Does your organization apply a Sentencing Guidelines “seven-steps” approach to mitigating all significant areas of C&E risk? Many programs are built on the theory that they will do this, but far fewer actually do it to a meaningful degree.
A useful organizing tool for making an approach of this sort a reality is the implementation of C&E risk plans, along the following lines.
First, the organization should appoint subject matter experts for all risk areas of significance (e.g., corruption, antitrust, IP).
While many companies do establish roles of this sort, the practice pointer here is to implement a written position description for SMEs and use this description for evaluation/compensation purposes.
Second, as part of their defined roles, SMEs should lead or participate in annual risk assessments for their respective areas. While this is also fairly common, the practice pointer here is to focus the SMEs less on estimating the likelihood and impact of a violation generally (both of which are often pretty obvious for given risks) and more on identifying specific points of vulnerability for use in enhancing mitigation measures (e.g., specific products for which collusion with competitors is relatively likely, regulatory offices in a given country where bribes are relatively likely to be extorted).
Third, the planning process should entail using the risk-related information to develop or enhance C&E program elements. The practice pointer here is that the actual “seven steps” framework is not optimal for these purposes, since several of the steps (e.g., investigations, discipline) don’t vary by risk area enough to merit inclusion.
Instead, organizations should consider using this modified list of program elements for risk plans:
In addition to these “risk-variable” program elements, the annual risk plan template could also have an “other” category for those rare instances where tools beyond those listed above are needed for effective mitigation of a given area.
Finally, while the SMEs will typically have the principal role in this process, others – e.g., members of regional C&E committees – should have defined responsibilities in it, too. The practice pointer here is to articulate these duties in program governance documentation (e.g., committee charters) and to audit against them.
Jeffrey Kaplan, a partner in the Princeton, New Jersey office of Kaplan & Walker LLP, has practiced law in the compliance and ethics field since the early 1990’s.
Mr. Kaplan is also a former adjunct professor of business ethics at NYU’s Stern School of Business, co-editor (with Joseph Murphy) of Compliance Programs and the Corporate Sentencing Guidelines (West Thomson), former counsel to the Ethics and Compliance Officer Association and co-author of a study by the Conference Board on the use of compliance and ethics program criteria in government enforcement decisions.