Learn from enforcement actions | Society of Corporate Compliance and Ethics (SCCE)
CEP Magazine (June 2022)
One of the best ways to learn about compliance and ethics programs is to review enforcement actions. And some recent actions provide very useful guidance on one of the most important elements of any compliance and ethics program: risk assessment.
I won’t bother to name the companies involved – it just gets me in trouble anyway, and the lessons are clear. Instead, I’ll just describe three of the common themes I’ve noticed when reviewing several recent cases.
First, regulators want us to do more than just identify a broad category of compliance risk. They want us to break down each risk into sub-categories, such as geographic location, type of customer, type of product or service, etc. Taking this more granular approach to a risk sharpens an organization’s ability to identify additional factors associated with a risk, which contributes to the development of a risk response.
Next, we should maintain appropriate levels of supporting documentation for our risk assessments. Too often, once the risk assessment is complete, the only record kept is the final work product and perhaps some reports associated with the assessment, often limited to a description of the process used. Regulators want to see more evidence of how conclusions were reached in the assessment, from how we determined impact and likelihood, to other important information and data used in the assessment.
Finally, another common theme seems to be the reminder that the risk assessment methodology and process should be subject to periodic independent evaluation. We often think of auditing in the context of specific risk areas. But auditing also has a broader element, where the focus should be on auditing the compliance and ethics program itself. The US Sentencing Guidelines remind us that we should “periodically evaluate the effectiveness of the organization’s compliance and ethics program.” This includes an evaluation of the risk assessment process, with the aim of making continuous improvements.
I chose to focus on the risk assessment process in this column, simply because that’s what I’ve noticed most in some recent enforcement actions. But ongoing review of enforcement actions can provide direction for evaluating the effectiveness of all elements of your compliance and ethics programs. And these actions can also provide you with additional support for resources that you will probably request.
1 USSG § 8B2.1(b)(5)(B).