Kaplan & Walker’s Jeff Kaplan discusses the Department of Justice’s recent updates to its guidelines for evaluating the effectiveness of corporate compliance programs in the context of an investigation.
Editor’s note. Later this month CCI will publish the second and expanded edition of Jeff Kaplan’s popular e-book Compliance & Ethics Risk Assessment: Concepts, Methods and New Directions. Today’s post is excerpted from that volume.
When the original Federal Sentencing Guidelines for Organizations (“the Sentencing Guidelines”) were issued in 1991, there was no mention in them of risk assessment as part of compliance programs. It was not until the Sentencing Guidelines were amended in 2004 that this striking omission was remedied. But even then, risk assessment had not fully “arrived,” as some of the early compliance program requirements in FCPA settlements failed to include a risk assessment component.
Today, of course, risk assessment is front and center in governmental compliance program expectations. This is evident in the Justice Department’s recently published guidance Evaluation of Corporate Compliance Programs (“the Evaluation”).
This post reviews the Evaluation’s discussion of risk assessment. It also offers some practice pointers for meeting those expectations.
First, the Evaluation notes: “Prosecutors should consider whether the program is appropriately ‘designed to detect the particular types of misconduct most likely to occur in a particular corporation’s line of business’ and ‘complex regulatory environment.’ ([Justice Manual] 9-28.800) For example, prosecutors should consider whether the company has analyzed and addressed the varying risks presented by, among other factors, the location of its operations; the industry sector; the competitiveness of the market; the regulatory landscape; potential clients and business partners; transactions with foreign governments; payments to foreign officials; use of third parties; gifts, travel and entertainment expenses; and charitable and political donations.”
Practice Pointer: The list of risk factors – while excellent – is heavily weighted toward corruption compliance. Different factors need to be applied to assess other risks, such as protection of confidential information, conflicts of interest and consumer fraud. For instance, one of the risk factors regarding protection of confidential information is whether the company, its competitors and other parties with which it deals have any information “worth stealing.” And a risk factor for fraud is the extent to which successful misrepresentation regarding a product or service is even possible, given the nature of the business in question.
The Evaluation next provides that “prosecutors should also consider ‘[t]he effectiveness of the company’s risk assessment and the manner in which the company’s compliance program has been tailored based on that risk assessment’ and whether its criteria are ‘periodically updated.’ (See, e.g., [Justice Manual] 9-47.120(2)(c); [Sentencing Guidelines] § 8B2.1(c) (‘the organization shall periodically assess the risk of criminal conduct and shall take appropriate steps to design, implement or modify each requirement [of the compliance program] to reduce the risk of criminal conduct’).”
The Evaluation further provides: “prosecutors may credit the quality and effectiveness of a risk-based compliance program that devotes appropriate attention and resources to high-risk transactions, even if it fails to prevent an infraction in a low-risk area.”
Practice Pointer: Compliance officers should make their boards and senior management aware that violations in low-risk areas may – given the right risk assessment process – be treated with some degree of leniency. This is a very compelling reason to conduct a risk assessment.
Risk assessment results should be used to strengthen all aspects of a compliance program. Many companies use this information for audit prioritization and training selection, but not other purposes.
The Evaluation next provides that “‘prosecutors should therefore consider, as an indicator of risk-tailoring, revisions to corporate compliance programs in light of lessons learned.’” ([Justice Manual] 9-28.800) Additionally, it directs prosecutors to ask the following:
- “Risk Management Process – What methodology has the company used to identify, analyze and address the particular risks it faces? What information or metrics has the company collected and used to help detect the type of misconduct in question? How have the information or metrics informed the company’s compliance program?
- Risk-Tailored Resource Allocation – Does the company devote a disproportionate amount of time to policing low-risk areas instead of high-risk areas, such as questionable payments to third-party consultants, suspicious trading activity or excessive discounts to resellers and distributors? Does the company give greater scrutiny, as warranted, to high-risk transactions (for instance, a large-dollar contract with a government agency in a high-risk country) than more modest and routine hospitality and entertainment?
- Updates and Revisions – Is the risk assessment current and subject to periodic review? Have there been any updates to policies and procedures in light of lessons learned? Do these updates account for risks discovered through misconduct or other problems with the compliance program?”
Practice Pointer: As part of their risk assessment governance/management document(s), companies should:
- describe the formal risk assessment process;
- have a process for capturing the informal risk assessment that occurs at virtually all companies (what might be called the “risk assessment of everyday life”);
- require periodic risk updates – both as to internal sources of risk (e.g., changes to the business) and external ones (e.g., changes to the law);
- document how risk assessment results are used to update/improve mitigation measures; and
- document any risk assessment failures, as well as lessons learned and implemented from such failures.
Finally, risk assessments should also have a meaningful methodology. For instance, it is not enough (in my view) to simply ask interviewees about the likelihood of certain types of violations occurring. A methodology should also:
- give the interviewees a conceptual framework for analyzing risk and
- identify “risk scenarios” regarding particular circumstances which should be the focus of a high degree of mitigation.