by Jeff Kaplan
In the 1990s I developed a three-dimensional framework for compliance and ethics (C&E) risk assessment and management. Since then the framework has evolved, and my current way of addressing risk centers largely on identifying and analyzing the intersections of the following four areas:
*) Substantive risk areas.
*) Geographical factors.
*) Different “parts” of a company.
*) Mitigation.
An example of this approach is to consider the risk of corruption (substantive risk area) in your organization’s Eastern European region (geographical factors) for your sales team (part of the company) in light of current training, due diligence, and other controls (mitigation). This type of analysis facilitates understanding of an organization’s legal risks in a way that is granular enough to allow for efficient identification of appropriate enhancements to compliance controls.
Substantive risk areas
In analyzing antitrust risks at a company, one should first identify the different types of antitrust legal standards that could reasonably be viewed as risk-causing for the company. This should entail more than simply collecting criminal (and in some cases, civil) statutes, as we have often seen companies do in risk assessments. Rather, one should also include, among other things, consideration of the different types of horizontal restraints, including price fixing, bid rigging and division of territories. One should also determine whether vertical restraints should be part of the inquiry. For companies with any degree of market power, the laws relating to dominance need to be considered. Especially important are emerging areas that may be a surprise to others in the company. In antitrust, for example, there are newly emerging employment issues, such as no-poach agreements, wage fixing and non-competes. These may catch HR people off guard.
Similarly, for the corruption risk area, one should generally assess risks not only of FCPA violations but also domestic bribery, commercial bribery and possibly lobbying, among other areas.
Note that some risks at a company may have been covered in prior assessment processes – formal or informal – and need not be repeated. Indeed, one important facet of a risk assessment in some instances can be to identify what is and is not “in scope.”
Finally, in my view, too few companies address ethics (as opposed to compliance) risk. Generally, this entails conduct that does not constitute a violation of law but, rather, issues of right and wrong that could create significant reputational harm and/or lead to legal liability. Conflicts of interest sometimes fit this bill and so might other risk areas. Note however, that while an area may start as “only” an ethical issue, when companies go too far governments can react quickly with laws and regulations hurting the company’s business.
Risk capacity and risk motivation
The consideration of risk areas should often be based partly on key facts concerning the relevant markets and business. For instance, with antitrust, one might inquire what market power the company actually has. While conduct such as price fixing and market allocation violates the law even when the parties lack any market power, if the company perceives that it can control markets, this could increase the risk of anticompetitive conduct occurring. This and similar lines of inquiry can be viewed as the capacity to engage in risky conduct.
On fraud and corruption, one should determine whether given the nature of the commerce at issue it is relatively easy or hard to cheat. (We sometimes ask in assessments if there is anything “worth stealing.”) If the company has a local agent who is a close friend of a government minister in a high-risk country this certainly enhances the ability to implement an effective bribe.
Also relevant here is the motivation to engage in risky conduct. For example, this might be based in part on how employees are compensated and incentivized. Do compensation and eligibility for promotion encourage undue risk taking? This is a reason why the compliance officer needs a say in the incentive system.
Pressure to perform fits into this risk factor as a motivation. So does identifying parts of the company where particular risks are not sufficiently understood or appreciated.
Geographic factors
There are two general aspects to this dimension.
*) Do local cultures/norms tolerate or even encourage wrongdoing?
*) Do local cultures help to prevent wrongdoing?
With both, the inquiries should include due consideration of local legal standards and applicable norms. Note that this can cut different ways: a culture that favors hiring family members (thus creating possible conflicts of interest) may also be one that highly values workplace safety. Due attention should also be given to determining what units of assessment should be used. In some instances using continents would be fine for this, but in others one should use a narrower focus, such as countries or even smaller units with distinct characteristics.
Different parts of the company
The third dimension of our framework concerns different “parts” of the company. “Parts” can include, among other things, business units, subsidiaries, staff functions and individual positions (including part-time ones). This dimension can also sometimes overlap with geographic factors discussed above.
For many criminal laws, this dimension should include high-level managers and positions involving sales or other sources of revenue. But many other parts of a company should be considered as well, as should independent agents and other third parties. For example, Sears was caught in a criminal case involving bankruptcy fraud that was perpetrated by its own legal department. No business unit or department is immune from compliance risk.
Mitigation
The fourth dimension of this framework is mitigation. Here, one determines how the various analyses of risk standards, geographic considerations and different parts of the company interact to:
*) Validate aspects of the program, or
*) Indicate room for improvement.
Another example can be drawn from the antitrust area, as follows:
Antitrust
What is the current mitigation?
There are also other mitigation questions one might ask, such as: Do the people who can help mitigate or manage the risk know what they need to do, and have they had the relevant training? But not every risk assessment needs to cover this.
Risk assessment is an essential step in creating an effective compliance program. It has to be more than just sitting at a computer listing statutes. The approach given above provides a blueprint for developing a real sense of what the company’s compliance and ethics risks may be, and how to address them.