One cannot really say enough about risk assessments in the context of anti-corruption programs. This is because every corporate compliance program should be based upon a risk assessment, to understand your organization’s business from the commercial perspective, how your organization has identified, assessed, and defined its risk profile and, finally, the degree to which the program devotes appropriate scrutiny and resources to this range of risks.
As far back as 1999, in the Metcalf & Eddy enforcement action, the DOJ has said that risk assessments that measure the likelihood and severity of possible FCPA violations should direct your resources to manage these risks. The 2012 FCPA Guidance stated it succinctly when it said, “Assessment of risk is fundamental to developing a strong compliance program and is another factor DOJ and SEC evaluate when assessing a company’s compliance program.”
This language was supplemented in the 2017 FCPA Corporate Enforcement Policy, which stated, “The effectiveness of the company’s risk assessment and the manner in which the company’s compliance program has been tailored based on that risk assessment.”
A risk assessment determines the areas at greatest risk for FCPA violations among all types of international business transactions and operations, the business culture of each country in which these activities occur, and the integrity and reputation of third parties engaged on behalf of the company. The reason is straightforward; one cannot define, plan for, or design an effective compliance program to prevent bribery and corruption unless you can measure the risks you face.
Three key takeaways:
- Since at least 1999, the DOJ has pointed to the risk assessment as the start of an effective compliance program.
- The DOJ will now consider both your risk assessment methodology for identifying risks and gathered evidence.
- You should base your compliance program on your risk assessment.