The Report of the Ad Hoc Advisory Group on the Organizational Sentencing Guidelines asks the Sentencing Commission to adopt a new guideline defining “effective program to prevent and detect violations of law” as used in USSG § 82C.5(f). The Report recommends that the definition include conducting ongoing risk assessments as one of its elements. The assessments would have two aspects: 1) a determination of “the scope and nature of the risks of violations of law associated with an organization's activities,” and 2) use of the results of the assessments to “influence the design and implementation of a broad range of features of an effective [compliance] program.”
Whether or not the Commission adopts these recommendations, it makes good sense for organizations to follow them. Compliance programs are likely to be more effective if organizations conduct systematic risk assessments and use the results in designing and implementing their compliance programs.
Identification of the “scope and nature” of the risks of violations an organization faces is an absolutely necessary early step. If an organization's activities create opportunities for money laundering (a topic discussed in the Report), obviously the organization's compliance program must address that risk. Similarly, an organization must attend to the risks of violations of other bodies of law applicable to its operations (eg, securities laws, environmental laws, laws against bribery and other corrupt practices, workplace safety laws, and industry-specific regulatory laws).
Preventive Compliance
To be most useful, however, risk assessment should go beyond mere identification of applicable laws and ways they might be violated by an organization's activities. Preventive compliance resources (eg, direct control systems, training, information dissemination, monitoring, auditing) should be deployed according to the results of a systematic search for any areas of organizational activity that present an elevated risk of violations of law, as compared to other areas. How can an organization identify the areas where additional compliance resources should be deployed?
Extraordinary Pressures
Violations of law within organizations often result from extraordinary pressures on performance. To satisfy their superiors, some people under extraordinary pressure may find it convenient, or even necessary, to cheat. Extraordinary pressure can come from many external sources: stock market expectations (leading, eg, to financial manipulations), new government mandates (leading, eg, to cheating by schools on student test results), fierce new competition when a key patent expires or a competitor launches a successful innovation (leading, eg, to bribery of customer purchasing agents or other improper sales practices, or fraud to hasten regulatory approvals for new products), unexpected problems with raw materials or manufacturing (leading, eg, to shipment of defective products). Extraordinary pressure can also come from internal sources: layoffs (which may lower the morale of remaining employees while compelling them to work harder, faster, more productively), budget cuts (which may make compliance more difficult, or even impossible), and higher performance targets (same). Areas where such factors operate may present an elevated risk of violations.
Newness
Newness may elevate compliance risk. New statutes, regulations, public policies, accounting standards, and other regulators of conduct and creators of incentives, and new interpretations of any of them, may not be fully thought through and so may create unnoticed opportunities for improper gain through cheating. An organization's existing systems for preventing and detecting violations may fail to address those opportunities, but adventurous employees may see them and seek to exploit them. New internally generated organizational activities and new ways of conducting ongoing activities also may warrant special attention. A new management team may need special initial help in ensuring compliance.
Structural Changes
Structural changes (eg, mergers, internal reorganizations) may temporarily disrupt established compliance mechanisms, and introduce windows of opportunity for violations that escape previously applicable controls. Acquisitions may bring within the acquirer's responsibility organizations with cultures and programs less conducive to compliance and, therefore, in need of improvement.
Other Areas
Increased risk may be presented by areas of organizational activity that are not internally transparent, eg, areas that are outside the usual controls administered by the law department, the regulatory department, or the internal auditors. Self-contained areas whose activities or profits “no outsider can understand” or “you don't want to know about” obviously warrant attention. The same concern applies to areas whose reported performance is too good to be true, or too good to be lawful.
Although some of the recent financial scandals appear to have resulted from blatant fraud, others appear to have resulted from very complex, sophisticated transactions in areas where the line between acceptable and unacceptable conduct or between merely unacceptable and criminal conduct may be debatable. A risk assessment should seek to identify areas in which such transactions are occurring.
An organization's own compliance history may identify areas warranting special attention. That history may be reflected not only in past governmental enforcement actions and inspection or audit reports, but also in private lawsuits, customer complaints, quality control reports, external and internal audit reports, and other assessments of performance.
Increased scrutiny may be warranted in areas whose managers have the reputation of not tolerating bad news from subordinates, of not wanting to know the details of how performance targets are achieved, or of resisting compliance-oriented activities. Such scrutiny may be warranted in areas whose reported level of success is inexplicable, and in areas experiencing unexpected failure to meet goals (because ongoing failure may particularly tempt employees to cheat).
An organization can learn from compliance problems at other organizations with similar activities; and some kinds of activities, eg, financial reporting, are common to all organizations. In view of the power of competition to influence conduct, the occurrence of compliance problems at competitors warrants inquiry as to whether similar problems exist in one's own organization. The prevalence of misconduct in financial reporting — eg, in recognition of revenue from sales, in decisions about the capitalization or expensing of costs — may warrant particular attention to that area.
Non-employees
A risk assessment could also draw on the knowledge of non-employees who perform services for the organization, and thus have acquired some degree of familiarity with its people and operations. As part of a risk assessment, outside auditors, lawyers, consultants, and other advisors, and perhaps even Board members, could be asked to identify, on the basis of their knowledge of the organization, any areas of particular concern with respect to compliance, even if they do not know of, or suspect, any specific wrongdoing.
It also may be prudent to take into account trends in scrutiny and enforcement by the federal and state governments. Increased focus by regulatory or other law enforcement agencies (or congressional committees) on particular subjects or types of violations may warrant a corresponding organizational focus on compliance. It is also true, however, that an area of lax enforcement can suddenly become a top enforcement priority if a disaster or scandal occurs. Indeed, persistent laxness of enforcement may have bred organizational acceptance of violations as a way of life, maintained by competitive pressures.
Pros and Cons
Systematic assessments of compliance risk present their own risks: they may intrude unduly on an organization's personnel and operations, and they may be discoverable in legal proceedings against the organization, and so may be used to harm it. Plainly, the design and conduct of risk assessments should take such risks into account.
An assessment must be sensitive to the legitimate interests of an organization's operational units. Compliance personnel must recognize and accept that compliance is not the organization's mission; rather, it is a constraint on the achievement of that mission. Operational personnel must recognize and accept, however, that the constraint is inescapable. Indeed, reinforcing the recognition and acceptance of inescapable constraints is the overall purpose of an organization's compliance program, of which the risk assessment is a part. Although many incentives support the achievement of the organization's mission, the compliance program is a major countervailing force that must push ahead on its own steam, sometimes in the face of considerable resistance. Therefore, it needs effective support at the highest levels of an organization.
A risk assessment can be conducted by, or under the supervision of, in-house counsel, so as to maximize the likelihood of its being privileged. The operational compliance program, whose deployment of resources reflects the risk assessment, presumably is not privileged; but its non-privileged status ought not affect the privilege attaching to the assessment (if conducted by or under the supervision of counsel).
If the element of ongoing risk assessment becomes part of the Sentencing Guidelines, a convicted organization or one negotiating a plea bargain may be forced to waive the privilege protecting its assessment when it presents its compliance program in order to obtain a reduction in the culpability score used for sentencing. That should be a very rare event. Other circumstances in which an organization may want or need to disclose its risk assessment, and so waive the privilege attaching to it, should also be very rare.