After completing your risk assessment, you must translate it into a risk profile. If your estimate of where your bribery risk is greatest is wrong, it will be an effort to address it. As Ben Locwin explained in his BioProcess International article entitled “Quality Risk Assessment and Management Strategies for Biopharmaceutical Companies”:
Once we have assessed risks and determined a process that includes options to resolve and manage them whenever appropriate, we can decide the level of resources with which to prioritize them. There always will be latent risks: those that we understand are there but that we cannot chase forever. But we need to make sure we have classified them correctly. With a good understanding of each of these, we are better positioned to speak about the quality of our businesses.
William C. Athanas, in his Industry Week article, “Rethinking FCPA Compliance Strategies in a New Era of Enforcement,” posited that companies assume that FCPA violations follow a bell curve in which most employees are responsible for most of the violations. However, Athanas believed that the distribution pattern more closely follows a hockey-stick distribution, where just a few people commit virtually all violations. Athanas concluded by noting that it is this limited group of employees, or what he terms the “shaft of the hockey stick,” to which a company should devote most of its compliance resources. With a proper risk assessment, a company can then focus its compliance efforts, such as intensive training sessions or detailed analysis of key financial transactions involving those employees with the greatest means and motive to commit a violation.
The priority risks are the most significant risks with the greatest likelihood of occurring. These become the focus of your most significant risk management efforts, coupled with ongoing audits and monitoring. A variety of tools can be used to monitor risk going forward continuously. Consider providing employees with substantive training to guard against the most significant risks coming to pass and to keep the key messages fresh and top of mind. It is important to create a risk control summary that succinctly documents the nature of the risk and the actions taken to mitigate it. Finally, let this risk assessment and evaluation inform your compliance program rather than letting the compliance program inform the risk assessment.
Three key takeaways:
- Even after you complete your risk assessment, you must evaluate those risks for your company.
- The DOJ and SEC are looking for a well-reasoned approach to how you evaluate your risk.
- Create a risk matrix and rank your risks; then remediate and monitor as appropriate.
