risk, as “private-to-private” bribery is also punishable under certain legislation with global jurisdiction such as the UK Bribery Act and may also be punishable under local law in the country where the crime was committed. For instance, in a given tender or project you should ask whether a potential customer may operate corruptly, whether there is anything suspicious about the tender or project, etc.

In conclusion, risk assessments present compliance professionals with the complicated task of tailoring the assessment of every risk to its specific details. If you need assistance, contact us at the Integrity Initiative Inc. – contact [email protected].
