31 Days to More Effective Compliance Programs

Day 14 | Risk Assessments

One cannot really say enough about risk assessments in the context of anti-corruption programs. This is because every corporate compliance program should be based upon a risk assessment, to understand your organization’s business from the commercial perspective, how your organization has identified, assessed, and defined its risk profile and, finally, the degree to which the program devotes appropriate scrutiny and resources to this range of risks.

As far back as 1999, in the Metcalf & Eddy enforcement action, the DOJ said that risk assessments which measure the likelihood and severity of possible FCPA violations should direct your resources to manage those risks. The 2012 FCPA Guidance stated it succinctly: “Assessment of risk is fundamental to developing a strong compliance program and is another factor DOJ and SEC evaluate when assessing a company’s compliance program.”
This language was supplemented in the 2017 FCPA Corporate Enforcement Policy, which stated, “The effectiveness of the company’s risk assessment and the manner in which the company’s compliance program has been tailored based on that risk assessment.”
A risk assessment determines the areas at greatest risk for FCPA violations among all types of international business transactions and operations, the business culture of each country in which these activities occur, and the integrity and reputation of third parties engaged on behalf of the company. The reason is straightforward: one cannot define, plan for, or design an effective compliance program to prevent bribery and corruption unless one can measure the risks one faces.

Three key takeaways:

  1. Since at least 1999, the DOJ has pointed to the risk assessment as the start of an effective compliance program.
  2. The DOJ will now consider both your risk assessment methodology for identifying risks and the evidence you gathered.
  3. You should base your compliance program on your risk assessment.
This Week in FCPA

This Week in FCPA-Episode 145 – Conferencing in America edition

Tom and Jay were both conferencing this week, albeit in different disciplines. Tom at Podfest Expo and Jay at the ABA White Collar Crime conference. In between they discussed some of this week’s top compliance and ethics stories which caught their collective eyes.

  1. MTS has massive FCPA resolution. Harry Cassin breaks the story in the FCPA Blog. See DOJ Press Release. See SEC Cease and Desist Order.
  2. CFTC to follow DOJ lead on enforcement and SEC lead on whistleblowers. Dick Cassin reports in the FCPA Blog. See CFTC Press Release.
  3. Hacienda Healthcare is one of the worst corporate governance failures ever. Matt Kelly writes about it in Radical Compliance. Tom and Matt take a deep dive in Episode 113 of Compliance into the Weeds.
  4. Gulnara Karimova charged with conspiracy to commit money laundering in the whopping amount of $866MM. Harry Cassin reports in the FCPA Blog. See DOJ Press Release.
  5. Are consumers the new regulators of global business practices? Richard Young explores in Navex Global’s Ethics and Compliance Matters.
  6. Are Boards getting sufficient information on risk? Kristin Broughton reports in the WSJ Risk and Compliance Journal. Matt Kelly says compliance professionals can help in Navex Global’s Ethics and Compliance Matters.
  7. Is Baker McKenzie in deep trouble over the JBF bribery settlement? A former partner is to be deposed over the hire of a Brazilian prosecutor. Michael Macagnone reports in Law360. The same partner left the firm to join Pierce Bainbridge, Clara Hudson reports in GIR. (sub req’d on both)
  8. Dutch prosecutors have told Shell the company will be criminally indicted over its role in obtaining drilling rights in Nigeria. Chloe Taylor reports on CNBC.com.
  9. Jay begins a new role as a Featured Columnist on Corporate Compliance Insights. Check out CCI’s cool new look. (Interview with CCI’s new EIC Sarah Haddon next week).
  10. Rod Rosenstein says farewell to the compliance community. Text of Rosenstein speech here.
  11. Tom returns to his periodic podcast series, the Opinion Release Papers, with a five-part offering this week. Check out the following: Part 1 – Opinion Release 10-03 on charitable donations under the FCPA; Part 2 – Opinion Release 10-02 on hiring foreign officials as agents; Part 3 – Opinion Release 07-01, travel for foreign officials; Part 4 – Opinion Release 07-02, travel for and entertainment of foreign officials; Part 5 – Opinion Release 11-01, why you should use the process. The podcast is available on multiple sites: the FCPA Compliance Report, iTunes, JDSupra, Panoply and YouTube. The Compliance Podcast Network is now also on Spotify. It is now also on Corporate Compliance Insights.

Tom Fox is the Compliance Evangelist and can be reached at tfox@tfoxlaw.com. Jay Rosen is Mr. Monitor and can be reached at jrosen@affiliatedmonitors.com.
For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit our sponsor Affiliated Monitors at www.affiliatedmonitors.com.

Across the Board

Across the Board-Episode 6, Climate Impact-Will Your Assets Be Stranded?

SSGA’s Perspective On Effective Climate Change Disclosure”. While the white paper focused more specifically on climate impact and climate risk to businesses in the energy and mineral extractive industry, it set out a protocol which every Board of Directors can use for a wide variety of risks, including compliance risk.
We consider the purpose and methodology of SSGA’s white paper. We take a deep dive into the four areas in which a Board can better position itself on climate change risk:

  1. Governance and board oversight of climate risk
  2. Establishing and disclosing long-term GHG goals
  3. Disclosing information on carbon price assumptions
  4. Discussing the impacts of scenario planning on long-term capital allocation

We then consider the SSGA approach in the context of a broader risk management process through the exploration of such issues as:

  1. How broadly do climate related changes impact businesses?
  2. How should businesses prepare for disruption due to climate change or climate impact?
  3. Is there a business opportunity for companies which engage in strategic risk management around climate change?

For more from Rakhi Kumar on the SSGA white paper, its application to the anti-corruption compliance practitioner, and management of strategic risk, see my blog post Will Your Assets Be Stranded? The Risk Management Process in ESG and Compliance.

A robust risk management process provides both risk mitigation and significant business opportunities.

FCPA Compliance Report

FCPA Compliance Report – Episode 344 – Virginia Suveiu

Legal Risk Management Specialized Studies Certificate Program for UCI Extension, where she teaches for that program and the Contract Management Certificate Program. She has published articles on various business law matters, most recently for the National Contract Management Association’s Contract Management Magazine May 2015 issue, as well as for the National Center for State Courts and the Aerospace and Defense Forum. Every corporation and compliance practitioner faces a wide variety of risks. These include regulatory risks, legal risks, reputational risks, safety risks, environmental risks, and many other types of risks. We consider whether there is one process or approach to take to the over-arching concept of risk management, or whether the approach needs to be fine-tuned by each organization. We discuss the Legal Risk Management Specialized Studies Certificate Program, including the program benefits and who should attend. We explore the approach to teaching risk management. We discuss some of her current initiatives on the study and teaching of risk. In this episode, I discuss with Virginia Suveiu the theories of risk and the process of risk management.


Day 16 of One Month to More Effective Internal Controls-COSO Objective II: Risk Assessments

Integrated Framework (Framework Volume) recognizes that “every entity faces a variety of risks from external and internal sources.” This objective is designed to provide a company with a “dynamic and iterative process for identifying and assessing risks.” For the compliance practitioner, none of this will sound new or even insightful; however, the COSO Framework requires a component of management input and oversight that was not as well understood. The Framework Volume says, “Management specifies objectives within the category relating to operations, reporting, and compliance with such clarity to identify and analyze risks to those objectives.” But management’s role continues throughout the process, as it must consider internal and external changes that can affect or change risk “that may render internal controls ineffective.” This final requirement is also important for any anti-corruption compliance internal control. Changes are coming quite quickly in anti-corruption laws and their enforcement. Management needs to be cognizant of these changes, and of changes that its business model may make in the delivery of goods or services, which could increase the risk of running afoul of these laws.

Objective-Risk Assessments

The objective of Risk Assessment consists of four principles. They are:

  1. Principle 6 – “The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to the objectives.”
  2. Principle 7 – “The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.”
  3. Principle 8 – “The organization considers the potential for fraud in assessing risks to the achievement of objectives.”
  4. Principle 9 – “The organization identifies and assesses changes that could significantly impact the internal control system.”

Principle 6 – Suitable Objectives

Your risk analysis should always relate to stated objectives. As noted in the Framework Volume, management is responsible for setting the objectives. Rittenberg explained, “Too often, an organization starts with a list of risks instead of considering what objectives are threatened by the risk, and then what control activities or other actions it needs to take.” In other words, your objectives should form the basis for your risk assessments.

Principle 7 – Identifies And Analyzes Risk

Risk identification should be an ongoing process. While it should begin at senior management, Rittenberg believes that even though a risk assessment may originate at the top of an organization or even in an operating function, “the key is that an overall process exists to determine how risks are identified and managed across the entity.” You need to avoid siloed risks at all costs. The Framework Volume cautions that “Risk identification must be comprehensive.”

Principle 8 – Fraud Risk

Every compliance practitioner should understand that fraud exists in every organization. Moreover, the monies that must be generated to pay bribes can come from what may be characterized as traditional fraud schemes, such as employee expense account fraud, fraudulent third-party contracting and payments, and even fraudulent over-charging and pocketing of the difference in sales price. This means that fraud should be treated as an important part of any risk analysis. Any company must follow the flow of money, and where the Fraud Triangle is present, management oversight must be placed around that risk.

Principle 9 – Identifies And Analyzes Significant Change

It is true that if there is one constant in business, it is that there will always be change. The Framework Volume states, “every entity will require a process to identify and assess those internal and external factors that significantly affect its ability to achieve its objectives.” Rittenberg intones that companies “should have a formal process to identify significant changes, both internal and external and promptly assess the risks and approaches to mitigate the risk.”

Discussion

The SEC has clarified that companies should be expanding their view of risk in implementing the COSO 2013 Framework. Risk assessments are a cornerstone of a best practices compliance program as laid out in the 2012 FCPA Guidance and in the DOJ’s Evaluation of Corporate Compliance Programs, issued in February 2017. The regulators are telling companies specifically that they should see new risks that they need to address because of the changes brought about by the new standard. Howell noted that “in the internal control arena, fraud risk, in particular, has been of keen interest because of the opportunity to mask fraud through the judgments made in recognizing revenue, no matter what the revenue recognition standard.” He went on to add other risks that companies should be considering in their risk assessments: “One risk is a company’s business practices do not relate to the accounting that they are providing right now because the business practices are changing and internally the company is not recognizing that the business practices are changing.

“Another example is that sales folks give concessions to customers that are not reflected in their understanding of the contract and its accounting.” Howell went on to add that there might be other activities going on to acquire contracts that aren’t being properly accounted for, or even recognized at some level, such as concessions given at the back end for returns that aren’t being reported back into the estimate of revenue going forward. Finally, there are risks that a company has misstated or underestimated what is required in determining whether revenue should be recognized over time, or what that period is when the time frame is rolling. Howell stated, “For example, the period could be longer, which means that your revenue would be recognized over a longer period. There’s always the risk that revenue could be recognized too early and that cost could be pushed out and spread over too long. As we begin to think about these new judgments that are required, we get into this entirely new level of judgment and risk related to the judgment that the companies need to identify and build both preventative controls and detective controls and have the plan to respond if they discover that the risk has happened and they have a failure.”

Three Key Takeaways:

  1. Risk assessments are required under the COSO Framework, the 2012 FCPA Guidance, and almost all other best practices compliance programs.
  2. Look at your risks across your organization rather than in a siloed manner.
  3. Risks, and how they are determined and managed, change over time, so be cognizant of changes in business practices on the ground.

For more information on improving your internal controls management process, visit this month’s sponsor Workiva at workiva.com. Risk assessments are required under the COSO Framework, the 2012 FCPA Guidance, and all other compliance regimes.