
Jeff Kaplan
Kaplan & Walker, LLP


Mr. Kaplan has worked in the compliance field since the early 1990s, developing, implementing, improving and assessing compliance programs for companies in nearly every major business area. In addition to his role as Chair of the Law & Business Ethics Advisory Board, he is a member of Kaplan & Walker, LLP, a law firm based in Princeton, NJ and Santa Monica, CA, and is an Adjunct Professor - Markets Ethics and Law at the Stern School of Business of New York University. He is also co-editor of Compliance Programs and the Corporate Sentencing Guidelines (West Pub.); co-publisher of ethikos magazine; and a frequent speaker on compliance and ethics issues at ECOA and SCCE, PLI, and the Conference Board.

SAI Global Compliance



Ten Features of Effective C&E Risk Assessments: Part 1

by Jeff Kaplan, Jun 01, 2009

The 2004 revisions to the Corporate Sentencing Guidelines codified what was already well known to C&E practitioners: that risk assessment should be the foundation of an effective C&E program.

But what exactly should a C&E risk assessment entail? In this series of postings, I’ll explore what I believe are ten features of effective risk assessment, which are:

  • Determine where to focus one’s efforts
  • Assess the causes of risk
  • Educate interviewees so they can contribute in a meaningful way
  • Measure net, as well as gross, risk
  • Use your current risk assessment to lay the groundwork for future ones
  • Assess ethics, as well as compliance, risks
  • Give sufficient attention to public information
  • Use assessments to help one’s board oversee the program
  • Assess third-party risks
  • Assess risks from the economic downturn

To start with the first of these, companies should make an initial determination of the optimal scope of the risk assessment process given their specific needs. This will indeed differ for each company – meaning that risk assessments, like other C&E program elements, really should be tailored to company needs to be effective. An off-the-shelf approach, by contrast, is almost certain to be at least partly wasteful.

Among other things, one should first take stock of what risk-related information one already has. For instance, a company with a mature EH&S compliance program may already have all the EH&S risk information it requires – and any further effort in this area is likely to be seen within the company as pointless, which can imperil the entire risk assessment (and even cast doubt on the thoughtfulness of the overall program).

This need-based approach impacts risk assessment methodology as well as subject matter focus. That is, to understand risks and causes, interviews are often preferable. To prove (e.g., to senior management) the need for additional mitigation, surveys are often preferable. Of course, some risk assessments use both.

I’ll provide more detail in my next post.
