One cannot say enough about risk assessments in the context of anti-corruption programs. This is because every corporate compliance program should be based upon a risk assessment to understand your organization’s business from the commercial perspective, how your organization has identified, assessed, and defined its risk profile, and, finally, the degree to which the program devotes appropriate scrutiny and resources to this range of risks. Yet the 2020 Update added a new emphasis that Risk Assessments should not be done not less than annually but, in reality, should be done each time your risk change. Over the past couple of years, every company’s risks changed from Work From Home to Return to the Office to Hybrid Work environments. Have you assessed these new paradigms for risks from the compliance perspective?
As far back as 1999, in the Metcalf & Eddy enforcement action, the DOJ has said that risk assessments that measure the likelihood and severity of possible FCPA violations should direct your resources to manage these risks. The 2012 FCPA Guidance succinctly stated, “Assessment of risk is fundamental to developing a strong compliance program and is another factor DOJ and SEC evaluate when assessing a company’s compliance program.”
There are a number of ways you can slice and dice your basic inquiry. As with almost all FCPA compliance, your protocol must be well thought out. If you use one, some, or all of the above as your basic inquiries for your risk analysis, it should be acceptable for your starting point.
Three key takeaways:
- Since at least 1999, the DOJ has pointed to risk assessment as the start of an effective compliance program.
- The DOJ will now consider your risk assessment methodology for identifying risks and gathering evidence.
- You should base your compliance program on your risk assessment.
