Monday, March 1, 2021
Corporate Compliance Insights
DOJ’s Risk Assessment Expectations in “Evaluation of Corporate Compliance Programs”

Pointers for Compliance Practitioners

by Jeff Kaplan
May 8, 2019
in Featured, Risk
Kaplan & Walker’s Jeff Kaplan discusses the Department of Justice’s recent updates to its guidelines for evaluating the effectiveness of corporate compliance programs in the context of an investigation.


Editor’s note: Later this month CCI will publish the second and expanded edition of Jeff Kaplan’s popular e-book Compliance & Ethics Risk Assessment: Concepts, Methods and New Directions. Today’s post is excerpted from that volume.


When the original Federal Sentencing Guidelines for Organizations (“the Sentencing Guidelines”) were issued in 1991, there was no mention in them of risk assessment as part of compliance programs. It was not until the Sentencing Guidelines were amended in 2004 that this striking omission was remedied. But even then, risk assessment had not fully “arrived,” as some of the early compliance program requirements in FCPA settlements failed to include a risk assessment component.

Today, of course, risk assessment is front and center in governmental compliance program expectations. This is evident in the Justice Department’s recently published guidance Evaluation of Corporate Compliance Programs (“the Evaluation”).

This post reviews the Evaluation’s discussion of risk assessment. It also offers some practice pointers for meeting those expectations.

First, the Evaluation notes: “Prosecutors should consider whether the program is appropriately ‘designed to detect the particular types of misconduct most likely to occur in a particular corporation’s line of business’ and ‘complex regulatory environment.’ ([Justice Manual] 9-28.800) For example, prosecutors should consider whether the company has analyzed and addressed the varying risks presented by, among other factors, the location of its operations; the industry sector; the competitiveness of the market; the regulatory landscape; potential clients and business partners; transactions with foreign governments; payments to foreign officials; use of third parties; gifts, travel and entertainment expenses; and charitable and political donations.”

Practice Pointer: The list of risk factors – while excellent – is heavily weighted to corruption compliance. Different factors need to be applied to assessing other risks, such as protection of confidential information, conflicts of interest and consumer fraud. For instance, one of the risk factors regarding protection of confidential information is whether the company, its competitors and other parties with which it deals have any information “worth stealing.” And a risk factor for fraud is the extent to which successful misrepresentation regarding a product or service is even possible, given the nature of the business in question.

The Evaluation next provides that “prosecutors should also consider ‘[t]he effectiveness of the company’s risk assessment and the manner in which the company’s compliance program has been tailored based on that risk assessment’ and whether its criteria are ‘periodically updated.’ (See, e.g., [Justice Manual] 9-47-120(2)(c); [Sentencing Guidelines] § 8B2.1(c) (‘the organization shall periodically assess the risk of criminal conduct and shall take appropriate steps to design, implement or modify each requirement [of the compliance program] to reduce the risk of criminal conduct’).”

The Evaluation further provides: “prosecutors may credit the quality and effectiveness of a risk-based compliance program that devotes appropriate attention and resources to high-risk transactions, even if it fails to prevent an infraction in a low-risk area.”

Practice Pointer: Compliance officers should make their boards and senior management aware that violations in low-risk areas may – given the right risk assessment process – be treated with some degree of leniency. This is a very compelling reason to conduct a risk assessment.

Risk assessment results should be used to strengthen all aspects of a compliance program. Many companies use this information for audit prioritization and training selection, but not other purposes.

The Evaluation next provides that “prosecutors should therefore consider, as an indicator of risk-tailoring, revisions to corporate compliance programs in light of lessons learned.” ([Justice Manual] 9-28.800) Additionally, it directs prosecutors to ask the following:

“Risk Management Process – What methodology has the company used to identify, analyze and address the particular risks it faces? What information or metrics has the company collected and used to help detect the type of misconduct in question? How have the information or metrics informed the company’s compliance program?

Risk-Tailored Resource Allocation – Does the company devote a disproportionate amount of time to policing low-risk areas instead of high-risk areas, such as questionable payments to third-party consultants, suspicious trading activity or excessive discounts to resellers and distributors? Does the company give greater scrutiny, as warranted, to high-risk transactions (for instance, a large-dollar contract with a government agency in a high-risk country) than more modest and routine hospitality and entertainment?

Updates and Revisions – Is the risk assessment current and subject to periodic review? Have there been any updates to policies and procedures in light of lessons learned? Do these updates account for risks discovered through misconduct or other problems with the compliance program?”

Practice Pointer: As part of their risk assessment governance/management document(s), companies should:

  • describe the formal risk assessment process;
  • have a process for capturing the informal risk assessment that occurs at virtually all companies (what might be called the “risk assessment of everyday life”);
  • require periodic risk updates – both as to internal sources of risk (e.g., changes to the business) and external ones (e.g., changes to the law);
  • document how risk assessment results are used to update/improve mitigation measures; and
  • document any risk assessment failures, as well as lessons learned and implemented from such failures.

Finally, risk assessments should also have a meaningful methodology. For instance, it is not enough (in my view) simply to ask interviewees about the likelihood of certain types of violations occurring. A methodology should also:

  • give the interviewees a conceptual framework for analyzing risk and
  • identify “risk scenarios” regarding particular circumstances which should be the focus of a high degree of mitigation.

Tags: risk assessment
Jeff Kaplan

Jeffrey M. Kaplan is a partner in the Princeton, New Jersey office of Kaplan & Walker LLP. He has specialized since the early 1990s in the practice of compliance- and ethics-related law, including assisting numerous companies in developing, implementing and reviewing C&E programs and conducting C&E risk assessments. He has also reviewed programs for many official bodies in connection with settlements of enforcement actions. He is the co-author of a C&E legal treatise, author of several e-books — including “Compliance & Ethics Risk Assessment” — and book chapters and many articles on C&E, a frequent speaker at C&E conferences, editor of the Conflict of Interest Blog and formerly an Adjunct Professor of Business Ethics at NYU’s Stern School of Business.

© 2019 Corporate Compliance Insights