Jeffrey M. Kaplan (firstname.lastname@example.org) is a Partner with Kaplan & Walker LLP in Princeton, New Jersey, USA.
Risk assessment is the topic that never grows old, because the world of compliance and ethics (C&E) risks is, by virtue of human nature, evergreen. Adding to the challenges faced by companies in this area are heightened governmental expectations regarding C&E programs in general and risk assessment in particular. Finally, while labeling these efforts simply as risk assessments, companies sometimes seek to include a substantial program assessment component as well, which raises the bar even more.
This is a lot to deal with, and one could write a book on risk assessment (or at least an e-book, as I have done). But often in dealing with C&E matters, one does not have the luxury of time, and so it is fair to ask: What can one say about risk assessment in a page? For this, I recommend the following three-step process.
First, for all major areas of risk (e.g., corruption, antitrust, fraud), seek to determine the:
Most likely scenario(s) in which a violation could occur.
Types of individuals likely to be involved in creating the risk (e.g., employees by function, business partners, and other third parties).
Places where misconduct is most likely to occur (e.g., in a particular geography or part of the business).
Most likely causes of the risk (e.g., lack of knowledge, lack of appreciation of applicable rules, lack of sufficient process controls, cultural challenges).
Second, use this information to assess the efficacy of C&E program elements that are largely risk-area specific. These are policies and procedures, training and other communications, third-party management, and auditing and monitoring. Note that I stress that these are largely risk-area specific. I do not suggest that they must be entirely so for these purposes. Some, such as training and auditing, have a general dimension too.
Third, assess the efficacy of the largely more general categories of program elements: risk assessment, culture and leadership, resources and autonomy devoted to oversight, incentives and disciplinary measures, confidential reporting and investigation, and analysis/remediation. This is based less on the results of the risk inquiry and more on good practices, but here, too, one must avoid painting with too broad a brush, as some of these elements have specific dimensions as well (e.g., sufficiency of resources with respect to anti-corruption due diligence).