Farewell to Mr. Spock and Risk Assessment Under COSO

Leonard Nimoy died last Friday. He will be forever associated with the role of Mr. Spock in the original Star Trek television show which premiered in 1966. The original series ran for only three years but had a full life in syndication up through this day. He also reprised the role in six movies featuring the crew of the original series and in the recent reboot.

Mr. Spock was about a personal character for me as I ever saw on television. For a boy going through the insanity of adolescence and the early teen years, I found Mr. Spock and his focus on logic as a way to think about things. He pursued this path while dealing with his half human side, which compelled emotions. This focus also led me to explore Mediations by Marcus Aurelius. But more than simply logic and being a tortured soul, Mr. Spock and his way looking at things and Star Trek with its reach for the stars ethos inspired me when it came out and still does to this day.

Mr. Spock and his pursuit of logic inform today’s blog post. Every compliance practitioner is aware of the need for a risk assessment in any best practices compliance program; whether that program is based on the US Foreign Corrupt Practices Act (FCPA), UK Bribery Act or some other compliance law or regime. While the category of risk assessment is listed as Number 3 in the Ten Hallmarks of an Effective Compliance Program in the FCPA Guidance, both the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) intone that your compliance journey begins with a risk assessment for two basic reasons. The first is that you must know the corruption risks your company faces and second, a risk assessment is your road map going forward to manage those risks.

Interestingly Risk Assessment is the second objective in the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Cube. In its volume entitled “Internal Control – Integrated Framework”, herein ‘the Framework Volume’, it recognizes that “every entity faces a variety of risks from external and internal sources.” This objective is designed to provide a company with a “dynamic and iterative process for identifying and assessing risks.” For the compliance practitioner none of this will sound new or even insightful, however the COSO Framework requires a component of management input and oversight that was perhaps not as well understood. The Framework Volume says that “Management specifies objectives within the category relating to operations, reporting and compliance with such clarity to be able to identify and analyze risks to those objectives.” But management’s role continues throughout the process as it must consider both internal and external changes which can effect or change risk “that may render internal controls ineffective.” This final requirement is also important for any anti-corruption compliance internal control. Changes are coming quite quickly in the realm of anti-corruption laws and their enforcement. Management needs to be cognizant of these changes and changes that its business model may make in the delivery of goods or services which could increase risk of running afoul of these laws.

The objective of Risk Assessment consists of four principles. They are:

Principle 6 – “The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to the objectives.”

Principle 7 – “The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.”

Principle 8 – “The organization considers the potential for fraud in assessment risks to the achievement of objectives.”

Principle 9 – “The organization identifies and assesses changes that could significantly impact the system of internal control.”

Principle 6 – Suitable Objectives

Your risk analysis should always relate to stated objectives. As noted in the Framework Volume, it is management who is responsible for setting the objectives. Rittenberg explained, “Too often, an organization starts with a list of risks instead of considering what objectives are threatened by the risk, and then what control activities or other actions it needs to take.” In other words your objectives should form the basis on which your risk assessments are approached.

Principle 7 – Identifies and Analyzes Risk

Risk identification should be an ongoing process. While it should begin at senior management, Rittenberg believes that even though a risk assessment may originate at the top of an organization or even in an operating function, “the key is that an overall process exists to determine how risks are identified and managed across the entity.” You need to avoid siloed risks at all costs. The Framework Volume cautions that “Risk identification must be comprehensive.”

Principle 8 – Fraud Risk

Every compliance practitioner should understand that fraud exists in every organization. Moreover, the monies that must be generated to pay bribes can come from what may be characterized as traditional fraud schemes, such as employee expense account fraud, fraudulent third party contracting and payments and even fraudulent over-charging and pocketing of the differences in sales price. This means that is should be considered as an important risk analysis. It is important that any company follow the flow of money and if the Fraud Triangle is present, management be placed around such risk.

Principle 9 – Identifies and Analyzes Significant Change

It really is true that if there is one constant in business, it is that there will always be change. The Framework Volume states, “every entity will require a process to identify and assess those internal and external factors that significantly affect its ability to achieve its objectives. Rittenberg intones that companies “should have a formal process to identify significant changes, both internal and external, and assess the risks and approaches to mitigate the risk” in a timely manner.

Today’s blog post is a tribute to Mr. Spock as he, Star Trek and its characters continue to teach us lessons which we can apply in business going forward. It is the process of compliance which informs your program going forward. A risk assessment is recognized by sources as diverse as the DOJ, SEC and COSO as a necessary step. Just as Mr. Spock, the Science Officer onboard the Enterprise, was required to assess the risk to the ship and crew from a scientific perspective, a risk assessment can give you the tools to not only assess the corruption compliance risk to your company but a road map to managing that risk. So farewell to my long time friend Mr. Spock, you gave to me more than I ever gave back to you. I can think of no more fitting tribute to Spock than to say Live Long and Prosper.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015