Ten Features of Effective C&E Risk Assessments: Part 2
A second feature of effective C&E risk assessments concerns the nature of the information that one seeks through the process. That is, while a traditional risk assessment generally attempts to develop information about risk impact, information about the causes of risks may in fact be more useful. (Risk likelihood information is a focus of both traditional risk assessments and what I am calling in this series effective risk assessments.)
Of course, knowing about impact is still important. But unlike risk likelihood – where a broad data gathering effort may be necessary to gain a real understanding – generally the law department is a sufficient source of information on impact. For instance, one doesn’t need to conduct a survey or a lot of interviews to know that the impact of a competition law violation could be high.
By contrast, understanding the causes of C&E risks is generally anything but straightforward and often involves a distinctly “local” effort. Moreover, such understanding can be necessary to attaining/maintaining program efficacy – the very point of a risk assessment. For instance, the risk assessment might determine that a given company policy is insufficiently understood or appreciated by employees in a certain business unit, suggesting the need for enhanced training or communications on that subject in the unit in question. By contrast, if a type of violation is likely to be willful, one would presumably consider using the “harder edge” compliance tools – e.g. audits or other controls – to address those risks.
More generally, this type of “cause” information can help identify how to mitigate risk through the five most “risk-variable” C&E program elements: written standards, training/other communications, auditing and other forms of checking, oversight, and other controls. (Note that the other C&E program elements – such as encouraging reports of violations – tend to vary less by type of risk, although there are exceptions.) Indeed, one way to gauge the success of a risk assessment process is by measuring the extent to which it actually helps one enhance the efficacy of these five elements in a risk-sensitive manner.
A third feature of an effective C&E risk assessment is tied closely to the second: one should educate interviewees enough so that they can contribute in a meaningful way to the process. This is less of a concern for the parts of interviews that entail looking backward – i.e., asking about prior violations and near misses at the company and in one’s industry. But looking forward is anything but easy, and presenting a framework of “risk causing factors” – either in the interview or through a pre-interview “invitation” document (or both) – can help make this part of the effort meaningful.
Risk causing factors include internal pressure, external pressure, incentives/temptations, misunderstanding/failure to appreciate standards, and culture (organizational, regional and industry). Understanding these will help interviewees identify information relevant to both the likelihood and causes of specific C&E risks. Presenting this framework can have the added benefit of serving as a general form of C&E awareness for interviewees.



