A compliance risk assessment is a basic tool of compliance professionals. It is used to determine where risks and vulnerabilities exist in a company’s compliance with laws. The Federal Sentencing Guidelines,[3] the Resource Guide to the U.S. Foreign Corrupt Practices Act[4] and the OECD Good Practice Guidance,[5] as well as numerous other guidance documents and best practices, mandate that a risk assessment is a necessary first step to have an effective compliance program. Typically a compliance risk assessment (1) catalogues the legal and compliance requirements facing the company; (2) uses information gathering tools such as interviews, surveys, benchmarking, and document and financial transaction review to determine the company’s risks of failing to comply with legal and regulatory requirements; and (3) analyzes those risks to prioritize them according to likelihood, impact, and velocity. But how the risk assessment is conducted can determine whether it stays safely within the company’s confidential information or must be given to prosecutors and plaintiffs’ attorneys.
A risk assessment is a potentially risky undertaking in itself. Suppose, despite all expectations to the contrary, that some significant improper conduct were to come to light in the assessment. The company could be deemed to be on notice of the bad condition. Suppose that the assessment showed control weaknesses that the company had not previously been aware existed. While the results of the assessment are critical, at the end of the process, no one wants to be forced unwillingly to give that report to prosecutors or plaintiffs’ attorneys. Because of the “dirt” that a risk assessment might uncover, it could end up being prosecutor’s exhibit number 1 or plaintiff’s exhibit A in court as they prosecute or sue your company. But unless the document is protected by some form of privilege, it may be disclosed outside the company in the event of criminal investigations or private litigation. Critical steps should be taken during the risk assessment to protect it from disclosure.
What Is Privilege and Why Does It Matter?
Privilege protects certain kinds of information from forced disclosure in legal proceedings and investigations. Suppose the Securities and Exchange Commission (SEC) were to say to the company (through a subpoena), “Give us all your documents and other records that assessed your risks of violation of the Foreign Corrupt Practices Act in the last five years.” When you look through your documents, you find one called “FCPA Risk Assessment” at your company. After reviewing the risk assessment, you think, “Some of this may be misunderstood, and it does not look like we acted very quickly when we learned about our risks,” even though you know that compared to most initiatives in your company, the remedial FCPA measures happened quite rapidly. In other words, it is a potentially damaging document. So unless a privilege applies, the SEC probably gets to see the risk assessment report. But, if it is privileged and you do not do unwise things with the document, your company should be able to protect it from disclosure.
Options
Here are the choices on how to conduct a risk assessment:
- Do not do one at all. If there were no risk assessment, there would be no report to disclose. But, the resulting compliance program would not be risk-based, so it would be significantly less likely to be designed effectively. And, it would be difficult to argue that a compliance program meets the requirements of the Federal Sentencing Guidelines or similar standards if this crucial first step is skipped. This does not seem to be an acceptable outcome.
- Have a non-legal internal group or an outside consultant conduct the risk assessment. At the end of the process, the company would have its risk assessment, which could be used to design an effective compliance program. But, the risk assessment report would not be protected from disclosure through legal or administrative discovery processes later on. In other words, the company could be forced to hand it over to people who would want to hurt the company with it.
- Have in-house counsel direct the preparation of the risk assessment. The company might have an argument for attorney-client privilege or attorney-work product. If these succeeded, they would protect the report. But, there are circumstances where these privileges would not apply and the company could be forced to hand over the document.
- Have outside counsel direct the preparation of the risk assessment. If done right, the company should have protection under attorney-client privilege and might even have protection as attorney-work product.
Legal Forms of Protection
There are two primary types of privilege that might protect a company’s compliance risk assessment from disclosure. The first is the attorney-client privilege and the second is the attorney-work product privilege. Each requires specific actions when the risk assessment is being created. After the fact, the company can only protect existing privilege, but it cannot go back and create privilege retroactively.
Attorney-client privilege
The attorney-client privilege is an old and established privilege based in common law. It can apply to both individuals and corporations. To establish the attorney-client privilege, the corporation needs to show the following[6]:
- The corporation is a client of the attorney.
- The attorney is a member of a bar of a court (or is the subordinate of such a person).
- The attorney is acting as an attorney in connection with the communication.
- The communication relates to facts that the client told the attorney about and there were no strangers present to overhear.
- The primary purpose of the communication is for the attorney to give:
  - an opinion of law,
  - legal services, or
  - assistance in a legal proceeding.
- The communication is not being used to commit a crime or tort.
- The corporation claims that the communication is privileged and does not waive it.
One of the elements for a risk assessment report to be an attorney-client privileged communication is that it be directed and authored by an attorney. That attorney can be in-house or outside counsel. But if the author or overseer is in-house counsel, there are additional obstacles to overcome. The risk assessment will only be privileged if the attorney is acting as an attorney and not in a business role. Many courts are skeptical of in-house counsel asserting privilege, because of the mixed responsibilities of those attorneys. In fact, some courts presume that in-house counsel engage in a substantial amount of non-legal work and require that the company overcome this presumption to claim the privilege.[7] A greater degree of scrutiny may be applied to in-house counsel who are trying to overcome this presumption, meaning extra care should be taken to document and prove that the assessment was conducted for a legal purpose.[8] Some courts have warned against companies obstructing the truth-finding process by improperly having in-house counsel claim privilege.[9] And, some jurisdictions follow a general presumption that privilege applies if the work is conducted by outside counsel.
A company operating in multiple jurisdictions faces unique challenges when determining how privilege may be conferred. Multidistrict litigation may force companies to defend against disclosure according to the rules of a court outside of their “home turf, due to the fact the privilege may be based on where the documents originated.”[10] Not thinking about the differences among various state privilege laws risks unwanted disclosure where those laws are applied to narrower circumstances than anticipated.
Companies operating internationally can be caught between multiple approaches when determining the fundamentals of privilege. For example, if the risk assessment might be subject to discovery by a European agency or court, it may be unwise to use in-house counsel to claim privilege. The European Court of Justice and the Court of First Instance have rejected extending the “legal professional privilege” to in-house counsel.[11] Similarly, China also lacks special protections for in-house legal counsel when it comes to disclosure. For outside counsel, China views privilege as a “duty” extending from the attorney to the client. This duty creates a “privilege–like” protection that won’t always be enough to prevent disclosure when lawyers must testify during a civil case.[12] This distinction has even led to instances where US courts have refused to provide protection for documents created in line with Chinese law.[13]
To preserve the attorney-client privilege, the risk assessment report must be confidential, which means that the corporation intended and expected it to be and remain confidential. And the risk assessment must either contain legal advice or convey legal services.
It is important to ensure the process of creating a risk assessment report is planned and conducted with confidentiality and legal services in mind. During the process, the data collector should inform each person who provides data or information that the data collector is acting at the direction of counsel and that they are collecting documents, data, and information (through physical or electronic collection and through interviews) in order for counsel to give legal advice based on those documents, data, and information.[14] The written risk assessment report should also contain legal advice about the risks and vulnerabilities of the company, often in the form of assigning values to the potential impact of various risks. Also, attorneys “hired to investigate through the trained eyes of an attorney” are performing legal services consistent with the attorney-client privilege.[15] If an attorney requests and directs an investigation for legal purposes, and keeps the resulting reports confidential, the report may be privileged despite the fact non-lawyer personnel conducted the bulk of the investigation.[16] In contrast, investigations which appear to be undertaken in the “ordinary course of business” are less likely to receive protection.[17]
When beginning a risk assessment, it is necessary to step back and examine the types of individuals and company characteristics involved, as they may affect the final report’s confidentiality. Sometimes, a person involved in a risk assessment may occupy a “quasi-legal” role, in which they are technically an attorney but do not meet the criteria required to confer privilege.[18] If work is to be delegated to a quasi-legal person, the role that person plays should be clearly defined from the beginning. Additionally, characteristics of the company’s industry may cause the court to view some “quasi-legal” activity with more scrutiny. An example may be a compliance practitioner for a company who is also an attorney but does not give legal advice as part of their role. In-house counsel working in highly regulated fields, such as insurance, may be considered to be acting as advisors on matters running in the ordinary course of business, and thus not under a privileged relationship.[19]
Those conducting a risk assessment should also be mindful of the effect a company’s structure may have on the assessment, and the subsequent report. For example, attorney-client privilege generally applies to subsidiaries of a parent company conducting an assessment. But if the parent company indirectly owns the subsidiary, or else expects the subsidiary to have a conflicting legal interest, special steps may need to be taken to protect privileged communications.[20] Similarly, due care should be taken to ensure communications with third parties fall under the same umbrella of privilege as those made within the company.
The attorney-client privilege is an absolute privilege, meaning it cannot be avoided because a party seeking the information shows substantial need. This comes up when someone is seeking to obtain the company’s confidential information saying, “I don’t have any other way to get this information—I need that risk assessment.” Unlike the work product doctrine, discussed later, that justification does not work here.[21] Also, the attorney-client privilege only protects the communication, not the underlying facts. So, the risk assessment report is privileged, but in litigation, the opposing side may still subpoena employees who happened to give input for the risk assessment and ask them questions about the risks and vulnerabilities of the company. But they cannot ask, “Did you tell the attorney about this?” That conversation would be covered by the privilege.
Once the risk assessment report is covered by this privilege, the company could still lose it by waiver.[22] Most of the time, this happens when the privileged and confidential communication is shared with someone who is not with the company (such as an external auditor) or not otherwise acting in a confidential capacity. It could also happen during litigation, due to poor management of discovery or planning of the company’s defense.[23] In general, to prevent waiver, one should keep the risk assessment report confidential, locked up, and only make it available to senior personnel on a need-to-know basis. Some prefer to issue only paper copies of risk assessments with a footer notation on each page that says, “Do Not Copy,” while designating the name of the individual recipient. People are less likely to copy a confidential hard copy of a document when expressly advised not to do so and their name appears on every page.
Finally, the privilege is not self-executing. When, in litigation or in the investigation of a crime, the company is asked for documents that are covered by privilege, the company must say the documents exist but cannot be produced due to privilege. One cannot hide the documents or act like they do not exist because they are privileged. There are specific procedures for asserting privilege that are not covered here, but should be an immediate topic of conversation with counsel when subpoenas or discovery requests may involve your risk assessment report.
Work product doctrine
While attorney-client privilege exists to protect the attorney-client relationship, the work product doctrine exists to promote a better adversarial process in litigation. The work product doctrine[24] generally protects an attorney’s work product, created in preparation for litigation, from involuntary disclosure. It is a broad privilege and applies to materials that the attorney prepared or were prepared at the direction of the attorney. These materials may include witness interview notes, investigative reports, questionnaires, memoranda, notes, and compliance reviews. But, unlike the attorney-client privilege, it is a qualified privilege. This means that even if the work product doctrine applies, the party trying to get the risk assessment report can still get it if they meet certain requirements, such as proving they cannot get the information any other way.
For the work product doctrine to apply, the following requirements must be met: (1) the materials or communications are of a nature that qualifies for protection, (2) they are prepared or obtained in anticipation of litigation, and (3) they were prepared by or for an attorney.[25] Additionally, each state typically has its own rules governing how work product is handled in a trial. Attorneys should be familiar with the local rules where work product is created because federal courts often look to state rules in deciding localized cases.
The true difficulty usually comes in showing that the risk assessment was prepared in anticipation of litigation. The anticipation of litigation must be more than a remote possibility.[26] Most courts break the “anticipation of litigation” into two aspects: causation and reasonableness. Generally courts look first at whether the report was created because of potential or actual litigation or for some other purpose. Compliance risk assessments are generally prepared in order to create an effective compliance program, not because there is litigation on the horizon. Risk assessments may find issues that may become subject to criminal investigation or litigation, but that is a remote possibility, not a likelihood. And the order of causation is wrong. The need for an effective compliance program is what caused the company to order a compliance risk assessment in the first place. If litigation or a criminal investigation results from something discovered during the risk assessment, it is a result, not a cause. Many courts withhold protection from “documents that are prepared in the ordinary course of business or that would have been created in essentially similar form irrespective of the litigation.”[27]
The First Circuit addressed this issue en banc in U.S. v. Textron, Inc.[28] In that case, the court was addressing whether the IRS could force the production of a risk assessment of Textron’s tax liabilities prepared by the company’s in-house tax attorneys. Textron had waived its attorney-client privilege when it showed the work to its auditors. But—as noted above—disclosure of work product to a third party does not necessarily waive the work product protection.[29] When Textron refused to produce the risk assessment because they claimed that it was attorney-work product, the court had to decide whether the work product doctrine applied in that situation. The court said the work product doctrine did not apply because the risk assessment was prepared for the financial statements, which is a reason other than potential litigation. Textron had to give up its tax liability risk assessment to the IRS. Many commentators have opined that the Textron case also stands for the proposition that the argument for work product doctrine protection is weaker if the work is done by in-house counsel.[30]
The enforceability of work product protections may depend on the circuit where the lawsuit takes place.[31] In some instances, attorney assessments do not lose work product status because they are used in the making of a business decision.[32] While these assessments must still be prepared in anticipation of litigation, the D.C. Circuit Court of Appeals held, “a document can contain protected work-product material even though it serves multiple purposes.”[33] Assessments are less likely to be considered “work product” if they do not sufficiently intertwine facts and statements with legal opinions, or else contain the reports and opinions of non-attorneys. To minimize this deficiency, attorneys should manage and prepare as much of the report as possible.
In a high-profile General Motors case regarding the internal investigation of the delay in recalling an engine switch,[34] the court determined that the work product doctrine applied to protect interview memoranda prepared from interviews conducted by outside counsel in light of a pending DOJ investigation and in anticipation of civil litigation. Because all witnesses were informed that the interviews were to gather information that outside counsel would use to provide legal advice to General Motors, the court held that the interview memoranda produced from those interviews would be considered classic attorney work product.
Courts then look at how reasonable it was to expect litigation at the time the work was prepared. The remote possibility of litigation is not sufficient. In general, the company must have identified some claim or some set of facts that would cause them to anticipate litigation. The claim need not have already been filed, but there must be some basis to anticipate that litigation could occur. For example, courts have held that an investigation by a regulatory agency is sufficient to reasonably anticipate litigation. But, “It is not enough to trigger work product protection that the subject matter of a document relates to a subject that might conceivably be litigated.”[35]
Crafting an assessment as work product is just one half of the battle. Procedural and evidentiary requirements may cause the work product protection to be waived during litigation, even if the assessment has met all of the other requirements. Similar to attorney-client privilege, the party who does not want the assessment disclosed must show it is work product. Once work product protection is established, the party seeking production of the document must show there is a substantial need for the materials, and that the information it contains cannot be obtained in another way.
What You Can Do
To protect your compliance risk assessment report from future discovery, here are some suggestions:
- Do use attorneys to protect attorney-client privilege of the risk assessment report. Be careful of using in-house counsel unless you feel comfortable that the attorney can demonstrate that they are primarily doing legal work and their leading the risk assessment effort cannot be construed as non-legal work. Use of outside counsel generally has lower risk in protecting privilege.
- Do have interviewers and investigators instruct those from whom they are gathering information that this is being done at the direction of counsel in order to collect information on which counsel will rely in giving legal advice to the company.
- Do adopt clear policies to provide guidance on when counsel should direct a risk assessment.
- Don’t rely on the work product doctrine unless an external investigation is underway or litigation is reasonably and actually anticipated. A suspicion that the risk assessment may uncover issues that could be the subject of a criminal/regulatory investigation or civil litigation may be insufficient to establish that the risk assessment is being conducted “in anticipation of litigation.”
- Do keep the risk assessment confidential. Don’t let it be shared with anyone outside the company and keep distribution within the company on a need-to-know basis, preferably with senior level employees.
- Do distribute the report only in a hard copy, paper version. Electronic copies tend to wander too much, especially as email attachments.
- Don’t provide the report to anyone without the express written permission of the legal department. Each hard copy may also be marked with the name of the recipient to discourage scanning or copying.
- Do mark the report, “privileged and confidential, attorney-client communication.”
- Do include legal opinions in the risk assessment report.
- Do keep to a minimum any separate, written materials used in writing the report. And keep legal opinions out of that separate, written material.
- Do notify your attorney immediately and determine the appropriate process to assert the privilege if your company receives a subpoena or discovery request that might arguably cover the risk assessment report.