
We believe that Risk Assessment is a tool, and the one with
which a company should begin to craft its Foreign Corrupt Practices Act (FCPA) or
UK Bribery Act compliance program. The reason is straightforward: one
cannot define, plan for, or design an effective compliance program to prevent
bribery and corruption without measuring the risks one faces. Both the
Principles of Federal Prosecution of Business Organization (US Sentencing
Guidelines), with its section on corporate compliance programs, and the UK
Bribery Act's Consultative Guidance list Risk Assessment as the initial
step in creating an effective anti-corruption and anti-bribery program. So far
in 2011, the US Department of Justice (DOJ) has concluded three FCPA enforcement
actions which specify some factors that a company should review when making a
Risk Assessment.
The three enforcement actions, involving the companies Alcatel-Lucent,
Maxwell Technologies and Tyson Foods, all had common areas that the DOJ
indicated were FCPA compliance risk areas which should be evaluated for a
minimum best practices FCPA compliance program. In both Alcatel-Lucent and
Maxwell Technologies, the Deferred Prosecution Agreements (DPAs) listed the
following seven areas of risk to be assessed.
1. Geography - where does your Company do business.
2. Interaction with types and levels of Governments.
3. Industrial Sector of Operations.
4. Involvement with Joint Ventures.
5. Licenses and Permits in Operations.
6. Degree of Government Oversight.
7. Volume and Importance of Goods and Personnel Going Through Customs and Immigration.
In the Tyson Foods DPA, this list was reduced to the
following: (1) Geography, (2) Interaction with Governments, and
(3) Industrial Sector of Operations. It would seem that the DOJ did not believe
that Tyson Foods had the same compliance risks as Alcatel-Lucent and Maxwell
Technologies because of (a) its limited internal sales market and (b) the fact
that it only has 6 food processing plants outside the United States.
These factors provide guidance on some of the key areas
that the DOJ apparently believes can put a company at higher FCPA risk. These
factors supplement those listed in the UK Bribery Act's Consultative Guidance, which
states, "Risk Assessment - The commercial organization regularly and
comprehensively assesses the nature and extent of the risks relating to bribery
to which it is exposed." The Guidance points towards several key risks which
should be evaluated in this process. These risk areas include:
1. Internal Risk - this could include deficiencies in:
- employee knowledge of a company's business profile and understanding of
associated bribery and corruption risks;
- employee training or skill sets; and
- the company's compensation structure or lack of clarity in the policy on gifts,
entertaining and travel expenses.
2. Country Risk - this type of risk could include:
(a) perceived high levels of corruption as highlighted by
corruption league tables published by reputable Non-Governmental Organizations
such as Transparency International;
(b) factors such as absence of anti-bribery legislation
and implementation and a perceived lack of capacity of the government, media,
local business community and civil society to effectively promote transparent
procurement and investment policies; and
(c) a culture which does not punish those who seek
bribes or make other extortion attempts.
3. Transaction Risk - this could entail items such as transactions involving charitable or
political contributions, the obtaining of licenses and permits, public
procurement, high value or projects with many contractors or involvement of
intermediaries or agents.
4. Partnership Risk - this risk could include those involving foreign business partners
located in higher-risk jurisdictions, associations with prominent public office
holders, insufficient knowledge or transparency of third party processes and
controls.
Risk Assessment as 'Best Practices'
Both the Consultative Guidance and the recent DPAs
provide guidance to the FCPA compliance practitioner and include ongoing Risk
Assessment as a key component of any best practices program. A
well-managed organization makes an assessment of the risks it faces now and in
the future and then designs appropriate risk management and control mechanisms
to control such risks. However, the key point is that a Risk Assessment is
absolutely mandatory and must be used as a basis for the design of an effective
compliance policy, whether under the FCPA or the UK Bribery Act. If a Risk
Assessment is not used, it might be well nigh impossible to argue that your
compliance program meets even the basic standards of either law.
Visit the FCPA Compliance and Ethics Blog,
hosted by Thomas Fox, for more commentary on FCPA compliance, indemnities and
other forms of risk management for a worldwide energy practice, tax issues
faced by multi-national US companies, insurance coverage issues and protection
of trade secrets.
This publication contains general information
only and is based on the experiences and research of the author. The author is
not, by means of this publication, rendering business, legal advice, or other
professional advice or services. This publication is not a substitute for such
legal advice or services, nor should it be used as a basis for any decision or
action that may affect your business. Before making any decision or taking any
action that may affect your business, you should consult a qualified legal
advisor. The author, his affiliates, and related entities shall not be
responsible for any loss sustained by any person or entity that relies on this publication.
The Author gives his permission to link, post, distribute, or reference this
article for any lawful purpose, provided attribution is made to the author. The
author can be reached at tfox@tfoxlaw.com.
© Thomas R. Fox, 2011