At the PLI Advanced Compliance & Ethics Workshop in NYC in October, Scott Killingsworth of the Bryan Cave law firm noted that each risk assessment should be unique. I agree, and I believe that the case for uniqueness is even more powerful for the combined program and risk assessments companies sometimes undertake. Given the diversity of possibilities, where should you start in scoping out such an engagement? Another way of asking this question is “How should you conduct a needs assessment for a program/risk assessment?”
To begin, it may be worth thinking in terms of the following six fields of information which can comprise the subjects of an assessment:
- Program assessment: tools/elements that many employees have information/views about. Examples include C&E training and the helpline.
- Program assessment: tools/elements that relatively few employees have information/views about. Examples include monitoring approaches and pre-hiring due diligence.
- Risk assessment: risk areas that are the primary responsibility of the C&E office and that are both broad (meaning they touch many employees) and deep (meaning they have a potentially high impact). Examples – at least in some companies – include corruption, competition law and possibly fraud.
- Risk assessment: risk areas that are the primary responsibility of the C&E office but are not so broad and/or deep. In some companies, conflicts of interest (often broad, but not that deep) or insider trading (deep, but not typically that broad) fit into this category.
- Risk assessment: risk areas that may be broad and deep, but that are the primary responsibility of another function at the company. In some companies, trade compliance or employment law would fit this bill.
- Culture assessment (which is relevant to both program and risk assessment, but for planning purposes generally should be viewed as its own effort): factors that could impact both the degree of risk and the efficacy of the program. Examples include tone at the top, accountability, openness of communication and alignment of rewards with stated C&E values.
Second, for each of the six fields, consider what the assessment need actually is for your company. For instance, for corruption (in group 3), companies that, because of the nature or locations of their business, likely have a high risk presumably will want to follow applicable law enforcement expectations (e.g., the discussion in the 2012 DOJ/SEC resource guide on risk assessment and program components), and questions tracking these can and should take up a significant portion of total interview/document review time. But for risk areas that are largely the province of other functions (meaning those in group 5), one might have a narrower gauge of inquiry in the interviews/document reviews, at least if such functions have already conducted some form of targeted assessment(s) regarding these risks. And the extent of questioning/document reviews about risks in group 4 will depend on a variety of factors (e.g., the extent of that part of the assessment regarding confidential information will depend partly on how important such information is to a company).
Program assessment needs also might vary in many ways. For instance, getting a wide array of feedback on training (in group 1) will make sense if you are considering overhauling your training. Additionally, a report that is going to the Board of Directors or is expected to be reviewed by the government generally should be the subject of greater overall efforts – especially in the culture part (group 6) – than an assessment that is undertaken merely as part of a regular C&E “check-up.” Moreover, for the program, risk and culture assessment components, the need might vary by different lines of business or geographies within a company. Also, for some assessment topics, the extent to which one is measuring risk areas versus program tools tends to blur. The emerging area of compliance monitoring (group 2) often falls into that category.
Finally, taking into account the results of this needs analysis, one should seek to identify which employees are likely to have relevant information for each of these six fields and then use that to develop a list of interviewees that can get you all that you need for each of the various aspects of an assessment. Assuming time and budget are not unlimited, identifying individuals who can speak to multiple topics is an obvious plus. Similarly, one should use this framework to identify and obtain pre-existing materials relevant to each group. Examples include reports of prior C&E audits/reviews; relevant sections of employee engagement surveys; training feedback; and, to a lesser extent, prior results of ERM efforts.