Since the 2004 amendments to the Federal Sentencing Guidelines for Organizations moved risk assessments and program assessments from the realm of best practice to what can be seen as the territory of de facto requirements, there has been a fair bit of confusion regarding the distinctions between these two C&E program components.
In principle, a C&E risk assessment helps an organization understand not only what its risks are, but how to mitigate them. A program assessment, of course, tells the company how well the program is functioning. So, risk assessment can be seen as more design oriented, and a program assessment has more of an operational focus.
But in practice, the two overlap because one cannot assess risks without understanding how well a C&E program is mitigating them (i.e., the concept of “net risk”) and one cannot measure program efficacy without meaningful reference to an organization’s C&E risks. Moreover, some program measures will clearly serve both risk and program assessment purposes. For instance, C&E-related questions on employee surveys (e.g., whether the respondent agrees with the statement, “My manager acts with integrity”) can be useful both for program assessment purposes (that is, assessing how well the program is impacting behavior) and also risk assessment ones (that is, variations in responses among business units and/or geographies can help an organization determine where its risks are, and hence where additional C&E measures – such as training or auditing – are warranted).
Further blurring these lines, some organizations conduct what are essentially stand-alone program assessments of discrete risk areas. While this would not be warranted for all risk areas of significance, it does make sense for anti-corruption compliance – at least for some organizations – and perhaps several other areas (competition law and trade compliance, among others).
A final part of this mix: a program assessment should always include review of the risk assessment function (and sometimes it works the other way, too). Among other things, this typically entails examining the following:
Finally, a key question in this area – and for many companies, a major stumbling block – is whether the results of the risk assessments are used to a sufficient degree to design and enhance the various elements of the program (and not just the obvious ones, like training and auditing). In other words, to be effective, a risk assessment should provide “news you can use” in making other parts of your program effective.
Jeffrey Kaplan, a partner in the Princeton, New Jersey office of Kaplan & Walker LLP, has practiced law in the compliance and ethics field since the early 1990s.
Mr. Kaplan is also former adjunct professor of business ethics at NYU’s Stern School of Business, co-editor (with Joseph Murphy) of Compliance Programs and the Corporate Sentencing Guidelines (West Thomson), former counsel to the Ethics and Compliance Officer Association and co-author of a study by the Conference Board on the use of compliance and ethics program criteria in government enforcement decisions.