Conducting a Risk Assessment

Posted on 10-31-2017


By: Stephen R. Martin, Arnold & Porter Kaye Scholer LLP

What is a Risk Assessment?

A risk assessment is a review undertaken to help an organization understand its business and manage the related strategic, operational, financial, and compliance risks. In the compliance context, U.S. regulators expect companies to conduct periodic or targeted assessments in order to identify and address the legal and regulatory risks that the company faces in its operations and activities. A well-devised risk assessment process helps a company identify specific vulnerabilities and gives it the opportunity to mitigate the risks that are most likely to materialize. When undertaken as part of a corporate compliance program, the risk assessment can help business leaders effectively manage and mitigate the organization’s legal and regulatory risk.

Why Conduct a Risk Assessment?

Government regulators increasingly expect companies to undertake a risk assessment process to ensure that the underlying elements of the compliance program are appropriate to the size and complexity of the organization as well as the type, scope, and location of the business venture and its activities. The U.S. Sentencing Guidelines, U.K. Bribery Act of 2010, and the Organisation for Economic Co-operation and Development (OECD) guidelines all have identified the risk assessment process as an essential step in developing a strong compliance program and implementing adequate procedures, particularly with regard to anti-corruption and anti-bribery efforts. The U.S. Department of Justice and the Securities and Exchange Commission clearly stated their expectation, in their joint November 2012 Resource Guide, that corporate compliance programs should be tailored to the “company’s specific business and to the risks associated with that business.” The tailoring process requires periodically assessing the organization’s specific activities, undertakings, ethical culture, industry, and business sector in order to identify relevant risks and gaps in the management of those risks. Particularly for companies operating in a complex, fast-moving and increasingly interconnected environment, it is essential to have a dynamic, risk-based corporate compliance program that evolves with the internal and external environment.

Scoping the Risk Assessment

When scoping the risk assessment, legal and compliance professionals should consider the jurisdictions in which the company operates, the range of company products and services, the entity structure of the organization (including owned or operated entities, joint ventures, and other partnerships in which the company has a majority or controlling interest), government touchpoints, third-party relationships, the sales/business model, strategic business initiatives, and global expansion plans.


The full practice note is available in Lexis Practice Advisor.



Stephen R. Martin is a partner in Arnold & Porter’s Denver office and focuses his practice on global compliance matters, risk assessment and management, and advising companies in connection with corporate internal and governmental investigations.


Related Content

For a list of items that should be reviewed when conducting a risk assessment, see

> CHECKLIST – INFORMATION AND DOCUMENTS TO REVIEW IN A RISK ASSESSMENT

RESEARCH PATH: Commercial Transactions > General Commercial and Contract Boilerplate > Compliance Programs and Risk Assessment > Checklists

For a set of seven benchmarks to follow in setting up a compliance and ethics program, see

> U.S. SENTENCING GUIDELINES – BENCHMARK FOR AN EFFECTIVE COMPLIANCE AND ETHICS PROGRAM

RESEARCH PATH: Commercial Transactions > General Commercial and Contract Boilerplate > Compliance Programs and Risk Assessment > Practice Notes

For sample guidelines for a corporate compliance program, see

> SAMPLE CORPORATE COMPLIANCE PROGRAM GUIDELINES

RESEARCH PATH: Commercial Transactions > General Commercial and Contract Boilerplate > Compliance Programs and Risk Assessment > Forms

For details on creating a compliance program, see

> CREATING A COMPLIANCE PROGRAM

RESEARCH PATH: Commercial Transactions > General Commercial and Contract Boilerplate > Compliance Programs and Risk Assessment > Practice Notes

For an outline of a proposed approach to developing and implementing a compliance program, see

> CREATING A COMPLIANCE PROGRAM CHECKLIST

RESEARCH PATH: Commercial Transactions > General Commercial and Contract Boilerplate > Compliance Programs and Risk Assessment > Checklists