Compliance

Compliance: A Library of Resources for Growth-Oriented Entrepreneurs
Risk Assessments

International Center for Growth-Oriented Entrepreneurship, 2016 Edition
Dr. Alan S. Gutterman

Compliance: A Library of Resources for Growth-Oriented Entrepreneurs, 2016 Edition, published in 2016 by the International Center for Growth-Oriented Entrepreneurship (www.growthentrepreneurship.org) and copyrighted © 2016 by Alan S. Gutterman (www.alangutterman.com). All the rights of a copyright owner in this Work are reserved and retained by Alan S. Gutterman; however, the copyright owner grants the public the non-exclusive right to copy, distribute, or display the Work under a Creative Commons Attribution-NonCommercial-ShareAlike (CC BY-NC-SA) 4.0 License, as more fully described at http://creativecommons.org/licenses/by-nc-sa/4.0/legalcode.

About the Center

The International Center for Growth-Oriented Entrepreneurship (www.growthentrepreneurship.org) engages in and promotes research, education and training activities relating to entrepreneurial ventures launched with the intent to achieve significant growth in scale and value creation through the development of innovative products or services which form the basis for a successful international business. In furtherance of its mission the Center is involved in the preparation and distribution of Libraries of Resources for Growth-Oriented Entrepreneurs covering Entrepreneurship, Leadership, Management, Organizational Design, Organizational Culture, Strategic Planning, Governance, Compliance, Finance, Human Resources, Product Development and Commercialization, Technology Management, Globalization, and Managing Growth and Change.

About the Author

Dr. Alan S. Gutterman is the Founder and Executive Director of the International Center for Growth-Oriented Entrepreneurship and the Founder and Executive Director of the Business Counselor Institute (www.businesscounselorinstitute.org), which distributes Dr. Gutterman’s widely-recognized portfolio of timely and practical legal and business information for attorneys, other professionals and executives in the form of books, online content, webinars, videos, podcasts, newsletters and training programs. Dr. Gutterman has over three decades of experience as a partner and senior counsel with internationally recognized law firms counseling small and large business enterprises in the areas of general corporate and securities matters, venture capital, mergers and acquisitions, international law and transactions, strategic business alliances, technology transfers and intellectual property, and has also held senior management positions with several technology-based businesses including service as the chief legal officer of a leading international distributor of IT products headquartered in Silicon Valley and as the chief operating officer of an emerging broadband media company. He received his A.B., M.B.A., and J.D. from the University of California at Berkeley, a D.B.A. from Golden Gate University, and a Ph.D. from the University of Cambridge. For more information about Dr. Gutterman, his publications, the International Center for Growth-Oriented Entrepreneurship or the Business Counselor Institute, please visit www.alangutterman.com and/or contact him directly at [email protected].

Compliance: A Library of Resources for Growth-Oriented Entrepreneurs

Contents

PART I – COMPLIANCE

Preface
Chapter 1 – Legal and Regulatory Basis for Compliance Programs
Chapter 2 – Elements of Effective Compliance Programs
Chapter 3 – Compliance Audits
Chapter 4 – Risk Assessments
Chapter 5 – Records Retention
Chapter 6 – Contract Management
Chapter 7 – Internal Investigations
Chapter 8 – Disclosure Controls and Procedures

This is a Part or chapter from the Library and you can get copies of other Parts and chapters by contacting the International Center for Growth-Oriented Entrepreneurship (www.growthentrepreneurship.org) at [email protected]. The Center also prepares and distributes other Libraries of Resources for Growth-Oriented Entrepreneurs covering Entrepreneurship, Leadership, Management, Organizational Design, Organizational Culture, Strategic Planning, Governance, Finance, Human Resources, Product Development and Commercialization, Technology Management, Globalization, and Managing Growth and Change. Attorneys acting as business counselors to growth-oriented entrepreneurs who are interested in forms, commentaries and other practice tools relating to the subject matter of this Part or chapter should also contact Dr. Gutterman at the e-mail address provided above.

Compliance: A Library of Resources for Growth-Oriented Entrepreneurs (2016) Part I – Compliance

PART I COMPLIANCE Preface

In today’s business world, all companies, regardless of their size, business model and scope of activities, are required to understand and comply with a plethora of laws and regulations, including common law legal relationships with employees, creditors, and landlords; various licensing requirements imposed by federal, state, and local governments; intellectual property rights; employment laws; federal and state tax laws and regulations, including the reporting obligations imposed under such laws; domestic and foreign laws regulating technology transfers and the form and content of many common commercial relationships; federal and state statutes relating to antitrust and unfair competition; governance rules and regulations; federal and state laws relating to privacy and data security; federal and state securities laws; and federal and state statutes relating to consumer protection and other matters. Recognizing the various legal and regulatory requirements that must be understood and satisfied, it is imperative for companies to create and faithfully administer appropriate compliance programs. The chapters in this Part lay out the general procedures for establishing and operating an effective legal and regulatory compliance program and dig deeper into the details of several key specific compliance topics and activities. The Part begins with an overview chapter that introduces the relevant laws and regulations, including a discussion of the federal sentencing guidelines and other governmental regulations and policies relating to compliance programs. The next chapter on Compliance Programs identifies the legal and business reasons for establishing a compliance program and describes the steps to be taken to launch and maintain such a program, including monitoring and auditing systems and guidelines to be followed by the board of directors and the executive team of the company in meeting their compliance oversight obligations. 
The chapter also provides essential information on how to organize the compliance function and the commonly agreed elements of an effective compliance program. The chapters on Compliance Audits and Risk Assessments cover the general procedures for conducting compliance audits and risk assessments. Given the complex legal environment that applies to every business organization, it is essential for companies to develop processes and procedures to conduct voluntary and self-analytical legal and compliance audits on a regular basis. In fact, a number of federal and state laws and regulations, as well as the agencies responsible for their enforcement, specifically require companies to assume responsibility for policing their own conduct and compliance and to report any potential misconduct to the appropriate authorities. In light of this trend, internal compliance audits have taken on significant importance, and establishing adequate procedures for such audits is an essential part of the company’s overall compliance program, which should include appropriate monitoring and auditing systems (e.g., periodic reviews of company business practices, procedures and policies), internal controls for compliance with standards of conduct and special legal requirements imposed on the business, and internal or external compliance audits. The chapter on Compliance Audits describes the steps to be taken to conduct effective audits, including the tools that can be used to collect and analyze information relevant to evaluating the efficacy of the company’s compliance programs. The chapter on Risk Assessments discusses the role of risk assessments in the overall compliance process and describes how an effective risk assessment should be conducted. Risk assessment refers to the company’s process for identifying and addressing the business risks that it faces in conducting its activities. Such an assessment must address all of the threats to management’s ability to achieve the company’s objectives, including those in the areas of operations, financial reporting and compliance with laws and regulations. The process of risk assessment includes identifying the risks, estimating the significance of the risks, and then selecting methods to manage them.

The chapter on Records Retention covers the general procedures for establishing and administering a records retention program. Records retention is an important, if not essential, element of any legal compliance program. In fact, it is impossible for any company to establish and maintain a compliance system without a comprehensive records retention program that is respected throughout the company and demanded by its senior managers. Records retention relates to the management of the entire life cycle of documents and other records created or received during the course of the day-to-day operations of a company. Various types of records are subject to specific legal requirements relating to retention, storage and destruction, and every company needs to be mindful of these requirements and establish policies for ensuring compliance. Moreover, records contain the information necessary for the business of the company to function effectively, and thus it is important from a strategic perspective to adopt and follow procedures that allow managers and employees to quickly find and access the information that they need in order to perform their roles for the company. The chapter describes the steps to be taken to launch and maintain such a program, including the essential elements of the program, policies and procedures, identification and storage of records, establishment of records retention schedules, records destruction procedures, and staffing and administration of the program. An overview of relevant laws and regulations is also included along with a discussion of specific records retention requirements.

The chapter on Contract Management covers the processes and procedures that companies may implement in order to manage the negotiation, execution, performance, modification and termination of contracts with various parties including customers, vendors, distributors, contractors and employees. While businesspeople often dismiss contract preparation as “lawyer’s work” that has little or nothing to do with the important aspects of the working relationship between the contractual parties, contracting is actually one of the crucial activities in determining the success of any business arrangement. The chapter describes the essential steps in the contracting process, including organizational processes for review and approval of proposed contracts, and discusses various issues pertaining to management and oversight of the contracting process and measuring the performance and efficacy of that process. The chapter also includes a brief summary of some of the basic principles of contract law.


The chapter on Internal Investigations covers the general procedures for conducting internal investigations. The term “internal investigation” can be understood to include all of the activities engaged in by companies to collect and evaluate information relating to purported wrongdoing, and the results of any such investigation can be used to fulfill the responsibilities imposed on companies under various federal and state laws to police their own conduct and compliance and report any potential misconduct to the regulatory authorities that oversee the enforcement of such laws. Investigations must be conducted carefully and managed by experienced lawyers and compliance professionals. Specifically, precautions must be taken to manage the expense of the process and reduce disruption to business operations. In addition, care must be taken in structuring and conducting internal investigations to maximize the likelihood that the results of the investigation will be eligible for protection under the attorney-client privilege and that the work-product doctrine is available to protect the impressions collected during an investigation. The chapter describes the steps to be taken to conduct effective investigations and how information obtained during the course of an investigation can be protected from unwanted disclosure.

The chapter on Disclosure Controls and Procedures is intended primarily for executives, directors and senior managers of public companies that are subject to various rules and regulations in the federal Securities Exchange Act of 1934, as well as pronouncements by the Securities and Exchange Commission, that impose strict obligations with respect to disclosure controls and procedures. Specifically, such companies must establish and maintain disclosure and internal controls; periodically evaluate the effectiveness of such controls; and provide investors with reports on the effectiveness of such controls and certifications from senior management regarding such controls. In order to meet their obligations under these requirements, and provide adequate protections for senior managers (particularly the CEO and CFO), public companies must develop a procedural framework for collecting and evaluating information regarding their businesses to determine the scope and timing of disclosures to the investment community. Internal controls must also be established to monitor the effectiveness and efficiency of the operations of the business, ensure that information in financial reports is accurate and support the company’s efforts to comply with applicable laws and regulations. The chapter covers the applicable regulatory framework, establishment of disclosure controls and procedures and creation and management of a disclosure committee.


Chapter 4 – Risk Assessments

Setting the Stage

All companies, regardless of their size and the industries in which they operate, are facing greater challenges with respect to identifying and managing the internal and environmental risks that are related to their day-to-day activities. While larger companies are particularly focused on the risks associated with corporate governance issues, founders and executives everywhere should be concerned about the potential adverse impact of natural disasters, litigation or government investigations, physical infrastructure and facilities risks, terrorist attacks, unforeseen changes in customer requirements, the entry of new competitors or introduction of new technologies, credit and market risks, breakdowns in internal controls, and security breaches that can lead to financial losses and reputational damage. All this means that companies must integrate risk management into their overall strategic business planning effort to reduce and manage uncertainties in the environment in which they operate. In order to do this, companies must embrace risk assessment processes that allow them to benchmark, or compare, the risk areas and compliance activities of their company against firms of similar size engaged in comparable operational and business activities. The output of these processes then becomes the basis for designing effective compliance programs and setting operational priorities for everyone in the workplace.

Key Topics Covered

Key topics covered in this chapter include the following:

• The importance and definitions of risk assessments
• Best practices for conducting risk assessments
• Activities in the risk assessment process
• Choosing between in-house risk assessments or outsourcing
• Risk management techniques for emerging companies

Learning Objectives

After reading this chapter, you should be able to:

1. Identify and understand the risks that are the greatest concerns for corporate executives.
2. Recognize factors that are strong indicators of increased risk.
3. Explain operational risk and its various categories.
4. Explain the activities associated with an effective risk assessment process.
5. Understand and apply “best practices” for conducting risk assessments.

§4:1 Risk management—a corporate imperative for the executive team

All companies, regardless of their size and the industries in which they operate, are facing greater challenges with respect to identifying and managing the environmental risks that are related to their day-to-day activities. It is becoming routine practice for larger companies to create a corporate risk manager position and to have that position report directly to the chief executive officer. Surveys indicate that risk management will continue to be a major concern for corporate executives in the years to come, and the areas that are of most concern seem to fall into the following categories:

• Corporate governance issues, including the impact of the federal Sarbanes-Oxley Act of 2002 (“Sarbanes-Oxley”) and the growing interest and active intervention in corporate governance among specific states in the United States and in foreign countries.1 In addition to the costs of actual liability for violation of corporate governance laws and regulations, companies are being forced to invest substantial amounts in compliance programs in order to satisfy the requirements of financial exchanges and business partners who themselves are heavily regulated.
• Natural disasters (e.g., hurricanes, flooding and earthquakes) in the United States and in foreign countries where companies have substantial assets and/or are engaged in a high volume of business activities.
• Higher levels of litigation that can result not only in liability for claims made against a company but also in substantial additional expenses to defend against the lawsuits even if the company is ultimately found not to be liable. Companies are being sued for all sorts of potential claims ranging from products liability to mismanagement of employee benefit plans, and the number of active lawsuits that larger companies may be defending at any point in time generally runs into the hundreds.
• Physical infrastructure and facilities risks, including the rising costs of maintaining aging facilities and the potential damage to products, property and humans that may occur as the company operates over public roads and railways.
• Governmental regulation, apart from the corporate governance issues referred to above, that carries higher costs of compliance which will ultimately cause companies to raise the prices of their products and services and risk loss of market share to competitors.

The list above is by no means all inclusive, and companies must also anticipate the possibility of terrorist attacks, unforeseen changes in customer requirements and the entry of new competitors or introduction of new technologies. In addition, as companies do more and more business outside of the United States they are exposed to local risks in each foreign country where they are operating, including a unique set of laws and regulations and the possibility that changes in the political environment will have a negative impact on foreign companies. Finally, while new communications technologies have revolutionized the way that business is conducted they also create new potential hazards—the risk that a business can be shut down by natural disasters that disable the communications infrastructure and potential liability for theft of personal information that has been entrusted to companies for safekeeping. Fortunately, the increase in risk has been accompanied by the development of new tools to manage those risks. Even small companies can establish systems to collect and analyze information regarding potential events that may result in losses, and insurance companies are working with their customers on enterprise risk management (“ERM”). In fact, a number of providers offer in-person and online courses on various aspects of ERM, and companies should seriously consider having all of their top managers participate on a regular basis. Companies can also purchase sophisticated software tools that purport to provide integrated solutions for internal audits, financial controls management, risk management, information technology and governance/compliance. Among other things, the software allows companies to document, track and report on compliance policies and procedures and establish and maintain a standard library of industry specific laws and regulations. Viewed properly, risk management is part of the company’s overall strategic business planning effort to reduce and manage uncertainties in the environment in which the company operates.

1 For further discussion of the Sarbanes-Oxley Act of 2002 and corporate governance challenges in general, see “Governance: A Library of Resources for Growth-Oriented Entrepreneurs” prepared and distributed by the International Center for Growth-Oriented Entrepreneurship (www.growthentrepreneurship.org).

§4:2 Importance of risk assessments

Risk assessment refers to the company’s process for identifying and addressing the business risks that it faces in conducting its activities. Such an assessment must address all of the threats to management’s ability to achieve the company’s objectives, including those in the areas of operations, financial reporting and compliance with laws and regulations. The process of risk assessment includes identifying the risks, estimating the significance of the risks, and then selecting methods to manage them. Auditors and others have identified a number of factors that they consider strong indications of increased financial risk. Therefore, management should be aware of their existence and increase its control mechanisms when the following factors exist:

• Changes in the organization’s regulatory or operating environment;
• Changes in personnel;
• New or revamped information systems;
• Rapid growth of the organization;
• Changes in technology affecting production processes or information systems;
• New business models, products or activities;
• Corporate restructurings;
• Expansion or acquisition of foreign operations; and
• Adoption of new accounting principles or changing accounting principles.

There are a number of different definitions of “risk.” For example, Webster’s Collegiate Dictionary refers to risk as the “possibility of loss or injury” and the Project Management Institute has defined the term as an uncertain event or condition that, if it occurs, has a positive or negative effect on the company impacted by the event or condition.2 A common element in both definitions is the inability to predict with certainty whether an identified risk will indeed occur and the difficulty of determining the magnitude and timing of any loss or injury. While some risks may be impossible to manage or mitigate, in general risk assessment assumes that it is worthwhile to attempt to identify and analyze the risks confronting a company and invest resources in strategies that will hopefully provide the company with some degree of control over the impact that the risks might have on its operations and survival.

2 Project Management Institute, A Guide to the Project Management Body of Knowledge (3d ed. 2004).


Risk assessment is primarily concerned with what are generally referred to as operational risks (also sometimes called transaction risks), which are risks of loss or injury to the company from inadequacies or failures relating to processes, systems or people (e.g., fraud or error). Operational risks can arise from internal and external factors and can be found in every major business activity of the company. Operational risks may be broken down into various categories such as credit and market risks, reputation risks, strategic risks and compliance risks. For example, credit and market risks include an unforeseen adverse decline in the liquidity of a key customer that must be addressed by changes in underwriting policies and collection systems to avoid significant losses and higher costs of servicing that customer. Reputation risks include the possibility of security breaches that result in the loss of confidential information and the loss of confidence of customers and other business partners. Strategic risk increases when the company fails to invest in the resources necessary for collection and analysis of all of the information needed to make proper and informed decisions about major new investments. Finally, compliance risks include failure to comply with legal and regulatory requirements applicable to the company’s products and services, which leads to civil and/or criminal penalties. Rather than posit a definition of “risk assessment,” it is more useful to focus on the various activities associated with an effective risk assessment process:

• Identify the risks that are most relevant to the company and develop a short description of the key characteristics of each risk so that it can be analyzed and strategies created for mitigating or eliminating them.
• The identified risks should then be put through qualitative and quantitative analysis in order to determine which of those risks are most likely to occur and the potential impact of their occurrence on the company. For example, it may be highly likely that an identified type of loss may occur; however, the magnitude of the loss may be so small that the company decides not to invest heavily in prevention.
• The company should make an attempt to define its “risk appetite” to determine which types of identified risks are most problematic for the company and thus appropriate targets for mitigation activities. A company’s risk appetite is the level of risk that is considered acceptable and may vary depending on the point of reference—financial, legal, operational or reputational.
• The next step is risk mitigation, which involves developing compliance programs and internal controls designed to reduce risks to levels consistent with the company’s risk appetite. Assuming scarce resources, risk mitigation includes decisions about which areas of risk should be given the highest priority during a given period of time.
• The final piece of a risk assessment program is establishing benchmarks for measuring the effectiveness of the company’s risk mitigation efforts and procedures for continuous risk assessment to identify and manage new risks that may arise as the activities of the company and its external environment change.

Certainly the primary goal of a risk assessment process is to identify and manage the risks that may confront the company and reduce the actual instances of loss or other injury to the company. In addition, however, the existence of a risk assessment process has become an essential element of overall compliance procedures. Risk assessment is an activity that complements the efforts of the company with regard to compliance audits and establishing and administering effective compliance programs. Risk assessment is a valuable tool for prioritizing compliance program initiatives and investment of resources in compliance (i.e., budgeting) and for creating a strategy for improving the effectiveness of compliance programs so as to reduce the “risk of loss” associated with material violations of laws and regulations. The presence of a risk assessment program is also an indicator of good faith efforts to comply with applicable laws and regulations that can be used in civil or criminal proceedings to avoid liability or reduce penalties imposed under the Sentencing Guidelines. For example, the Sentencing Guidelines effectively mandate that organizations periodically assess the risk of criminal conduct and take appropriate steps to reduce the risk of criminal conduct identified through this process.3 Apparently the potential benefits of risk assessment have been embraced in the business community, and periodic risk assessments are now commonplace activities in a majority of the larger companies based in the United States. A number of important questions must be considered and answered when designing a risk assessment program. For example, key risk areas must be identified and then an effort must be made to prioritize those risks to determine which areas should be addressed first and how much time and effort should be put into each of the areas that are placed on the list. The composition of the internal risk assessment team should also be carefully evaluated along with the question of whether the risk assessment process should be managed internally or turned over to a qualified outside party.
The structure and sequencing of the risk assessment process must be decided upon and responsibility should be allocated among the participants for creating the necessary evaluation tools. In addition, of course, the form of the report that is the end product of the risk assessment should be agreed upon in advance, and the report should be appropriate in scope and detail for several potential recipients including the board of directors and regulatory agencies. Finally, the frequency of the risk assessments should be decided upon and steps should be taken to ensure that responsible parties within the company stay abreast of new developments, so that the company’s risk assessment process continues to conform to the requirements of the Sentencing Guidelines and standards laid down by the courts and various federal and state regulatory agencies. A proper risk assessment should focus on the entire range of legal and ethical risks confronting the company and should cover all of the laws and regulations, domestic and international, to which the company is subject as a result of its business activities. The goal of the risk assessment process is to identify and quantify the risk areas relating to the company and use that information to develop, administer and monitor compliance programs. In order for a risk assessment to be effective, the tools described herein with respect to conducting a compliance audit must be used and the results thereof factored into the risk analysis. Companies may also perform internal audits; however, those audits are more limited than a full-blown risk assessment in that internal auditors concentrate on testing internal controls, particularly in the finance and accounting area, while the risk assessment is much broader. The results obtained by the internal auditors can and should be integrated into the overall risk assessment since the purpose of internal controls is similar to that of compliance programs and procedures. In fact, risk assessment is one of the essential elements of internal control along with the establishment of the control environment; control activities; accounting, information and communication systems; and self-assessment or monitoring. Public companies subject to Sarbanes-Oxley are expected to implement and administer a formal risk assessment process as part of their internal controls.

3 USSG § 8B2.1(c).

§4:3 Best practices for conducting risk assessments

As the number of companies conducting risk assessments has increased, notice can be taken of emerging best practices that can be used to design new programs and improve the effectiveness of programs that are already in place. One respected group with substantial experience in the risk assessment area has suggested the following guidelines4:

• The risk assessment process should cover all areas in which there is a material risk of potential misconduct, including areas that are unique to the company’s industry as well as risks associated with failing to comply with all of the material federal, state and local laws and regulations applicable to the company’s business.
• While the risk assessment process should be sufficiently broad to address all material risks, it must also be done in context and recognize the limitations imposed by the company resources that are available for the assessment and for remedial measures.
• The risk assessment process should include collection and analysis of relevant industry information and data regarding the company’s history with respect to the identified risk areas.
• An attempt should be made to involve managers and employees from all levels within the company’s organizational structure since many risks, and solutions, are best identified at lower levels of the organization.
• Each risk area should be given a measurement for “likelihood” and “severity” and an effort should be made to quantify each risk area to gauge the potential loss or injury to the company.
• The risk assessment should be conducted in a defensibly objective manner and properly documented in anticipation of sharing the process and outcomes with regulatory authorities.
• The risk assessment process should be institutionalized and assessments should be conducted on a regular basis.
• The outcome of the risk assessment process should be used to benchmark the company’s compliance programs against the processes used by similar firms and the standards laid down by regulatory agencies and the courts.
• Any deficiencies in the company’s compliance programs identified during the risk assessment process should be promptly addressed through remedial actions and procedures should be implemented to monitor and evaluate the effectiveness of such remedial actions.

4 The discussion is based on “Framework for Conducting Effective Compliance and Risk Assessments,” Association of Corporate Counsel InfoPAK (Sponsored by Corpedia, Inc.) (August 2008), 10-16.

§4:4 --Cover all major areas of potential misconduct

A proper risk assessment process should cover all major areas of potential misconduct, not just those areas that appear, at least initially, to have the greatest likelihood of a high impact risk to the company. This means that in addition to identifying risks that are systematic to the “average company” the parties conducting the assessment must also look at risks that are unique to the company’s industry as well as risks associated with failing to comply with all of the material federal, state and local laws and regulations applicable to the company’s business. In addition, the risk assessment must go beyond the “letter of the law” to include ethical issues that might suddenly emerge as threats to the company’s overall image and reputation. Finally, when putting together the list of risk areas an effort should be made to predict risks that might reasonably arise at some point in the future due to foreseeable changes in the law or attitudes regarding the acceptability of what might currently be considered “common” business practices.

§4:5 --Examine risk in the context of the company’s resources

While the scope of the risks that should be assessed should be quite broad, consideration must also be given to the actual context of the company’s resources and the ability of the particular company to acquire and deploy the resources necessary for preventing or mitigating risks in every possible area. For example, as part of the assessment process an examination should be made of the controls, processes and procedures that are currently in place to ensure compliance including the knowledge and abilities of those managers and employees responsible for compliance activities. If deficiencies are identified the assessment process must develop recommendations for improvement and a reasonable estimate of the costs associated with closing any gaps in the risk management framework of the company. This information is essential for making decisions about what remedial actions can and should be taken.

§4:6 --Use industry information and company history

When identifying and assessing risks and designing risk prevention and mitigation procedures, consideration should be given to available industry information and historical data on the company’s own experience with compliance issues and actual losses and damages. It is useful to know and understand the problems that have been faced by competitors and to evaluate the steps that they have taken to improve their compliance programs in specific areas since presumably the company is more likely to be confronted with similar problems at some point in the future. Data should be collected on actual compliance failures and on cases where competitors were able to avoid losses and damages after an initial surprise that uncovered a gap in their controls and procedures. Review of the company’s actual compliance history is important to understand what steps have already been taken to improve its controls and procedures since regulators will closely scrutinize what the company has done to prevent problems that have already arisen from arising again in the future.

§4:7 --Include managers and employees from all organizational levels

Participants from every level of the organizational structure of the company—executives, managers and employees—should be included in the risk assessment process to ensure that all relevant risks are identified and that sufficient information is collected and analyzed to evaluate the risk and design controls and procedures that will be accepted by the people most involved with the risk areas. This means identifying the leaders of all functional departments as well as those persons with responsibility for overseeing business units and project teams and making sure that they are actively involved in the risk assessment process. They should be sure that employees reporting to them have opportunities to provide their input on areas of concern since many risks are best identified at lower levels of the organization. A variety of tools should be used to collect information including written surveys, individual interviews and workshops and focus groups. Another advantage of having a wide range of company personnel involved in the risk assessment process is that it allows the company to measure the level of employee knowledge regarding compliance issues and the rules and controls that have already been implemented in the company’s existing compliance programs. If the assessment reveals that employees are having trouble understanding the issues and rules that have been put in place, remedial action, such as increased training, can be taken.

§4:8 --Analyze both the impact and likelihood of the occurrence of a risk

Each risk should be analyzed to determine the potential impact on the company if an adverse event happens and the likelihood of the occurrence of an adverse event. For example, a particular event might be catastrophic to the company; however, the likelihood of occurrence may be extremely remote (e.g., a missile launched by a foreign government hits and destroys the company’s main manufacturing facility). On the other hand, a company that uses a large number of trucks to deliver its goods is quite likely to have costs for parking violations; however, this should not be a substantial loss for the company. Most companies that conduct risk assessments use some sort of weighting or rating system that quantifies both the “likelihood” and the “severity” of the various risks on the assessment list and this allows them to make informed decisions about where they should allocate their resources in the compliance area.

§4:9 --Quantify each risk area

In addition to measuring the “likelihood” and “severity” of each risk area, as described above, the risk assessment process should quantify each risk area to obtain a more precise measure of the potential loss or injury to the company. This facilitates the creation of a ranking of the risks confronting the company that can then be used to allocate financial resources and personnel toward bolstering of internal controls and compliance programs. For example, if the quantified measure of a particular risk area is $1 million and allocation of $50,000 toward improved compliance activities in that area is likely to reduce the quantified measure to $300,000 then it would appear that the investment is worthwhile although a comparison must obviously be made to similar proposals for other risk areas. Comparisons to quantified measures included in prior risk assessments can also be used to demonstrate how effective changes in compliance programs have been over a particular time period.

§4:10 --Document the outcome of the risk assessment process

The methodology of the risk assessment, as well as the results and the remedial actions taken, should be carefully and clearly documented to create a record of the company’s good faith efforts to maintain and continuously improve its compliance programs and procedures. This record can be used as an affirmative defense in the event of a subsequent civil or criminal action and also provides guidance to company personnel on actions that should be taken to ensure compliance programs are run properly. It is particularly useful for the record to show how the company modified its compliance programs to address specific shortcomings identified during the risk assessment.

§4:11 --Conduct the risk assessment in a defensibly objective manner

The entire risk assessment process should be conducted in a manner that is defensibly objective in order for the results to be treated seriously by regulators and other stakeholders at some point in the future. Among other things, this means making sure that all applicable risks are identified and analyzed fairly and objectively without bias or any attempt to cover up a problem out of fear that disclosure may have an adverse impact on the finances and business of the company and/or the careers of parties associated with the particular risk. The company should not be afraid to refer to superior practices of other firms in the company’s industry and should not ignore problems that have continuously arisen in the past. One way that companies seek to enhance the objectivity of their risk assessments is to turn to independent outside parties to conduct the assessments and deliver the results to the executives of the company.

§4:12 --Conduct risk assessments on a regular basis

Risk assessments must become a permanent part of the company’s compliance activities and plans should be made for conducting risk assessments on a regular basis. Industry practice should be consulted to determine the frequency of the assessment; however, in most cases an assessment should be done annually and rarely is it advisable to do an assessment less frequently than every two years. In many cases a follow-up review for a particular risk area may need to be done before the next full risk assessment is conducted. Conducting risk assessments on a regular basis demonstrates commitment to the process and also ensures that the company has access to timely information that can be used to monitor and, if necessary, modify its controls and compliance programs.

§4:13 --Benchmark the company’s compliance programs

One of the measures used in the Sentencing Guidelines for gauging the effectiveness of a company’s compliance program is how it stacks up against “accepted or applicable industry practice.” Accordingly, one of the goals of the risk assessment should be to benchmark, or compare, the risk areas and compliance activities of the company against firms of similar size engaged in comparable operational and business activities. Admittedly, detailed information on other firms is often hard to find; however, there are publicly available sources for information on compliance programs of various organizations.

§4:14 Risk assessment process

An effective risk assessment begins with careful planning and it is important for the company to adopt a standardized and well documented process that is clear to everyone involved and which will be respected by everyone within the company and by relevant external parties including regulatory agencies. The risk assessment process should be comprehensive and cover all of the material risk areas throughout the organizational structure of the company. The goals and purposes of the risk assessment should be set at the beginning and should include an objective analysis and ranking of the company’s risk areas and concrete recommendations regarding risk mitigation activities that can be implemented in order to preserve the value of the company and sustain the company’s business operations. The steps that should be taken in the risk assessment process may vary depending on the size of the company and its prior history in conducting risk assessments. For example, the organizational profile described below should be created during the company’s initial risk assessment; however, once the work on the initial profile has been completed it is not necessary to replicate all of it in subsequent periods, although it should be carefully reviewed to determine whether updates are necessary in light of changes in the company’s business activities and/or the relevant legal and regulatory environment. The sections below describe the key steps that many organizations take in order to carry out their risk assessment processes. Risk assessment is a demanding exercise; however, the information generated can provide a fascinating picture of the company’s operational activities and allow the directors and members of the executive team to make good and reasoned decisions about how the company’s compliance activities should be structured and supported.
Members of the risk assessment team should expect to conduct interviews with a wide range of persons from throughout the organizational structure of the company; collect information using written surveys and questionnaires; review company policies and documentation relating to internal control activities; inspect and evaluate the company’s key business processes; and obtain and review data on risk assessment and mitigation activities of other firms in the company’s industry.

§4:15 --Purposes and uses of the assessment

Before investing significant time, money and other resources in a risk assessment, consideration must be given to designing the process and making sure that everyone involved is on the same page with regard to fundamental issues such as the end product of the process, the audience for the information and results generated by the assessment, the proposed uses of the results of the assessment, and the form and content of the reports that will be created during the assessment. In general, the primary goal in conducting formal risk assessments on a regular basis is to ensure that the company has an effective compliance and ethics program; however, the assessment should also be used as a tool for ensuring the company is setting the appropriate priorities for its compliance activities and focusing on those particular areas that are of greatest concern in light of the company’s business activities. The initial risk assessment will necessarily be quite broad but as time goes by the process will focus on a narrower set of areas that are particularly problematic while the risk assessment team remains vigilant about new risks that may not have been evaluated in previous periods. There are generally several different target audiences for the report that comes out of the risk assessment process and the report should be prepared in a way that ensures that each of the audiences receives the information that they need in order to discharge their responsibilities and provide support for the company’s compliance activities. The most common target audiences for the report include the board of directors and, in particular, the audit or other committee of the board to which responsibility for oversight of compliance activities has been delegated; the members of the company’s executive team; and the company’s internal and external legal advisors. Other potential audiences for the report include the company’s internal audit group and human resources department; the company’s insurance carriers and underwriters; and the company’s managers and employees. It is important to identify each target audience well before the report is written since the nature of the audience is an important factor in deciding what type of information should be collected during the assessment for analysis.

As noted above, the primary purpose of the risk assessment report is to provide the board of directors and members of the executive team with sufficient information to create and modify the company’s compliance programs and processes. In addition, the report is often used to design training programs for managers and employees to educate them about the legal requirements associated with those risk areas that have been identified during the assessment as being most problematic. A risk assessment also allows companies to make smarter decisions about purchasing insurance coverage that can reduce their potential exposure to losses that might be suffered should a covered event occur. Finally, an assessment may identify a product line or customer relationship that has become too risky in relation to the company’s other business activities and this information may be the catalyst for divestment activities. The form and content of the risk assessment report is a function of the various matters discussed above—purpose, audiences and uses—and the desire to maintain the confidentiality of the information collected and, if possible, preserve all available attorney-client or work product privileges in connection with information that might later be relevant in the context of a governmental investigation or civil or criminal litigation. Participants in the risk assessment process will be drawn from all parts of the organization and few of them will have a workable understanding of how records regarding their work on the assessment should be prepared to reduce the risk that they might someday be used against the company. In general, participants should be admonished to keep their writings clear, concise and neutral and to be mindful that what they record might easily be taken out of context. 
Particular care should be taken when writing about potential problems that “could” happen at some point in the future since comments on these issues might be construed as preexisting knowledge of the problem and thus raise issues about whether the company acted appropriately to resolve the problem if it somehow arises at a later date. In order to create greater uniformity in the way in which actual and potential risks are described and ranked, participants should be given templates that should be used as the exclusive means for recording results and impressions. The information collected during the assessment process should also be protected by limiting distribution of report drafts and other documents.

§4:16 --Planning the assessment process

A risk assessment is a complex undertaking and should be approached with the same level of planning as any other major project undertaken by the company. It is essential to identify the members of the risk assessment team and make sure that they have a formal plan in place for conducting the assessment that addresses all risk areas identified at the outset and also is flexible enough to include new areas that might be identified once the assessment has begun. As with any team activity the success or failure of the risk assessment is closely linked to the choice of the team leader. He or she must have a good working knowledge of the key compliance issues and training in the methodology and processes that need to be used in order for the assessment to be effective. Possible candidates inside the company include the general counsel; the chief compliance or ethics officer; the director of risk management, if such a position has been created; or the top manager of the human resources function. Some companies designate one of the persons listed above as the “executive head” of the assessment project and allow him or her to appoint a team leader who will be assigned to the project on a full-time basis and report back up to the person who made the appointment.5 The composition of the risk assessment team should align smoothly with the scope of the risk areas that are to be assessed and members are typically drawn from all parts of the organizational structure of the company. If the general counsel or chief compliance officer is not appointed as the team leader they should still be part of the team and subject matter experts from both the legal and compliance departments should also lend their support. In addition, each major functional department and business unit should be represented on the team, preferably by the department or unit head.
Gaps in substantive legal knowledge and/or assessment methodology may be filled by external parties including outside attorneys and accountants and consultants that specialize in assessment techniques. Once the risk assessment team is in place, attention turns to creating a plan for the specific assessment that must be conducted. If the company has not performed a comprehensive risk assessment in the past all of the steps described below should be completed including creation of an overall company profile, identification of all actual and reasonably foreseeable risk areas, analysis of each identified risk area and ranking of those areas by reference to the magnitude of potential harm to the company, and the preparation of the risk assessment report and the recommendations for appropriate remedial actions. On the other hand, if the company has been regularly conducting risk assessments for a number of years the scope of the project may be limited and the available resources may be focused on those areas that have been problematic in prior assessments and on the analysis of new risk areas that have been identified since the last formal assessment. In any case, plans must be made for all necessary and appropriate surveys, interviews and inspections and the team leader should prepare a schedule for the assessment that includes specific milestones for completion of each of the interim activities that lead up to the final assessment report.

5 For discussion of staffing the compliance team, see the chapter on “Elements of Effective Compliance Programs” in this Library.

§4:17 --Preparing an organizational profile

A risk assessment cannot be complete or effective unless the assessment team has a thorough understanding of the business activities of the company, its organizational structure and the external environment in which the company is currently operating and is likely to operate in the foreseeable future. It is therefore important, particularly for the initial risk assessment, to complete an organizational profile of the company that includes a comprehensive review and description of the company’s products, services and markets; its strategy and supporting core competencies (i.e., competitive advantages); the competitive environment in which it operates; and the legal and regulatory factors applicable to its operations. Special areas of interest might include unionization among the company’s workforce and international operations. The organizational structure of the company should be included in the profile along with a description of the activities of each functional department and business unit. Historical information on compliance and litigation issues should also be part of the profile. Much of the data for the profile may already be available in the company’s strategic and business plans; however, additional research may be necessary to uncover relevant information on risk areas.
If the executive team is considering a change in the company’s business strategy, such as introducing new product lines and/or entering new markets, the organizational profile should include an analysis of such changes so that the risks associated therewith can be evaluated as part of the overall assessment process.6 While the organizational profile should be comprehensive and generally can be quite lengthy, this is also the time for the risk assessment team to take a step back and attempt to create a preliminary picture of the risk profile confronting the company or the specific business unit that is the subject of the assessment. One way to do this is to go through a short list of relatively simple questions such as the following:

• What is the overall mission/purpose of the company and what are its current major goals and objectives?
• What are the major concerns relating to the ability of the company to attain its goals and objectives?
• Have there been changes in external factors such as laws and regulations?
• Have the terms of any of the company’s material contracts changed?
• Are any of the company’s material contracts up for renewal or in danger of early termination against the will of the company? If a contract is not renewed (or terminated against the will of the company) is a contingency plan required and, if so, is there one?
• Have there been changes in key personnel during the past year? Has there been high staff turnover in the past few years?
• Is the company’s staff well trained and properly motivated?
• Are the company’s business processes simple and routine or complex and nonroutine?
• Are the company’s procedures and processes documented (i.e., procedure manuals)?
• Has the company failed to accomplish major goals and objectives in the past and, if so, why did the failure occur?
• Have there been changes in information systems in the past year?
• Has the company taken on new activities and/or has there been any major restructuring of the company’s internal organizational structure?
• Does the unit have a contingency plan if there were a major disruption in provision of services (e.g., all staff on leave of absence, information systems crash, a permanent loss of facilities or key personnel, all paper records destroyed)?
• What risks have increased or decreased during the past year and why has this occurred (e.g., major changes in industry-applicable technology and/or competitive environment)?

6 For further guidelines on preparing the organizational profile see the discussion on collecting information to perform a compliance audit in the chapter on “Compliance Audits” in this Library.

At this point the most important thing to try and do is identify each of the events or circumstances that might interfere with the company’s ability to achieve its principal goals and objectives. These risk events will be the subject of more thorough analysis as part of the actual risk assessment; however, it is useful to make a preliminary estimate of the likelihood of the event, the damage or injury to the company should the event occur, the steps that can be taken to manage the occurrence and impact of the event and the cost and feasibility of eliminating (or substantially reducing the likelihood of) the event.

§4:18 --Identifying and ranking risk areas

Using the information in the organizational profile the members of the risk assessment team should identify all of the risk areas associated with the company’s business activities. Every business is confronted by day-to-day operational risks such as the possibility that a shipment of supplies will be delayed or a large check from a customer will not arrive. The focus of the risk assessment, however, is on risks that might lead to allegations of misconduct against the company or compliance miscues that might expose the company to governmental investigations or civil or criminal proceedings. The risk assessment must also focus on ethical lapses that, while not illegal, may nonetheless cause substantial damage to the image and reputation of the company. Identification of risk areas is best done by analyzing each of the significant business processes within the company to pinpoint the specific legal and ethical issues that might arise as those processes are carried out by the involved managers and employees. For example, an analysis of the company’s information technology assets and processes will typically generate a list of risk areas that includes security breaches; system failures; external events (e.g., natural disasters, terrorism or widespread power outages); misguided technology investments (e.g., obsolete software, incompatibility with existing systems or failure to correctly define business requirements and specifications); problems with systems development and implementation; and capacity shortages. Some of the risk areas will be truly company-specific, such as mistakes relating to technology investment, while other areas like software obsolescence and external events will be on the list of every firm in the company’s industry.

Once all of the risk areas have been identified an attempt should be made to rank all of them based on their “severity,” which is determined by the maximum potential adverse impact on the company in the event that there is a violation of law or other misconduct in the particular area. Certainly civil and criminal penalties which may be assessed in a governmental investigation or a lawsuit must be considered; however, other consequences should also be factored into the analysis including such things as the costs of defending and perhaps settling an investigation or lawsuit before penalties are assessed; a sharp decrease in the company’s stock price and/or financial performance (i.e., revenues and earnings); loss of employees, customers, vendors and other business partners; loss of privileges to engage in business activities with governmental agencies; damage to the company’s intellectual property and other assets; increased future compliance costs due to additional governmental scrutiny; increased cost of capital and difficulties in obtaining financing and credit; and harm to the company’s image and reputation due to adverse media coverage. In some cases the company may be forced to abandon key elements of its business model (e.g., divestiture of facilities and/or product lines) and select and implement costly new business strategies. Risk areas can be grouped into ascending categories such as “minor,” “moderate” and “severe” or can be given a numerical potential severity rating on a scale from 1 to 10 with 1 being the least severe and 10 being the most severe. If possible, reference should be made to the practices of peer companies in rating similar risk areas.
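The likelihood/severity weighting of §4:8, the dollar quantification and remediation comparison of §4:9 and the 1-10 severity scale just described, carried into a small risk register as an added example; this is not code from the book or from the Association of Corporate Counsel framework it cites. The 1-10 likelihood scale, the severity-band cut-offs, the sample risk areas and every proposal figure other than the text’s $1 million / $50,000 / $300,000 case are constructed assumptions.

```python
"""Semi-quantitative risk register for a compliance risk assessment.

Each risk area carries a "likelihood" and a "severity" rating plus a
quantified maximum loss; the register ranks the areas and checks whether
a remediation proposal reduces the quantified measure by more than it
costs.  Added example, not code from the book or from the ACC framework
it cites.  Constructed assumptions: the 1-10 likelihood scale, the
severity-band cut-offs, the sample risk areas and all proposal figures
other than the text's $1,000,000 / $50,000 / $300,000 case.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskArea:
    name: str
    likelihood: int   # 1 = extremely remote .. 10 = near certain (assumed scale)
    severity: int     # 1 = least severe .. 10 = most severe (scale from the text)
    max_loss: float   # quantified maximum potential loss, in dollars


@dataclass(frozen=True)
class Proposal:
    area: str
    cost: float              # spend on improved compliance activities in the area
    current_measure: float   # quantified measure of the risk area today
    residual_measure: float  # quantified measure expected after the spend


def severity_band(severity: int) -> str:
    """Map a 1-10 severity rating onto the ascending categories
    "minor", "moderate" and "severe" (cut-offs are assumed)."""
    if not 1 <= severity <= 10:
        raise ValueError("severity must be on the 1-10 scale")
    if severity <= 3:
        return "minor"
    if severity <= 6:
        return "moderate"
    return "severe"


def priority_score(risk: RiskArea) -> int:
    """Likelihood x severity: the weighting used to decide where
    compliance resources should go first."""
    return risk.likelihood * risk.severity


def expected_exposure(risk: RiskArea) -> float:
    """Likelihood-weighted loss in dollars.  A catastrophic but remote
    event and a frequent but trivial one both end up low."""
    return risk.likelihood / 10 * risk.max_loss


def rank_risks(risks):
    """Highest priority score first; ties broken by expected exposure."""
    return sorted(risks, key=lambda r: (priority_score(r), expected_exposure(r)),
                  reverse=True)


def remediation_value(p: Proposal):
    """Return (reduction in the quantified measure, reduction per dollar spent)."""
    reduction = p.current_measure - p.residual_measure
    return reduction, reduction / p.cost


def compare_proposals(proposals):
    """Proposals whose reduction exceeds their cost, best value first, so
    that spending in one risk area can be weighed against the others."""
    viable = [p for p in proposals if remediation_value(p)[0] > p.cost]
    return sorted(viable, key=lambda p: remediation_value(p)[1], reverse=True)


# Constructed sample register echoing the examples used in the text.
SAMPLE_RISKS = [
    RiskArea("missile strike on main plant", likelihood=1, severity=10, max_loss=250_000_000),
    RiskArea("delivery fleet parking violations", likelihood=9, severity=1, max_loss=40_000),
    RiskArea("customer data breach", likelihood=6, severity=8, max_loss=5_000_000),
    RiskArea("export-control filing errors", likelihood=4, severity=7, max_loss=2_000_000),
]

# First proposal uses the text's worked figures; the other two are constructed.
SAMPLE_PROPOSALS = [
    Proposal("customer data breach", cost=50_000, current_measure=1_000_000, residual_measure=300_000),
    Proposal("export-control filing errors", cost=120_000, current_measure=400_000, residual_measure=350_000),
    Proposal("delivery fleet parking violations", cost=10_000, current_measure=36_000, residual_measure=20_000),
]

if __name__ == "__main__":
    for r in rank_risks(SAMPLE_RISKS):
        print(f"{r.name:36} {severity_band(r.severity):9} score={priority_score(r):3d} "
              f"exposure=${expected_exposure(r):,.0f}")
    for p in compare_proposals(SAMPLE_PROPOSALS):
        reduction, ratio = remediation_value(p)
        print(f"{p.area:36} reduction=${reduction:,.0f} ({ratio:.1f}x cost)")
```

The export-control proposal drops out of the comparison because its $50,000 reduction costs $120,000, which is the comparison across risk areas the text says must follow the single-area calculation.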
18

Compliance: A Library of Resources for Growth-Oriented Entrepreneurs (2016) Part I – Compliance

§4:19 --Collecting and analyzing information

Identification and ranking of risk areas is an important step in defining the risk environment confronting the company; however, the true story can only be learned by actually collecting information from throughout the organization that allows the risk assessment team to ascertain the true level of loss or damage exposure for each of the risk areas. Information collection tools include interviews with the members of the executive team and senior and mid-level managers in each of the functional departments and business units; written surveys of employees; group meetings with employee groups to supplement the feedback obtained in the survey; visual inspections of business processes throughout the organization, including training programs on compliance and ethics issues; and review of documentation pertaining to the company’s compliance policies and procedures and internal controls. While the primary goal of the information collection and analysis is to determine the likelihood of misconduct and violations of law, this is also the time to verify that all of the relevant risk areas for the company have been identified and analyzed. When collecting the information the risk assessment team should be mindful of data that might ultimately mitigate or aggravate the loss or damage associated with a particular risk area. Another important issue to consider is the level of awareness within the organization regarding specific risks and the relevant legal and regulatory requirements. Many companies are expanding the information collection process to include key business partners. For example, in order to get an accurate picture of the risks associated with the company’s supply chain, relevant data must be obtained from key vendors.

Generally, the best way to get started is to use a simple risk assessment questionnaire that poses several basic questions in key risk areas such as human resources, information technology, compliance (i.e., laws and regulations), internal controls, asset and revenue management, consumer impact and business processes. Each area will have its own unique risk factors and the questionnaire should call on the user to rank those factors from high to low. The questions should be customized to take into account the company’s specific business activities. For example, the risk assessment questionnaire for a financial services company should include questions relating to industry-specific regulations (e.g., broker-dealer registration requirements, trading requirements and rules relating to safeguarding of client assets). Other questionnaires can be used to delve more deeply into specific risk areas such as the overall organizational control environment; major contractual arrangements; human resources; information systems; and operations (e.g., purchasing, accounts payable and inventory controls). Each risk area has its own unique set of compliance issues; however, as a general matter the information collection process for each area should focus on the following essential elements of an effective compliance program:7

• Written institutional code of ethics and conduct;
• Explicitly stated compliance policies and procedures;
• Training for all employees on code of ethics and compliance policies and standards;
• Training for affected employees on laws and regulations pertaining to their specific job responsibilities;
• Designation of a responsible company officer with appropriate powers and expertise relating to compliance issues;
• Adoption/provision of adequate procedures, resources, and systems to permit compliance;
• Maintenance of a process to allow anonymous reporting of alleged noncompliance and protection for employees who lodge reports;
• Regular monitoring and auditing to test compliance;
• Mechanisms to enforce rules and discipline rule violators;
• Management commitment to take corrective actions and follow up to ensure effectiveness of corrective actions;
• System to communicate corrective actions and follow up undertaken;
• Adequate Board-level oversight of compliance function; and
• Mechanism to communicate the impact of policies and procedures to the creators and enforcers of the policies and procedures.

7 For further discussion, see the chapter on “Elements of Effective Compliance Programs” in this Library.


The information to be collected, and the analysis to be performed, for various risk areas may actually be prescribed by statute or regulation. For example, the Privacy Rule and Security Rule contained in Title II of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), which govern use, disclosure and retention of health data, mandate that covered entities perform an accurate and thorough assessment of the potential risks and vulnerabilities to the integrity, confidentiality, and availability of health data, which should include an analysis of how the data flows into, through and out of the organization; how it is used; who receives it; and why it is disclosed.8

8 See 45 C.F.R. § 164.308(a)(1)(ii)(A).

§4:20 --Ascertaining likelihood or probability of risk events

The process of identifying and ranking risks by reference to the severity of the potential loss or injury if the risk event actually happens does not provide the company with a realistic picture of its risk profile. This occurs only after the information described above is collected and analyzed and the risk assessment team is in a position to make a reasoned estimate of the likelihood or probability of each of the identified risk areas. The risk assessment team will take into account various factors including the scope and strength of relevant compliance programs and procedures; the effectiveness of internal controls; the company’s organizational culture, particularly the amount of emphasis on ethical behavior; and the level of training and education of managers and employees. Companies commonly rate the likelihood or probability of risk events using a rating scale of 1-5 broken out as follows: 1 – Rare; 2 – Unlikely; 3 – Possible; 4 – Likely; and 5 – Almost Certain. Events that have happened in the past, either to the company or to similar firms in the company’s industry, are more likely to be assigned ratings of 3-5; however, mitigating factors such as implementation of strong compliance procedures may reduce the likelihood to 2 or even 1.

§4:21 --Compiling final ranking of risk areas

In order to prepare a useable ranking of risk areas that can be used to identify necessary changes in the company’s compliance programs and procedures, the risk assessment team must assign final risk scores to each risk area that take into account both the potential severity of the risk event to the company and the likelihood or probability that the event will actually occur. The simplest way to compute a risk score is to multiply the potential severity score for the event (i.e., 1-10 on a numerical scale with 10 being the most severe or damaging) by its likelihood/probability rating (i.e., 1-5 on a numerical scale with 5 being highly likely). For example, if an event poses a moderate level of severity to the company (e.g., a potential severity score of 5) and its likelihood falls into the “possible” range (e.g., a likelihood/probability rating of 3), then its risk score would be 15. All risk areas would be ranked from highest to lowest based on their risk scores so that decisions can be made as to what actions are appropriate for each of the areas in light of the available resources. Risk areas with the highest risk scores (e.g., high likelihood and severity) would demand the most attention while risk areas with the lowest risk scores (e.g., low likelihood and severity) would simply be monitored and re-evaluated from time to time to determine whether there has been a material change in the risk score. Risk areas that fall into the middle of the pack demand some sort of active attention from the company and are likely to be chosen for changes in compliance programs and special focus in future risk assessments. Companies generally cannot exert much influence on the level of severity of a particular risk area; however, they can work proactively to reduce the likelihood/probability of a highly severe risk area to the point where it is manageable.

§4:22 --Preparing final risk assessment report

One of the byproducts of the risk assessment is generation of a written report that describes the key steps in the assessment process, the material findings of the assessment team and the recommendations from the team for actions that should be taken in order to mitigate or eliminate material risk areas. The report is not only important as a roadmap to be followed inside the company; it can also be used as evidence to show to third parties that the company has an effective risk assessment program in place that it follows regularly. For example, the report can be provided to regulatory agencies to demonstrate that the company has policies and procedures in place that meet or exceed the requirements under the Sentencing Guidelines.
Among the most common elements of the risk assessment report are an identification and brief description of the most important risk areas; a compilation of the risk scores for each risk area including appropriate documentation to support the conclusions arrived at regarding likelihood/probability and severity; recommendations for actions to be taken to reduce risk exposure, each of which should be supported by a specific mitigation action plan that identifies the persons responsible for carrying out the plan, the actions to be taken and the schedule to be followed in executing the plan; a comparison of the results of the current risk assessment to prior years; and an analysis of how the company’s risk assessment processes and compliance programs compare to like firms in the company’s industry. The report should be carefully prepared so that the results cannot easily be misinterpreted in the event the report is later involved in a governmental investigation or other litigation. The risk assessment team may come up with a wide range of ideas for risk mitigation plans; however, the company rarely has the resources to implement all of the plans at one time and it is therefore necessary to prioritize the responses to fit with the available budget and the specific areas of greatest concern. Options vary depending on the specific risk area. For example, risks in the information technology area might be addressed by investing in and deploying new systems and technological solutions; contingency planning; creating new policies and procedures and/or modifying existing policies and procedures; strengthening internal controls; recruiting new personnel with necessary experience and skills to address a particular problem; insurance; and creating and enforcing new performance benchmarks. 
Each risk mitigation action plan should be closely monitored and responsible parties should be required to prepare and deliver regular reports to management personnel on implementation of the plans and how effective they are in addressing the identified problems. The responsible parties should also understand that the plans will be an important part of how their overall contribution to the company is evaluated.
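The scoring, ranking and year-over-year comparison described in §4:21 and §4:22, as an added Python example that is not part of the original text. The severity (1-10) and likelihood (1-5) scales are the ones given above; the action-tier thresholds, the five-point "material change" cut-off and the register entries are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Likelihood scale as given in §4:20.
LIKELIHOOD_LABELS = {1: "Rare", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Almost Certain"}

# Action tiers keyed by minimum score. The text only speaks of "highest",
# "middle of the pack" and "lowest" scores; these cut-offs are assumptions.
# The maximum possible score is 10 * 5 = 50.
TIER_THRESHOLDS = [(25, "priority mitigation"), (10, "active attention"), (0, "monitor and re-evaluate")]


@dataclass(frozen=True)
class RiskArea:
    name: str
    severity: int    # 1-10, 10 = most severe (§4:18)
    likelihood: int  # 1-5, 5 = almost certain (§4:20)


def risk_score(severity: int, likelihood: int) -> int:
    """Severity times likelihood, the simple scoring formula of §4:21."""
    if not 1 <= severity <= 10:
        raise ValueError(f"severity must be 1-10, got {severity}")
    if likelihood not in LIKELIHOOD_LABELS:
        raise ValueError(f"likelihood must be 1-5, got {likelihood}")
    return severity * likelihood


def action_tier(score: int) -> str:
    """Map a score to the (assumed) attention tier."""
    for floor, label in TIER_THRESHOLDS:
        if score >= floor:
            return label
    raise ValueError("score cannot be negative")


def rank_register(areas: List[RiskArea]) -> List[Tuple[str, int, str]]:
    """Rank risk areas highest score first. Ties are broken by severity,
    the factor the company can least influence (§4:21), then by name."""
    scored = [(a.name, risk_score(a.severity, a.likelihood), a.severity) for a in areas]
    scored.sort(key=lambda t: (-t[1], -t[2], t[0]))
    return [(name, score, action_tier(score)) for name, score, _ in scored]


def material_changes(current: List[RiskArea], prior: Dict[str, int],
                     threshold: int = 5) -> Dict[str, Optional[int]]:
    """Compare this assessment's scores with prior-year scores (§4:22).
    Returns name -> delta for areas whose score moved by at least
    `threshold` points (an assumed cut-off) and name -> None for areas
    that are new to the register."""
    changes: Dict[str, Optional[int]] = {}
    for a in current:
        score = risk_score(a.severity, a.likelihood)
        if a.name not in prior:
            changes[a.name] = None
        elif abs(score - prior[a.name]) >= threshold:
            changes[a.name] = score - prior[a.name]
    return changes


# Constructed register for an IT-heavy emerging company (sample values).
REGISTER = [
    RiskArea("Breach exposing customer personal information", 9, 3),
    RiskArea("Software obsolescence", 4, 4),
    RiskArea("Misguided technology investment", 6, 2),
    RiskArea("Natural disaster at primary facility", 8, 1),
]

# Prior-year scores (constructed). The breach likelihood was rated 4 last
# year, before stronger compliance procedures reduced it to 3.
PRIOR_SCORES = {
    "Breach exposing customer personal information": 36,
    "Software obsolescence": 16,
    "Natural disaster at primary facility": 8,
}

if __name__ == "__main__":
    for name, score, tier in rank_register(REGISTER):
        print(f"{score:>3}  {tier:<22}  {name}")
    print(material_changes(REGISTER, PRIOR_SCORES))
```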


§4:23 In-house risk assessments or outsourcing

The discussion of the risk assessment process set out above implicitly assumes that the assessment will be done “in-house” by company personnel. While most large companies take this approach, a significant minority choose to outsource the project to outside experts such as law firms, audit firms and consultants with specialized expertise in conducting risk assessments and using the various tools that are commonly deployed in the assessment process to collect and analyze information. Obviously this is an important choice and companies should carefully consider the pros and cons of each approach before making a decision. Smaller companies with limited financial resources are more likely to opt for turning the risk assessment project over to internal personnel. The rationale is that the assessment can be done with less expense and that the managers and employees assigned to the assessment know the company better than outsiders and can collect and analyze the information more quickly and without concern about disclosing sensitive information to outsiders. Critics of this approach maintain that most in-house risk assessments do not meet the minimum standards for “best practices” due, in large part, to the lack of expertise in the increasingly complex methodologies used in the risk assessment area and the lack of experience of managers and employees in conducting the interviews, surveys and inspections that are such a large part of an assessment and in effectively analyzing the data generated by those activities. Another potential drawback to an in-house risk assessment is a lack of objectivity that may result in ignoring or minimizing risk areas for political reasons or because it is known in advance that mitigation may be needed at a cost that is untenable given the resources available to the company at that time.

Advocates of using outside experts, including, of course, the experts themselves, argue that outsourcing effectively eliminates all of the disadvantages associated with an in-house risk assessment. For example, outside experts have the experience necessary for effective use of all of the information collection and analysis tools referred to above and they can not only collect more data but also interpret it in ways that yield higher quality results upon which decisions can be made by the directors and members of the executive team. Outside experts, particularly lawyers, are also much more familiar with the strategies that are most likely to preserve the confidentiality and security of the information collected during the assessment, including the ability to prepare risk assessment reports that are clear and concise and which do not contain ambiguities that might be used against the company in the future. Finally, outside experts bring an independence to the process that eliminates the harmful effects of bias that exist during an in-house assessment, and it can be expected that outside experts are more likely to provide objective measures of risk severity and likelihood/probability.

§4:24 Risk management techniques for emerging companies

The risk assessment process described above is generally suited for larger companies that have the resources available to undertake a comprehensive process of identifying,


assessing, analyzing and measuring specific risks. Emerging companies typically lack the resources and patience to implement a complex risk management system and are generally more focused on growth strategies, product development and forging new business relationships; however, some form of risk assessment and management process must be integrated into the operational activities of these firms lest they suddenly find that all of their hard work is in jeopardy due to failure to take fairly simple preventive measures. One suggested method for emerging companies is performing a “layers of protection analysis,” or “LOPA,” to determine whether the company has taken sufficient action to protect itself against adverse consequences of certain events.

The process for a LOPA depends on the particular risk, hazard or accident of concern to the company and the level of detail that the company is willing to commit to in carrying out the initial LOPA and subsequent assessments. A good example, which is certainly relevant to emerging companies from the time that they begin to expand their number of employees, is the LOPA that might be used in order to reduce the likelihood that the company will be harmed by illegal or unethical employee behavior. In that situation, a company may set a goal of establishing a reliable system for preventing, detecting and correcting employee behavior that is illegal, unethical or otherwise incompatible with the values that the company wishes to project to its stakeholders. In order to achieve this goal the company may establish three layers of protection which can be regularly evaluated under LOPA—prevention, which focuses on the initial selection and ongoing training of employees; internal detection and correction, which includes procedures designed to uncover and resolve problems at an early stage; and external detection and correction, which includes information obtained from outside of the company that identifies potential or actual legal or ethical problems that may eventually cause material damage to the company. The first layer, referred to as “prevention,” attempts to reduce the likelihood of employee behavior problems by making sure that employees are carefully selected and properly trained and that incentives are provided to employees to increase the likelihood that they will perform in the manner expected. 
Among the elements that should be included in this layer are the following: background checks; comprehensive interview and preemployment assessment procedures; new employee orientation programs; compliance training and awareness programs; policies, procedures and employee codes of conduct; control systems; performance evaluation procedures and reward systems tied to compliant behavior; and consistent communication from top management regarding the importance of legal and ethical behavior coupled with appropriate behavior by top management. The second layer, referred to as “internal detection and correction,” includes various tools and procedures for continuous internal monitoring of employee behavior to identify, and quickly resolve, potential issues before they escalate. Among the elements in this layer are the following: compliance monitoring; internal audits; risk assessments; employee questionnaires; ethics hotlines; and prompt and thorough investigation of potential issues followed by clear and effective corrective actions, including necessary modifications to prevention strategies in the first layer. Finally, the last layer, “external detection and correction,” relies on information from external sources to identify issues that may have not been picked up internally. In some cases the


information is voluntarily solicited by the company, as is the case when external consultants are brought in to audit the company’s compliance procedures. In other cases the information comes in the form of queries from governmental agencies or complaints received from customers, business partners, investors, or public interest groups.

The ideal situation for any company is to strengthen the first layer—prevention—to the point where a minimal amount of resources will need to be invested in the other two layers and the risk associated with a major problem is substantially reduced. The efficacy of the prevention layer can, and should, be constantly measured by reference to how much time and effort is expended on correction in the second and third layers, and lessons learned from dealing with problems that arise should be integrated into the preventive element in the form of training and modifications to reward systems. Not covered here, yet also important, is the implementation of crisis management procedures that can be used in the event that prevention, detection and correction are not sufficient to avert a major incident.

Summing Up

1. The risks that are the greatest concerns for corporate executives include corporate governance issues, which not only expose companies to the costs of actual liability for violation of corporate governance laws and regulations but also force them to invest substantial amounts in compliance programs; natural disasters (e.g., hurricanes, flooding and earthquakes) in countries where companies have substantial assets and/or are engaged in a high volume of business activities; higher levels of litigation that can result not only in liability for claims made against a company but also in substantial additional expenses to defend against the lawsuits even if the company is ultimately found not to be liable; physical infrastructure and facilities risks, including the rising costs of maintaining aging facilities and the potential damage to products, property and humans that may occur as the company operates over public roads and railways; governmental regulation that carries higher costs of compliance which will ultimately cause companies to raise the prices of their products and services and risk loss of market share to competitors; terrorist attacks, unforeseen changes in customer requirements and the entry of new competitors or introduction of new technologies; and cyber-attacks that disable a company’s communications infrastructure and expose companies to potential liability for theft of personal information that has been entrusted to them for safekeeping.

2. Management should be prepared to increase the company’s control mechanisms whenever there are changes in the organization’s regulatory or operating environment; changes in personnel; new or revamped information systems; rapid growth of the organization; changes in technology affecting production processes or information systems; new business models, products or activities; corporate restructurings; expansion or acquisition of foreign operations; and/or adoption of new accounting principles or changing accounting principles.

3. Risk assessment is primarily concerned with what are generally referred to as operational risks (also sometimes called transaction risks), which are risks of loss or injury to the company from inadequacies or failures relating to processes, systems or people (e.g., fraud or error). Operational risks can arise from internal and external factors and can be found in every major business activity of the company. Operational risks may be broken down into various categories such as credit and market risks, reputation risks, strategic risks and compliance risks. Credit and market risks include an unforeseen adverse decline in the liquidity of a key customer that must be addressed by changes in underwriting policies and collection systems to avoid significant losses and higher costs of servicing that customer. Reputation risks include the possibility of security breaches that result in the loss of confidential information and the loss of confidence of customers and other business partners. Strategic risk increases when the company fails to invest in the resources necessary for collection and analysis of all of the information needed to make proper and


informed decisions about major new investments. Compliance risks include failure to comply with legal and regulatory requirements applicable to the company’s products and services, which leads to civil and/or criminal penalties.

4. The activities associated with an effective risk assessment process include identifying the risks that are most relevant to the company and developing a short description of the key characteristics of each risk so that it can be analyzed and strategies created for mitigating or eliminating them; defining the company’s “risk appetite” to determine which types of identified risks are most problematic for the company and thus are appropriate targets for mitigation activities; risk mitigation, which involves developing compliance programs and internal controls designed to reduce risks to levels consistent with the company’s risk appetite; and establishing benchmarks for measuring the effectiveness of the company’s risk mitigation efforts and procedures for continuous risk assessment to identify and manage new risks that may arise as the activities of the company and its external environment change. The scope of the process, and required investment, depend on the size of the company and its stage of development and available resources, and companies must decide on the level of sophistication of risk management procedures, how much of the process should be outsourced and the appropriate internal management structure for the risk management activities.

5. Recognized general guidelines for conducting effective risk assessments include covering all major areas of potential misconduct; examining risk in the context of the company’s resources; using industry information and company history; including managers and employees from all organizational levels; analyzing both the impact and likelihood of the occurrence of a risk; quantifying each risk area; documenting the outcome of the risk assessment process; conducting the risk assessment in a defensibly objective manner and on a regular basis; and benchmarking the company’s compliance programs.
