By now, many companies have conducted foundational C&E risk assessments in response to the 2004 revisions to the Federal Sentencing Guidelines for Organizations that established risk assessment as an overarching requirement of an effective C&E program. But risks obviously change over the course of time – both as a general matter, and by “mutating” in the face of newly constructed compliance-related obstacles. Companies developing C&E plans for 2013 may therefore wish to conduct a refresher risk assessment if they have not done so recently.
Indeed, the Sentencing Guidelines speak of the need to assess risk periodically. But official C&E guidance documents are less clear on what a refresher risk assessment should entail, and so here are some considerations on this important but somewhat conceptually challenging topic.
First, one should review the foundational risk assessment and any subsequent refresher assessments to determine what circumstances have changed since those reports were prepared. Risk-related changes can, of course, be either internal (e.g., based on a new business line, a new geographical presence) or external (such as enhanced risk-causing pressures from customers or new scrutiny by enforcement agencies). Determining which of the circumstances originally identified as relevant to risk have since changed can be a good starting place for a risk assessment refresher.
Second, one should review how well identified risks in fact have been mitigated under the company’s current approach. I stress this because the imperative of the Guidelines not only to assess risk but to use the results of the assessment in designing/improving all other parts of a C&E program is itself widely underappreciated. A refresher risk assessment can be a good opportunity to consider this unexciting but very important part of a compliance program. (For more information on assessing identified risks see this post.)
Third, if you have not already done so, use the occasion to conduct a “deep-dive” assessment of substantive areas of high risk. Corruption is the most obvious such area for many companies. However, competition law is – at least for some organizations – also worth focusing on. Indeed, assessing pure ethics risks can be an important part of a refresher process – both to show that a company is serious about ethics, as well as compliance, and also to help identify compliance “risks around the corner.”
Fourth, the assessment can be an occasion to develop in a comprehensive way a more granular understanding of risk, not only with respect to substantive areas of law (like corruption) but also the many parts of a company (including geographical and business units). This approach is discussed in more detail in an earlier posting on “Nano Compliance.”
Finally, and related to the immediately preceding point, the refresher assessment might include detailed review of how a company assesses C&E risks on its “frontier,” meaning with respect to organizations that are not fully under the company’s control but which can still create C&E risk for it. This piece on assessing joint venture risks discusses part of what this sort of effort might entail, although there is obviously much more that could be done in this regard.