When the Federal Sentencing Guidelines for Organizations were first issued in 1991, risk assessment was not among the specified elements of an effective C&E program. By the time risk assessment was added to the definition of an effective C&E program in 2004 (as part of a comprehensive revision of this aspect of the Guidelines), many of those working in the C&E field saw risk assessment as indispensable to program efficacy, a view which has indeed strengthened over the years since then.
Risk assessment can come up in two ways in the program assessment setting.
First, the assessor can be asked to conduct a risk assessment alongside the program assessment. In this model a portion of all or most of the assessment interviews is devoted to posing risk assessment questions about the client organization.
One advantage of such an approach is that it can make the rest of the assessment (i.e., the pure program assessment part) more risk sensitive. Another advantage is economic – combining risk and program assessment might entail a more efficient use of interviewee times and assessor resources than would having two totally separate processes. On the other hand, a combined approach may mean insufficient time for each.
The other way in which risk assessment comes up in a program assessment setting – and this is presumably the case in all program assessments – is that how a company conducts risk assessment should itself be assessed. There is, of course, no one-size-fits-all set of criteria for this analysis, but there are certain questions that are particularly helpful and approaches that seem to work well generally – including the following:
– Is the risk assessment designed to identify information regarding all significant elements of the C&E program? Many risk assessments are designed to produce two types of risk-related information: that which helps the board of directors and senior management oversee the program and that which helps the internal audit function audit the program. These are important, of course. However, as a matter of common sense (and for meeting the pertinent Sentencing Guidelines expectations), the design and operation of all other aspects of the program – e.g., policies, procedures, training, communications, monitoring, the helpline, incentives, accountabilities – should be informed by the results of the risk assessment too.
– Does the assessment produce qualitative – as well as quantitative – information? Most risk assessments produce some quantitative data, particularly with respect to the likelihood and impact of a potential violation. But in assessing a risk assessment, one should also consider whether and how well it produces qualitative data.
One type of qualitative data concerns the “why” of risk. For instance, a risk caused by ignorance or lack of appreciation of applicable C&E standards tends to suggest enhancing relevant training and communications, whereas a risk caused by lack of attention by key personnel may suggest the need for stronger accountability measures.
A second type of qualitative data that risk assessments should generate is based on the “where” and “how” of risk. For instance, it is less helpful to merely identify competition law as a risk than it is to identify particularly risky markets (by geography and/or product/service line) and types of violations (e.g., division of markets) more likely to occur than others.
Finally, in assessing a company’s C&E risk assessment process, one should consider what might be called the risk assessment of every day work. That is, while presumably all companies should have a formal risk assessment process, the particulars of that process may depend in part on how well the company already knows its risks from other aspects of the program, such as monitoring, and indeed from having law or compliance personnel being deeply involved in business planning and operations – and whether the knowledge obtained this way is put to use to help mitigate C&E risk in an effective manner.