Conducting a Risk Assessment

Posted on 10-31-2017



What is a Risk Assessment?

A risk assessment is a review undertaken to help an organization understand its business and manage the related strategic, operational, financial, and/or compliance risks. In the compliance context, U.S. regulators expect companies to conduct periodic and/or targeted assessments in order to identify and address the legal and regulatory risks that the company faces in its operations and/or activities. A well-devised risk assessment process assists companies in identifying specific vulnerabilities and provides the opportunity to mitigate those risks that are most likely to occur. When undertaken as part of a corporate compliance program, the risk assessment can help business leaders effectively manage and mitigate the organization’s legal and regulatory risk.

Why Conduct a Risk Assessment?

Government regulators increasingly expect companies to undertake a risk assessment process to ensure that the underlying elements of the compliance program are appropriate to the size and complexity of the organization as well as the type, scope, and location of the business venture and its activities. The U.S. Sentencing Guidelines, U.K. Bribery Act of 2010, and the Organisation for Economic Co-operation and Development (OECD) guidelines all have identified the risk assessment process as an essential step in developing a strong compliance program and implementing adequate procedures, particularly with regard to anti-corruption and anti-bribery efforts. The U.S. Department of Justice and the Securities and Exchange Commission clearly stated their expectation, in their joint November 2012 Resource Guide, that corporate compliance programs should be tailored to the “company’s specific business and to the risks associated with that business.” The tailoring process requires periodically assessing the organization’s specific activities, undertakings, ethical culture, industry, and business sector in order to identify relevant risks and gaps in the management of those risks. Particularly for companies operating in a complex, fast-moving and increasingly interconnected environment, it is essential to have a dynamic, risk-based corporate compliance program that evolves with the internal and external environment.

Scoping the Risk Assessment

When scoping the risk assessment, legal and/or compliance professionals should consider the jurisdictions in which the company operates, the range of company products and services, the entity structure of the organization (including owned or operated entities, joint ventures, and other partnerships in which the company has a majority or controlling interest), government touchpoints, third-party relationships, the sales/business model, strategic business initiatives, and global expansion plans.

The risk assessment should be used to understand the organization’s overall risk profile as well as to identify and prioritize the concerns that threaten short- and long-term compliance with applicable laws. Depending on the size and complexity of the operations, a company may choose to conduct an enterprise-wide risk assessment to understand the baseline risk profile and then conduct more focused assessments of specific activities and/or jurisdictions based on identified risks and strategic priorities.

The risk assessment should consider current and potential compliance risks, including systemic, organizational, or industry-specific risks and any other unique risks. In its guidance to the U.K. Bribery Act of 2010, the Ministry of Justice suggests reviewing five categories of risk: country, sectoral, transaction, business opportunity, and business partnership risk. For example, a country-specific anti-corruption risk assessment might consider the perceived level of corruption in a jurisdiction, whether there is transparency in governance, and/or legislative support of anti-corruption laws.

The assessment should also consider how existing operations and internal controls contribute to risk, such as inadequate procedures and/or poorly applied internal controls. By reviewing these categories of risk, the company will be able to identify areas of the operation that pose the greatest risk of non-compliance with legal obligations and/or company policy.

After assessing whether there is a regulatory compliance risk, the company should determine the level of likelihood that criminal conduct will occur as well as the nature and seriousness of the possible criminal conduct. The likelihood analysis should consider the nature of the business and the history of prior misconduct in the organization or within the industry sector. Government regulators expect that the compliance program will address the most serious conduct that is likely to occur.

Who Conducts the Risk Assessment?

The risk assessment can be conducted internally, by external resources, or through a combined effort. Some companies engage external professionals in order to ensure there is an unbiased review of the compliance risks and the company’s practices; other organizations may supplement internal reviews with periodic assessments by external specialists who can assess the compliance risks and/or program gaps in light of best practices and enforcement trends.

Prior to beginning the risk assessment, the company should consider whether there is a strong need to preserve the attorney-client privilege regarding the assessment findings, particularly if there is concern about potential misconduct or ongoing or threatened litigation, and/or if regulators have indicated the industry or sector is under scrutiny. Management may wish to consult with legal counsel regarding the benefits of preserving the attorney-client privilege and how to preserve the privilege.

Regardless of who conducts the assessment, senior management should communicate with key stakeholders and departments regarding the importance of the risk assessment process to the organization and ensure that the risk assessment team has adequate resources. In assessing whether the risk assessment process is appropriate and/or proportionate to the organization’s size and complexity, senior leaders should consider whether the scope of the assessment and the resources allocated towards it compare favorably with other internal assessment processes.

Performing the Risk Assessment

There are four basic steps in conducting the risk assessment: (1) gather and review information, (2) interview key stakeholders, (3) review and evaluate identified risks, and (4) document and report the findings and recommendations for enhancement of the compliance program.

Gather and Review Information

To begin, the risk assessment team will want to gather key information about the business operations and practices as well as existing compliance materials. In particular, the risk assessment team should gather information about the company structure and locations, industry sector, client base, third-party engagement, policies and procedures, systems and controls, training protocols, audit reports, and compliance monitoring. These materials will assist the team in ensuring that the risk assessment is appropriately scoped by identifying relevant business practices and related risks that may impact compliance obligations.

Interview Key Stakeholders

For the second step, the risk assessment team should develop targeted questionnaires and/or surveys based on the organization’s operations and the identified compliance risks. A successful assessment will use open-ended questions to elicit objective information about areas of concern and opportunities for enhancement of the organization’s compliance risk management.

The team should identify key stakeholders who have knowledge of the company’s operations, its actual practices, and the compliance culture. This target list will vary based on the business sector, size of the operations, and scope of the risk assessment, but should include individuals across the operations, including business team personnel, legal, finance, internal audit, and the senior manager responsible for compliance oversight. The risk assessment team should also consider the best format for eliciting actionable information. While focus groups, group interviews, and surveys may capture information from many participants in a short period of time, individual interviews may allow employees to be more candid, to provide more details and context, and/or to describe evolving or emerging issues.

Review and Evaluate Identified Risks

The third step is to review the findings and evaluate the compliance risk in light of the relevant laws, company policy, and other applicable standards. Particularly for companies with global operations, it is important to understand the impact of international standards and extra-territorial laws on these operations. If needed, the risk assessment team should consult with subject matter experts and internal or external legal counsel for the local jurisdiction to ensure a full understanding of best practices, the legal framework, and the regulatory environment.

Document and Report the Findings and Recommendations for Enhancement of the Compliance Program

The final step in the risk assessment process is to document and report the findings and develop recommendations for enhancement of the compliance program. The risk assessment team should carefully compile its findings—including the risk profile, red flags, priority risk areas, and recommendations—in a comprehensive, practical report. In order to facilitate the implementation of appropriate program enhancements, the risks should be ranked according to the likelihood of occurrence as well as potential severity and impact. The report should also identify any areas requiring further assessment and a timetable for updating the risk assessment. The full report should be presented to the general counsel and/or chief compliance officer for consideration of appropriate program enhancement actions. A summary report can be prepared for other key stakeholders, including senior management, the board of directors, and relevant business units and departments.

Building on the Risk Assessment

Once the company understands the specific compliance risks, red flags, and priority risk areas, the risk assessment findings can be used to improve management of compliance risk. The U.S. Federal Sentencing Guidelines advise companies to use the assessment to “design, implement, or modify” the compliance program. The OECD also advises that the risk assessment should be the basis for effective internal controls. Similarly, in its guidance to the U.K. Bribery Act of 2010, the Ministry of Justice suggests that program priorities, resources, and controls should be based on the results of a risk assessment.

The risk assessment findings should also be used to develop an appropriate risk-based auditing, monitoring, and response program, including:

  • A risk-based audit plan of specific transactions, business units, processes, countries, and/or market sectors
  • Real-time monitoring to identify and address compliance program gaps on an ongoing basis
  • Protocols for monitoring and assessing the implementation of risk mitigation plans

By implementing appropriate auditing and ongoing monitoring processes, the company will have another method by which to identify compliance risks and/or improper practices.

Updating the Risk Assessment

After an initial (baseline) risk assessment is completed, periodic risk assessments should be conducted—either annually or on a schedule proportionate to the organization’s risk profile. The risk assessment is a preventive measure and should be a regular and systematic part of compliance efforts rather than an occasional, ad hoc exercise cobbled together when convenient or after a crisis. Enforcement trends and government priorities change rapidly, so it is vital to stay up-to-date by conducting regular assessments. In this way, the organization can demonstrate that the compliance program adequately and effectively addresses the changing risks facing the business.


Organizations should document the compliance program enhancements implemented as a result of the risk assessment. Additionally, the findings from periodic risk assessments should be used to assess the effectiveness of the compliance program improvements. Remember that the risk assessment is just the start of the risk management process: the ultimate goal is to use the assessment findings and analysis to reduce or mitigate compliance risk to protect the organization from government scrutiny and enhance the profitability of the enterprise.

Stephen R. Martin is a partner in Arnold & Porter’s Denver office and focuses his practice on global compliance matters, risk assessment and management, and advising companies in connection with corporate internal and governmental investigations.

To find this article in Lexis Practice Advisor, follow this research path:

RESEARCH PATH: Commercial Transactions > General Commercial and Contract Boilerplate > Compliance Programs and Risk Assessment > Practice Notes
