Where’s Your Sanctions Risk Assessment? (No Seriously, it’s Required!)

Let’s pull out your sanctions-specific risk assessment, shall we?

Wait, you don’t have one?

Ah, don’t worry, there are lots of folks in that boat.

Many companies don’t have a sanctions-specific risk assessment. But you don’t want to be in that boat because it exposes your company to enormous risk.

Getting Along: Enterprise Risk and Compliance

This article first appeared on the Diligent Insights blog.

If you’re renovating your house, a general contractor is critical. He or she oversees the project and knows what needs to be done to execute the vision. But if the pipes aren’t fitted correctly, the general contractor may not see it until water seeps into the newly laid white oak floors. A general contractor is just that — general. They need the assistance of plumbers and electricians — specialists — to get a real view of the risks to the build.

The same is true in the relationship between enterprise risk (also known as integrated risk) and compliance. There’s currently a debate about whether compliance should be subsumed into a single risk function. While compliance risk is part of a complete risk function, it needs to be separate, with its risk assessment process independently managed.

Compliance Risk Is Distinct

Corporate compliance departments typically deal with a narrow, yet critical, set of risks. These include bribery, antitrust, trade compliance, data privacy, modern slavery, conflict minerals and/or money laundering. In short, the laws managed by compliance have enormous penalties when things go wrong. It’s not uncommon to see fines in the billions and the imposition of a corporate monitor for several years when companies act unethically. This subset of challenges needs its own department, budget and risk monitoring.

Five Best Practices

Enterprise risk management can easily work effectively with the compliance function to ensure compliance risk is understood and responded to appropriately. Here are five best practices to ensure smooth sailing…

Do I Need a Risk Assessment or Program Assessment?

Recently I noticed something interesting. At Spark Compliance, we’ve got this nifty software that tells us when various companies visit our website, and which pages people review. Nearly everyone who looks at the Risk Assessments page also looks at the Program Assessments page. In addition, I’ve recently had potential and current clients call me asking about risk assessments, when it’s clear based on their goals that they actually need a program review, and vice versa.

To a certain degree, the confusion makes sense. Both assessment types reveal areas where controls may be deficient and evaluate how risk is being managed. But the goals of the two activities are significantly different.

The US Department of Justice and other regulators endorse and expect that risk assessments be performed regularly and that program reviews take place on a systematic basis. How do you know which activity you need right now? First of all, evaluate the goal of the assessment.

The Goal of a Risk Assessment

The goal of a risk assessment is to evaluate the risks facing the business. This evaluation uncovers the major compliance-related risks, then ranks them based on the likelihood that the bad thing will happen, and on the impact that the bad thing could cause. The likelihood is then reduced by the mitigating activity already in place. This may include having policies in place, training being performed, and other controls that manage risk.

The Goal of a Program Assessment

The goal of a program assessment is to…

VIDEO: Top Ten Mistakes Compliance Officers Make when Performing Risk Assessments

A couple of weeks ago I gave a webinar with Compliance Line that has created a huge amount of buzz. Its topic was the Top Ten Mistakes Compliance Officers Make when Performing Risk Assessments, and people were so engaged we couldn’t get to most of the questions! If you didn’t have the chance to see it, you can watch it HERE. In it, we explore the top ten mistakes (and what to do to fix them!). We look at:

1. Taking on too many risks at once

2. Tackling too many regions/business units

3. Creating document disasters

4. Religious adherence to the interview outline

5. Questioning knowledge instead of activities (this one is my favorite)

6. Not using a repeatable methodology

7. Throwing away the current program plan

8. Letting every score be medium

9. Using red/yellow/green on the heat map (ooh, this one is controversial!)

10. Shoving the report in a drawer

Risk assessments can be difficult, but they don’t have to involve self-sabotage. Find out how to make them better. View the video HERE.

p.s.: Don’t miss our next webinar on The Top Ten Third-Party Risk Management NIGHTMARES (just in time for Halloween!). Get more information and sign up HERE.

Risk Assessment Top Tips Series Part 2: Avoiding Document Disasters

There are two basic places to find information for your risk assessment: documents and interviews. Ensuring that you have the right documents and that you review them efficiently will make the process much smoother. This sounds easy, but it is deceptively so. Wasting time reviewing documents is practically de rigueur. But it doesn’t have to be if you plan correctly.

This is the second in our Risk Assessment Top Tips series. The first one on scoping your risk assessment for success can be found HERE. Like many steps in the risk assessment process, document collection and review has pitfalls that can be avoided. Following you’ll find top tips to ensure that your review goes well.

Top Tip One: Create a Document Inventory Before You Start Review

Many people dive right into the documents without taking the time to create an inventory sheet. An inventory is simply an Excel sheet or Word table that lists information such as:

  • The document’s title

  • The author/department to which it applies

  • The risk or sub-risk to which it relates

  • The date of the document

  • The most pertinent parts/salient points of the document

Don’t start reviewing until you’ve set up a system to do it effectively. If you start reviewing before you set up your system, you’ll end up re-reviewing documents, possibly three or four times.

Top Tip Two: Assign each Document a Number

Assign each document a number. If you’re working with hard copy documents, write the number on the front page. If you’re using electronic documents and you’re able to, save the documents in your system or SharePoint with the number in the title. It will help you to find the most critical documents later.

Be sure to add a column to your document inventory table that lists the number of each document so you can access them easily.

Top Tip Three: Add a Column for Interviewees…

Risk Assessments Made Easy Course Awarded 2.4 CEU Credits by the CCB

I’m delighted to announce that the Compliance Certification Board has approved the Risk Assessments Made Easy course for 2.4 non-live credit hours! That means that you can complete your risk assessment easily and get 2.4 credit hours as well! The CEUs count toward the CCEP, CCEP-I, CHC, and a number of other certifications. Even more reason to join! Find out more at https://www.compliancekristy.com/risk-assessments-made-easy.

Risk Assessment Top Tips Series: Scoping for Success

The word “risk” appears 56 times in the 20 pages of the DOJ’s guidance on the evaluation of corporate compliance programs. That’s more than twice per page. The phrase “risk assessment” appears eight times, and “risk-based” four. The DOJ instructs prosecutors to evaluate whether a risk-based approach was taken with respect to training, third-party due diligence, integration into enterprise risk, and the program as a whole.

How can you prove a risk-based approach without a written risk assessment?

Answer: you can’t. When a prosecutor arrives and begins questioning the compliance and management team on how decisions were made, the prosecutor will expect that the answers will flow from a documented, well-thought-out risk assessment. Indeed, “Prosecutors may credit the quality and effectiveness of a risk-based compliance program that devotes appropriate attention and resources to high-risk transactions, even if it fails to prevent an infraction.”

Risk Assessment Isn’t Just Meant to Protect from Prosecution

Hands up anyone who has all the financial, human, temporal, and technological resources they need to run their program with maximum effectiveness. Right. A risk-based approach is critical because it allows you to allocate limited time and money to the highest-risk areas of the business. If there isn’t a proper evaluation of the risks facing the business, there can’t be a systematized, defensible way of designing your program.

Top Tips for Risk Assessment Success

This is the first in a series of blog posts that will reveal top tips for performing a successful risk assessment. The basic flow of any risk assessment is the same: (1) scoping, (2) document collection, (3) interviews, (4) regulatory review/benchmarking, (5) choosing a methodology and evaluating risk, (6) writing the report and creating the heat map, and (7) applying the risk-based approach to the rest of your program. The steps may be the same, but the way you execute them makes all the difference.

Scoping: The Most Important Step

If a risk assessment isn’t properly scoped, it is likely to fail. It will either spiral out of control and be unmanageable or not properly capture the risks facing the business. Getting the scope right will enable you to ask for the right documents, set up the right interviews, review the correct regulatory guidance, benchmark against the right sources, evaluate risk correctly, and apply the right risk-based approach to the rest of your program. Scoping sounds easy, but frequently isn’t.

There are two basic types of risk assessments. The first reviews multiple types of risk against each other. For instance, a multi-subject risk assessment may evaluate the company’s bribery risk against its trade sanctions, antitrust/competition, data privacy, and modern slavery risk. The second type reviews one type of risk in-depth, such as bribery or money-laundering.

Following you’ll find five top tips for scoping your risk assessment. The first two Top Tips relate solely to multi-subject risk assessments, the third solely to single-subject risk assessments, and the last two apply to both types.

Top Tip One: Don’t Go Outside the Scope of Your Program (if you can help it)…

NEW COURSE: Risk Assessments Made Easy – Filming NOW!

In April, we did a survey asking what areas of a compliance program you wanted to learn about most. Overwhelmingly, the top answer was an in-depth class on how to perform risk assessments. Good news! We listened and are currently filming the online course, “Risk Assessments Made Easy.” In this course, you’ll learn:

  • How to properly scope your risk assessment to set you up for success

  • Tips and tricks for document gathering so you don’t miss important information – or get swamped with an impossible number to review

  • How to choose the best interviewees, and how to ask questions effectively to suss out risk

  • A robust methodology that you can apply immediately to produce a strong and defensible assessment

  • Information on creating mitigating strategies and a roadmap for implementation of your recommendations for program improvement

Most importantly, you’ll receive templates to help you every step of the way through your risk assessment. You can use the course to perform single-risk assessments or to review multiple risks facing your program. The course will be out by the end of June. Stay tuned!

Your Step-by-Step Guide to Developing a Risk-Based Due Diligence Process

This is a guest post by Ramsey Kazem, East Coast Vice President, Spark Compliance Consulting. He can be reached at rkazem@sparkcompliance.com.

Last spring, the Department of Justice issued a guidance document which outlines the specific factors prosecutors consider in evaluating a company’s compliance program and in deciding whether to bring charges, negotiate plea agreements, or offer leniency when assessing penalties. The guidance makes clear that a “well designed compliance program should apply risk-based due diligence to [a company’s] third-party relationships.” That is, a company must have a process in place to perform an appropriate level of due diligence before engaging a new third party. This process must be current, effective, and risk-based.

While the expectation is clear, the process by which a company meets this expectation is not as straightforward. As with most things in compliance, there is no one-size-fits-all solution to satisfying this standard. Indeed, a company must develop an approach to third-party due diligence that fits the company’s size, structure, industry, geographical presence, and risk profile.

So how does a company go about designing a third-party due diligence process that will meet the expectations described in the DOJ’s guidance document? In this two-part series, we will share some guidelines and best practices for undertaking this effort. In Part I of the series, we will discuss how to define the scope of a third-party due diligence program. In Part II, we will explain how to develop a risk-based process to effectively screen the in-scope third parties for compliance-related risks.

Defining the Scope of a Third-Party Due Diligence Program

The first step in designing a third-party due diligence program is to define the scope of the program…