Since the 2004 amendments to the Federal Sentencing Guidelines for Organizations moved risk assessments and program assessments from the realm of best practice to what can be seen as the territory of de facto requirements, there has been a fair bit of confusion regarding the distinctions between these two C&E program components.
In principle, a C&E risk assessment helps an organization understand not only what its risks are, but how to mitigate them. A program assessment, of course, tells the company how well the program is functioning. So a risk assessment can be seen as more design-oriented, while a program assessment has more of an operational focus.
But in practice, the two overlap because one cannot assess risks without understanding how well a C&E program is mitigating them (i.e., the concept of “net risk”) and one cannot measure program efficacy without meaningful reference to an organization’s C&E risks. Moreover, some program measures will clearly serve both risk and program assessment purposes. For instance, C&E-related questions on employee surveys (e.g., whether the respondent agrees with the statement, “My manager acts with integrity”) can be useful both for program assessment purposes (that is, assessing how well the program is impacting behavior) and also risk assessment ones (that is, variations in responses among business units and/or geographies can help an organization determine where its risks are, and hence where additional C&E measures – such as training or auditing – are warranted).
Further blurring these lines, some organizations conduct what are essentially stand-alone program assessments of discrete risk areas. While this would not be warranted for all risk areas of significance, it does make sense for anti-corruption compliance – at least for some organizations – and perhaps several other areas (competition law and trade compliance, among others).
A final part of this mix: a program assessment should always include review of the risk assessment function (and sometimes it works the other way, too). Among other things, this typically entails examining the following:
- The extent to which there is a defined C&E risk assessment process with a logical methodology.
- The breadth of C&E inputs (and note that in my view, a typical ERM survey of employees by itself is only a start in this direction).
- The depth of the C&E inputs (e.g., whether the personnel who provide information on risks are, either by virtue of their day-to-day work or through preparation for the interviews, sufficiently informed for that information to be meaningful to the risk assessment process).
Finally, a key question in this area – and for many companies, a major stumbling block – is whether the results of the risk assessments are used to a sufficient degree to design and enhance the various elements of the program (and not just the obvious ones, like training and auditing). In other words, to be effective, a risk assessment should provide “news you can use” in making other parts of your program effective.