Performing effective risk assessments can be a difficult art to master. The very phrase—“compliance risk assessment”—can encompass a wide range of risks: anti-bribery, whistleblower retaliation, data privacy breach, workplace harassment, anti-competition, product safety, and much more.
What are the risks of poor risk due diligence? What are the risks that compensation schemes will lead sales agents to bribe their way to a performance bonus? What are the risks that internal controls won’t detect bribery payments or data privacy breaches? That complexity must now become permanent fixture of corporate compliance and risk management programs. More risks will emerge in the future, whether they come from business operations, government regulation, or external forces.
In order to protect us from loss of reputation, high fines and criminal charges, astute risk and gap assessments are imperative, following an efficient methodology, and embracing flexibility to meet whatever new risk is barreling up the audit committee’s agenda.
Areas to focus on in risk assessment:
To assess the risks around proper due diligence of third parties, the compliance function may need to enlist the procurement or accounting departments; they would have a list of all parties that received payments from the company. In a decentralized enterprise, the IT department may need to help “normalize” data that different divisions collect in different formats.
The risks associated with your company’s personnel require special attention: if corporate bribery is going to take place, the human element will necessarily be involved. When assessing risks your personnel might pose, you will need, again, to ask the right questions: Who interacts with government officials? Who sells products or gets business? Who controls funds leaving the company? Who is operating in the most corrupt environment? Who is in the best position to detect problems? Who is collecting, maintaining, distributing and storing personal data? Grouping the organization’s personnel as such will allow you to better identify which groups are most exposed, and to what levels of risk. Agents in frequent contact with government officials must be given extra care, as they can receive bribe requests in return for winning business opportunities. Personnel under pressure to make large sales may succumb and cut corners on compliance. Line-level accounting personnel, on the other hand, may be aware of improper payments. The HR staff has access to data privacy information which needs to be protected. Identifying such weaknesses will help put in place a more accurate risk assessment as well as more efficient remedial mechanisms. If you have not signed the Integrity Pledge of the Integrity Initiative yet and had access to our self-assessment tool, it is high time you do this now.
Evaluating geographical risk implies understanding where you operate; how much business you do in each area, the type of business you conduct in each area, how much data your import and export, and the level of corruption in that particular area. How aware are you about cross-border privacy rules?
Knowing your customer is key to mapping out your risk matrix. If you are delivering services or goods to a public entity, you are dealing with a high risk customer that could potentially bring your business under the scrutiny of anticorruption laws with global jurisdiction such as the US FCPA or the UK Bribery Act, which prohibit offering and giving bribes to foreign government officials. The coverage of applicable persons is broad and includes government officers and employees, consultants and agents acting on behalf of foreign governments, employees of public international organizations (like the World Bank, ADB or UN), and officials and employees of state-owned enterprises. If your customer does not fall under the definition of foreign officials, you must still consider whether your customer would present any risk as “private-to-private” bribery is also punishable under certain legislation with global jurisdiction such the UK Bribery Act and may also be punishable under local law in the country where the crime was committed. For instance, in a given tender or project you should ask whether a potential customer may operate corruptly, whether there is anything suspicious about the tender or project, etc. In addition, more and more countries and regions are implementing data privacy protection laws and regulations, which means that the protection of data in the interaction with clients becomes very important.
In conclusion, risk assessments present compliance professionals / Data Protection Officers with the complicated task of tailoring the assessment of every risk to its specific details. If you need assistance, contact us at the Integrity Initiative Inc. – contact email@example.com or firstname.lastname@example.org
by: Henry Schumacher