"From ignorance our comfort flows. The only wretched are the wise." These words, written centuries ago by English poet and diplomat Matthew Prior, could be emblazoned on t-shirts worn by the modern-day chief compliance officer. After all, those sitting in corporate C-suites who are ignorant of the ethics and compliance risks their companies face certainly sleep better at night than the CCOs whose job it is to know the risks, however "wretched" it might make them.
While CCOs take many paths toward "wisdom" and the knowledge it entails, a formal ethics and compliance risk assessment is quickly becoming an essential route. However, while the term "risk assessment" is thrown around early and often in ethics and compliance circles, it is often hard to define just what the term means and what should be included in an ethics and compliance risk assessment. Our intent is to provide some practical guidance, including a checklist of issues that should be part of any company's assessment of this kind, regardless of the business sector and geography.
Risk Assessments in Today's Environment
While it may not be immediately clear to companies what specific conduct their risk assessment ought to encompass, one thing is immediately clear: governments, investors and the general public have a very real expectation that such assessments will be conducted on a periodic basis. This is made clear by, among other things, the U.S. Sentencing Guidelines, as well as guidance issued by the U.S. Department of Justice and Securities and Exchange Commission.
When companies are unaware of their risks—or disproportionately allocate resources to low-risk operations at the expense of high-risk operations—they not only waste resources, they leave wide gaps of exposure. A risk assessment benefits a company by (1) providing guidance as to where compliance dollars are best spent; (2) mitigating the chances of future legal and ethical violations; and (3) mitigating the company's loss in the event a violation does occur. This is true particularly because U.S. enforcement agencies consider the frequency and quality of ethics and compliance risk assessments when evaluating a company's compliance program.
Indeed, in the DOJ and SEC's Resource Guide to the FCPA, risk assessments are described as "fundamental to developing a strong compliance program[.]" They can mitigate a company's liability for the actions of an officer or employee who violates the law. Additionally, courts...