Category: Risk Assessments

Risk Assessment Top Tips Series Part 2: Avoiding Document Disasters

There are two basic places to find information for your risk assessment: documents and interviews. Ensuring that you have the right documents and that you review them efficiently will make the process much smoother. This sounds easy, but it isn’t. Wasting time reviewing documents is practically de rigueur. But it doesn’t have to be if you plan correctly.

This is the second in our Risk Assessment Top Tips series. The first one on scoping your risk assessment for success can be found HERE. Like many steps in the risk assessment process, document collection and review has pitfalls that can be avoided. Following you’ll find top tips to ensure that your review goes well.

Top Tip One: Create a Document Inventory Before You Start Review

Many people dive right into the documents without taking the time to create an inventory sheet. An inventory is simply an Excel sheet or Word table that lists information such as:

  • The document’s title

  • The author/department to which it applies

  • The risk or sub-risk to which it relates

  • The date of the document

  • The most pertinent parts/salient points of the document

Don’t start reviewing until you’ve set up a system to do it effectively. If you start reviewing before you start your system, you’ll end up re-reviewing documents, possibly three or four times.

Top Tip Two: Assign each Document a Number

Assign each document a number. If you’re working with hard copy documents, write the number on the front page. If you’re using electronic documents and you’re able to, save the documents in your system or SharePoint with the number in the title. It will help you to find the most critical documents later.

Be sure to add a column to your document inventory table that lists the number of each document so you can access them easily.

Top Tip Three: Add a Column for Interviewees…


Risk Assessments Made Easy Course Awarded 2.4 CEU Credits by the CCB

I’m delighted to announce that the Compliance Certification Board has approved the Risk Assessments Made Easy course for 2.4 non-live credit hours! That means that you can complete your risk assessment easily and get 2.4 credit hours as well! The CEUs count toward the CCEP, CCEP-I, CHC, and a number of other certifications. Even more reason to join! Find out more at


Risk Assessment Top Tips Series: Scoping for Success

The word “risk” appears 56 times in the 20 pages of the DOJ’s guidance on the evaluation of corporate compliance programs. That’s more than twice per page. The phrase “risk assessment” appears eight times, and “risk-based” four. The DOJ instructs prosecutors to evaluate whether a risk-based approach was taken with respect to training, third-party due diligence, integration into enterprise risk, and the program as a whole.

How can you prove a risk-based approach without a written risk assessment?

Answer: you can’t. When a prosecutor arrives and begins questioning the compliance and management team on how decisions were made, the prosecutor will expect that the answers will flow from a documented, well-thought-out risk assessment. Indeed, “Prosecutors may credit the quality and effectiveness of a risk-based compliance program that devotes appropriate attention and resources to high-risk transactions, even if it fails to prevent an infraction.”

Risk Assessment Isn’t Just Meant to Protect from Prosecution

Hands up anyone who has all the financial, human, temporal, and technological resources they need to run their program with maximum effectiveness. Right. A risk-based approach is critical because it allows you to allocate limited time and money to the highest-risk areas of the business. If there isn’t a proper evaluation of the risks facing the business, there can’t be a systematized, defensible way of designing your program.

Top Tips for Risk Assessment Success

This is the first in a series of blog posts that will reveal top tips for performing a successful risk assessment. The basic flow of any risk assessment is the same: (1) scoping, (2) document collection, (3) interviews, (4) regulatory review/benchmarking, (5) choosing a methodology and evaluating risk, (6) writing the report and creating the heat map, and (7) applying the risk-based approach to the rest of your program. The steps may be the same, but the way you execute them makes all the difference.

Scoping: The Most Important Step

If a risk assessment isn’t properly scoped, it is likely to fail. It will either spiral out of control and be unmanageable or not properly capture the risks facing the business. Getting the scope right will enable you to ask for the right documents, set up the right interviews, review the correct regulatory guidance, benchmark against the right sources, evaluate risk correctly, and apply the right risk-based approach to the rest of your program. Scoping sounds easy, but frequently isn’t.

There are two basic types of risk assessments. The first reviews multiple types of risk against each other. For instance, a multi-subject risk assessment may evaluate the company’s bribery risk against its trade sanctions, antitrust/competition, data privacy, and modern slavery risk. The second type reviews one type of risk in-depth, such as bribery or money-laundering.

Following you’ll find five top tips for scoping your risk assessment. The first two Top Tips relate solely to multi-subject risk assessments, the third solely to single-subject risk assessments, and the last two apply to both types.

Top Tip One: Don’t Go Outside the Scope of Your Program (if you can help it)…


NEW COURSE: Risk Assessments Made Easy – Filming NOW!

In April, we did a survey asking what areas of a compliance program you wanted to learn about most. Overwhelmingly, the top answer was an in-depth class on how to perform risk assessments. Good news! We listened and are currently filming the online course, “Risk Assessments Made Easy.” In this course, you’ll learn:

  • How to properly scope your risk assessment to set you up for success

  • Tips and tricks for document gathering so you don’t miss important information – or get swamped with an impossible number to review

  • How to choose the best interviewees, and how to ask questions effectively to suss out risk

  • A robust methodology that you can apply immediately to produce a strong and defensible assessment

  • Information on creating mitigating strategies and a roadmap for implementation of your recommendations for program improvement

Most importantly, you’ll receive templates to help you every step of the way through your risk assessment. You can use the course to perform single-risk assessments or to review multiple risks facing your program. The course will be out by the end of June. Stay tuned!


Your Step-by-Step Guide to Developing a Risk-Based Due Diligence Process

This is a guest post by Ramsey Kazem, East Coast Vice President, Spark Compliance Consulting. He can be reached at

Last spring, the Department of Justice issued a guidance document which outlines the specific factors prosecutors consider in evaluating a company’s compliance program and in deciding whether to bring charges, negotiate plea agreements, or offer leniency in assessing penalties. The guidance makes clear that a “well designed compliance program should apply risk-based due diligence to [a company’s] third-party relationships.” That is, a company must have a process in place to perform an appropriate level of due diligence before engaging a new third party. This process must be current, effective, and risk-based.

While the expectation is clear, the process by which a company meets this expectation is not as straightforward. As with most things in compliance, there is no one-size-fits-all solution to satisfying this standard. Indeed, a company must develop an approach to third-party due diligence that fits the company’s size, structure, industry, geographical presence, and risk profile.

So how does a company go about designing a third-party due diligence process that will meet the expectations described in the DOJ’s guidance document? In this two-part series, we will share some guidelines and best practices for undertaking this effort. In Part I of the series, we will discuss how to define the scope of a third-party due diligence program. In Part II, we will explain how to develop a risk-based process to effectively screen the in-scope third parties for compliance-related risks.

Defining the Scope of a Third-Party Due Diligence Program

The first step in designing a third-party due diligence program is to define the scope of the program…


Metrics that Matter: Part 8 – Risk Assessment

The Department of Justice’s watershed Evaluation of Corporate Compliance Programs Guidance Document made it very clear: a risk-based approach is necessary to avoid “devot[ing] a disproportionate amount of time to policing low-risk areas instead of high-risk areas.” The Guidance goes on to describe all of the areas where a risk-based approach is required. Having a risk assessment is just the beginning. Monitoring the right metrics relating to the risk assessment is critical to judge the health of the program.

In this blog, we’re going to explore metrics relating to risk assessments. This is Part 8 of our series. If you haven’t read Part 1, I recommend you go back and start there, as it sets the stage regarding why certain metrics should be chosen. We’ve already explored metrics that can be used with policies and procedures, which can be found HERE; monitoring and auditing, which can be found HERE; training, which can be found HERE; third-party risk management, which can be found HERE; governance, which can be found HERE; and communications and tone from the top, which can be found HERE.

What Needs a Risk-based Approach?

The phrase “risk-based approach” is used by many compliance officers, sometimes without an understanding of what it means. The DOJ Guidance defines several areas in which risks should be managed using a risk-based approach. These include third-party due diligence, assignment of training, gathering metrics and reporting for the Board, and the allocation of resources (both human and financial). Without a proper written risk assessment that is effectively monitored, this is impossible.

The Most Important Question …
