"From ignorance our comfort flows. The only wretched are the wise." These words, written centuries ago by English poet and diplomat Matthew Prior, could be emblazoned on t-shirts worn by the modern-day chief compliance officer. After all, those sitting in corporate C-suites who are ignorant of the ethics and compliance risks their companies face certainly sleep better at night than the CCOs whose job it is to know the risks, however "wretched" it might make them.

While CCOs take many paths toward "wisdom" and the knowledge it entails, a formal ethics and compliance risk assessment is quickly becoming an essential route. However, while the term "risk assessment" is thrown around early and often in ethics and compliance circles, it is often hard to define just what the term means and what should be included in an ethics and compliance risk assessment. Our intent is to provide some practical guidance, including a checklist of issues that should be part of any company's assessment of this kind, regardless of the business sector and geography.

I. Risk Assessments in Today's Environment

While it may not be immediately clear to companies what specific conduct their risk assessment ought to encompass, one thing is immediately clear: governments, investors and the general public have a very real expectation that these will be conducted on a periodic basis. This is made clear by, among other things, the U.S. Sentencing Guidelines, as well as guidance issued by the U.S. Department of Justice and Securities and Exchange Commission.

When companies are unaware of their risks—or disproportionately allocate resources to low-risk operations at the expense of high-risk operations—they not only waste resources, they leave wide gaps of exposure.  A risk assessment benefits a company by (1) providing guidance as to where compliance dollars are best spent; (2) mitigating the chances of future legal and ethical violations; and (3) mitigating the company's loss in the event a violation does occur. This is true particularly because U.S. enforcement agencies consider the frequency and quality of ethics and compliance risk assessments when evaluating a company's compliance program.  

Indeed, in the DOJ and SEC's Resource Guide to the FCPA, risk assessments are described as "fundamental to developing a strong compliance program[.]" They can mitigate a company's liability for the actions of an officer or employee who violates the law.  Additionally, courts look to the U.S. Sentencing Guidelines for Organizations to determine the company's culpability for employee conduct.  The Guidelines themselves state that "organizations shall periodically assess the risk of criminal conduct and shall take appropriate steps to design, implement, or modify" internal standards to prevent and detect criminal conduct.  As such, a thorough risk assessment not only limits future exposure, it can also mitigate a company's liability stemming from the actions of a truly rogue employee.

The need to evaluate a company's risks as a way to manage liability is not limited to the United States.  In connection with the issuance of the U.K. Bribery Act, the Ministry of Justice made clear that risk assessments are essential if a company wants to take advantage of that statute's adequate procedures defense.  

International organizations also recognize the importance of risk assessments.  In 2013, the Organisation for Economic Co-operation and Development (OECD), the United Nations Office on Drugs and Crime (UNODC), and the World Bank released the Anti-Corruption Ethics and Compliance Handbook for Business.  The Handbook provides a general structure for identifying and assessing risks, and emphasizes that an effective ethics and compliance program begins with a thorough assessment of a company's operations.  

Increasingly, investors are also looking at risk assessments: whether one exists and how adequate it is. Institutional investors and investor watchdog groups regularly send questions to companies concerning the adequacy of their compliance programs, often specifically asking if routine risk assessments are being done.

Additionally, lawsuits brought by investors after a compliance deficiency is identified will frequently base their claims on the real or perceived inadequacy of a risk assessment. These lawsuits generally take the form of either derivative actions brought on behalf of the company against management and/or directors for failing to implement adequate compliance programs, or shareholder class actions brought against officers and directors for failing to exercise oversight over risk management. 

Ultimately, the scope and rigor of a company's risk assessment determine the overall efficacy of its compliance program. Market participants have come to expect risk assessments from all companies. The challenge now lies in determining where to begin.

II. The Risk Assessment Checklist

When we set out to do our own first ethics and compliance risk assessments in-house, we both encountered a noticeable dearth of practical resources on which to draw. We had read many fine articles on the importance of doing them and how, on a general level, they might be implemented. But we found little practical advice of value.

Specifically, we could not find guidance on what topics should be covered. In other words, what are some of the possible risks that every company, or at least most companies, might face?  Absent such a list, we were left to develop our own. We are pleased to make available now our Risk Assessment Checklist. 

The list covers a wide range of ethics and compliance topics, including anticorruption, conflicts of interest, antitrust, export controls and others. In addition to listing the various topics and subtopics, it provides an explanation as to why a given issue might pose risks.  The checklist is not intended to be comprehensive, as each company will face its own unique risks depending on business sector, geography, corporate history and multiple other factors. 

That said, we believe it can serve as a useful baseline for identifying risks faced by most medium-to-large international companies. We hope it proves useful to companies whether they are looking to evaluate their ethics and compliance risks for the first time, reviewing the adequacy of their current compliance programs or evaluating potential risks before embarking on a new venture.

View the Risk Assessment Checklist here

By William "Billy" Jacobson & Suzanne Rich Folsom

Previously published in the April 23, 2015 edition of the Corporate Counsel
