Now, more than ever, risk assessments are an essential component of corporate compliance and ethics programs that organizations cannot afford to overlook. Risk assessments are an effective way for companies to monitor and evaluate potential compliance risk within an organization, and may take a variety of forms.
Conducting annual risk assessments is a strong preventive measure if done before something goes wrong. Due to the fact that enforcement trends and government priorities change rapidly, it is vital to stay up to date and conduct regular assessments. Enforcement authorities increasingly expect companies to have formal processes for periodic assessment of compliance risks everywhere they do business.
In 1991, the US Sentencing Commission did not specifically identify the completion of a formal risk assessment as essential to compliance. Today, however, government officials routinely identify risk assessments as a cornerstone of an effective compliance program. Companies must conduct periodic assessments of risk of criminal conduct and take appropriate steps to design, implement or modify each element to reduce risk.
Risk assessments aren’t just a legal obligation. They are an integral element to creating, implementing and enforcing an effective compliance and ethics program. Building annual risk assessments into your company’s compliance program is a must. Risk assessments should be a regular, systemic part of compliance efforts rather than an occasional, infrequent exercise performed when convenient or after a crisis. It is important to conduct risk assessments at
the same time every year and deputize a consistent group, such as your internal audit department, compliance committee, or outside legal team to conduct the annual review. Understand the array of compliance risks faced by the company and undertake a comprehensive review.
Some key areas of focus are: effective understanding and enforcement of company policies (i.e., bribery is prohibited). Compliance programs should address key risk areas. Companies should conduct due diligence on business partners and implement effective internal controls for accurate books and records. Employees should be able to report violations confidentially without fear of retaliation. These are all important areas to be mindful of while conducting risk assessments.
Conducting a formal risk assessment also provides an opportunity to take a closer look at recently-established business relationships to make sure partners and third parties do not have improper connections to government officials or some involvement in unethical or illegal conduct. This is a great way opportunity to scrutinize new and existing business partners and third-party agents. Proactively address and remediate any risks that are uncovered.
To be effective a risk assessment must: be objective, be comprehensive on risks, engage employees and functional leadership in the dialogue of what specific issues or concerns keep them up at night.
There are many options when it comes to how a company can conduct risk assessments. The methods for conducting risk assessments
vary and should be tailored to the specific industry, size and organizational structure of the company. For instance, when it comes to performing a needs assessment/gap analysis on policy preparation and enforcement, larger organizations will tend to have more specific policies in place, while smaller organizations will not.
The methods for conducting risk assessments may include the use of questionnaires, employee surveys, live assessments and workshops, self-assessments, and interviews. They may include the use of existing internal resources, or bringing in an independent party like external legal counsel to conduct and manage the assessments. Often times, having an outside team conduct an initial live risk assessment workshop with an organization’s senior management teams in order to identify high-level areas of concern is the appropriate first step. These workshops enable organizations to begin charting areas of concern and potential remedial action plans. Other times, providing the organization with a toolkit that can be used to conduct self-assessment exercises internally, including holding risk assessment workshops, is a more suitable option.
Regardless of how the risk assessments are conducted, it is important to memorialize risk assessment findings in an internal annual reporting process. While an initial formal risk assessment will likely take longer, when conducted every year, subsequent risk assessments may require significantly less time to complete, depending on the size of the company, its available compliance resources, and related factors. Once the assessment is complete, the compliance or audit team should carefully compile its findings and recommendations in a comprehensive report to be presented to the chief compliance officer, board of directors, and/or other senior
management for review and consideration of appropriate next steps.
What works for one particular company may not work for another. What is important is to regularly analyze and evaluate the potential risk areas that are present within your company, in order to minimize those risks to the greatest extent possible.
Outside General CounselTM and Santomassimo Davis LLP partner with employers to ensure their business is properly conducting regular and effective risk assessments, to minimizes their risk by alerting them to potential violations or internal concerns before those potential issues turn into big legal problems. For information on how our firm can help you, contact us online or call 201-712-1616 today to arrange a meeting with one of our experienced attorneys.