Risk Assessment and Management

How to Protect Compliance Risk Assessments from Unwanted Disclosure

A compliance risk assessment is a basic tool of compliance professionals. It is used to determine where risks and vulnerabilities exist in a company's compliance with laws and regulations. The Federal Sentencing Guidelines,[3] the Resource Guide to the U.S. Foreign Corrupt Practices Act,[4] and the OECD Good Practice Guidance,[5] as well as numerous other guidance documents and best practices, treat a risk assessment as a necessary first step toward an effective compliance program. Typically a compliance risk assessment (1) catalogues the legal and compliance requirements facing the company; (2) uses information-gathering tools such as interviews, surveys, benchmarking, and document and financial transaction review to determine the company's risk of failing to comply with those requirements; and (3) analyzes those risks to prioritize them according to likelihood, impact, and velocity (how quickly a risk, once realized, affects the company). But how the risk assessment is conducted can determine whether it stays safely within the company's confidential information or must be handed to prosecutors and plaintiffs' attorneys.

A risk assessment is a potentially risky undertaking in itself. Suppose, despite all expectations to the contrary, that some significant improper conduct came to light in the assessment, or that the assessment revealed control weaknesses the company had not previously known existed. The company could then be deemed to be on notice of the bad condition. The results of the assessment are critical, but at the end of the process no one wants to be forced to hand that report to prosecutors or plaintiffs' attorneys. Unless the document is protected by some form of legal privilege (for example, attorney-client privilege or work-product protection), it may be subject to disclosure outside the company in a criminal investigation or in private litigation, and because of the "dirt" a risk assessment might uncover, it could end up as prosecutor's exhibit number 1 or plaintiff's exhibit A in the case brought against your company. Critical steps should therefore be taken while the risk assessment is being conducted, not after the fact, to protect it from disclosure.
