Friday, March 5, 2021
Corporate Compliance Insights
Scoping Out Your Program/Risk Assessment

by Jeff Kaplan
January 8, 2015
in Risk
At the PLI Advanced Compliance & Ethics Workshop in NYC in October, Scott Killingsworth of the Bryan Cave law firm noted that each risk assessment should be unique. I agree, and I believe that the case for uniqueness is even more powerful for the combined program and risk assessments that companies sometimes undertake. Given the diversity of possibilities, where should you start in scoping out such an engagement? Another way of asking this question is “How should you conduct a needs assessment for a program/risk assessment?”

To begin, it may be worth thinking in terms of the following six fields of information, which can comprise the subjects of an assessment:

  1. Program assessment: tools/elements that many employees have information/views about. Examples include C&E training and the helpline.
  2. Program assessment: tools/elements that relatively few employees have information/views about. Examples include monitoring approaches and pre-hiring due diligence.
  3. Risk assessment: risk areas that are the primary responsibility of the C&E office and that are both broad (meaning they touch many employees) and deep (meaning they have a potentially high impact). Examples – at least in some companies – include corruption, competition law and possibly fraud.
  4. Risk assessment: risk areas that are the primary responsibility of the C&E office but are not so broad and/or deep. In some companies, conflicts of interest (often broad, but not that deep) or insider trading (deep, but not typically that broad) fit into this category.
  5. Risk assessment: risk areas that may be broad and deep, but that are the primary responsibility of another function at the company. In some companies, trade compliance or employment law would fit this bill.
  6. Culture assessment (which is relevant to both program and risk assessment, but for planning purposes generally should be viewed as its own effort): factors that could impact both the degree of risk and the efficacy of the program. Examples include tone at the top, accountability, openness of communication and alignment of rewards with stated C&E values.

Second, for each of the six fields, consider what the assessment need actually is for your company. For instance, for corruption (in group 3), companies that, because of the nature or locations of their business, likely have a high risk presumably will want to follow applicable law enforcement expectations (e.g., the discussion in the 2012 DOJ/SEC resource guide on risk assessment and program components), and questions tracking these can and should take up a significant portion of total interview/document review time. But for risk areas that are largely the province of other functions (meaning those in group 5), one might have a narrower gauge of inquiry in the interviews/document reviews, at least if such functions have already conducted some form of targeted assessment(s) regarding these risks. And the extent of questioning/document reviews about risks in group 4 will depend on a variety of factors (e.g., the extent of that part of the assessment regarding confidential information will depend partly on how important such information is to a company).

Program assessment needs also might vary in many ways. For instance, getting a wide array of feedback on training (in group 1) will make sense if you are considering overhauling your training. Additionally, a report that is going to the Board of Directors or is expected to be reviewed by the government generally should be the subject of greater overall effort – especially in the culture part (group 6) – than an assessment that is undertaken merely as part of a regular C&E “check-up.” Moreover, for the program, risk and culture assessment components, the need might vary by different lines of business or geographies within a company. Also, for some assessment topics, the extent to which one is measuring risk areas versus program tools tends to blur. The emerging area of compliance monitoring (group 2) often falls into that category.

Finally, taking into account the results of this needs analysis, one should seek to identify which employees are likely to have relevant information for each of these six fields and then use that to develop a list of interviewees who can get you all that you need for each of the various aspects of an assessment. Assuming time and budget are not unlimited, identifying individuals who can speak to multiple topics is an obvious plus. Similarly, one should use this framework to identify and obtain pre-existing materials relevant to each group. Examples include reports of prior C&E audits/reviews; relevant sections of employee engagement surveys; training feedback; and, to a lesser extent, prior results of ERM efforts.

Jeff Kaplan

Jeffrey M. Kaplan is a partner in the Princeton, New Jersey office of Kaplan & Walker LLP. He has specialized since the early 1990s in the practice of compliance- and ethics-related law, including assisting numerous companies in developing, implementing and reviewing C&E programs and conducting C&E risk assessments. He has also reviewed programs for many official bodies in connection with settlements of enforcement actions. He is the co-author of a C&E legal treatise, author of several e-books — including “Compliance & Ethics Risk Assessment” — and book chapters and many articles on C&E, a frequent speaker at C&E conferences, editor of the Conflict of Interest Blog and formerly an Adjunct Professor of Business Ethics at NYU’s Stern School of Business.
© 2019 Corporate Compliance Insights