We all face a number of risks every day. Yet we do not respond to each and every risk; we rank them. Some risks are more likely than others, and some are more catastrophic than others. So we engage in risk ranking each day and allocate our time and attention accordingly.
The same applies, or should apply, when managing a compliance program. Resources are limited and compliance officers face a variety of risks. It is important, however, to rank these risks and then allocate time, attention and resources in accordance with these risk rankings.
The Justice Department and the SEC understand exactly how such a process works and expect to see risk-ranking systems incorporated in a compliance program. Once a company engages in risk ranking, the compliance officer is justified in assigning more resources to higher-risk activities and fewer to lower-risk ones. Assuming that such strategies are applied consistently and documented, there is no way the government will second-guess or recalculate the risk-ranking procedures.
In the anti-corruption compliance context, risk ranking informs a number of activities: (1) due diligence and monitoring programs for third party agents, distributors, vendors and suppliers; (2) monitoring programs for internal sales staff or other officials who interact with foreign officials; and (3) audit plans for assignment of financial and compliance audits.
By ranking the actors in each of these situations, a compliance officer can devote more resources to higher-risk activities and reduce the resources dedicated to lower-risk actors.
The DOJ/SEC FCPA Guidance issued in 2012 emphasized the importance of implementing a risk-based due diligence program as part of a company’s compliance program. Of course, this principle makes sense, but it is important for a compliance officer to apply it, document how the risk-ranking system was applied, and devote resources commensurate with the assigned risk. In doing so, each subject or class of subjects must be treated in accordance with its assigned risk level.
Whatever risk-ranking system is developed for third parties, the system must be simple. In other words, a compliance program’s risk-ranking system must not try to address each and every possible factor. For example, a system may assign relative weights based on the level of corruption in the country in which the third party operates and the amount of revenue attributable to each third party. Other factors can be applied, but these two are probably the most significant and reliable.
A risk-ranking formula is not the end of the inquiry – other sources of information can be used. If a sales official learns that a distributor may be engaged in improper gift-giving or other activities, the compliance officer can elevate that specific third party for auditing notwithstanding its relatively low level of risk. Risk ranking does not impose inflexible rules; it creates a good starting point and a way to clear most lower-risk third parties from burdensome monitoring and auditing programs.
There are a variety of contexts in which risk ranking can be used to assign proper resources. A proactive audit program should include a ranking of third parties for proactive audits. Once the relative rankings are assigned, compliance and audit officials can begin to assess how many third parties should be considered for an audit (assuming that audit rights have been secured).
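The two-factor formula, the documented override and the audit ranking described above, as an added example that is not from this article: the weights, score scales, revenue tier boundaries and sample third parties are all assumptions.

```python
from dataclasses import dataclass, field

# Assumed scales: country corruption risk 0-100 (100 = most corrupt), revenue in USD.
W_COUNTRY, W_REVENUE = 0.6, 0.4  # assumed relative weights; they sum to 1

@dataclass
class ThirdParty:
    name: str
    country_risk: int      # assumed 0-100 corruption score for its country
    annual_revenue: float  # revenue earned through this third party
    audit_rights: bool     # audits are possible only where rights were secured
    escalations: list = field(default_factory=list)  # documented reports

def revenue_score(revenue: float, tiers=(1e5, 1e6, 1e7)) -> int:
    """Map revenue to a 0-100 tier score (tier boundaries are assumed)."""
    tier = sum(revenue >= t for t in tiers)  # 0..3
    return round(100 * tier / len(tiers))

def risk_score(tp: ThirdParty) -> float:
    """Base score from the two factors only, keeping the system simple."""
    return W_COUNTRY * tp.country_risk + W_REVENUE * revenue_score(tp.annual_revenue)

def escalate(tp: ThirdParty, reason: str) -> None:
    """Record why a party was elevated so the override is documented."""
    tp.escalations.append(reason)

def rank_for_audit(parties, audit_count):
    """Return (name, score, basis) for the top audit candidates. Escalated
    parties rank first regardless of score; parties without audit rights
    are excluded because they cannot be audited."""
    ranked = []
    for tp in parties:
        if not tp.audit_rights:
            continue
        score = risk_score(tp)
        basis = "escalated: " + "; ".join(tp.escalations) if tp.escalations else "formula"
        ranked.append((tp.name, round(score, 1), basis, bool(tp.escalations)))
    ranked.sort(key=lambda r: (not r[3], -r[1]))  # overrides first, then by score
    return [(name, score, basis) for name, score, basis, _ in ranked[:audit_count]]

def sample_parties():
    """Constructed sample data for illustration only."""
    parties = [
        ThirdParty("DistCo", 72, 2.5e6, True),
        ThirdParty("AgentLtd", 35, 4e7, True),
        ThirdParty("VendorX", 20, 5e4, True),
        ThirdParty("NoAuditSA", 90, 3e6, False),
    ]
    escalate(parties[2], "sales report of possible improper gift-giving")
    return parties
```

With the sample data, `rank_for_audit(sample_parties(), 2)` puts the low-scoring but escalated VendorX ahead of DistCo, and NoAuditSA never appears because no audit rights exist.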
A risk-ranking approach to compliance is implicit in so many activities, but it needs to be applied deliberately to elevate the effectiveness of a compliance program.