Everyone in the FCPA field knows how to mouth the key words. Practitioners always identify “ongoing assessment” as an essential part of any anti-corruption compliance program. What exactly does that mean?
You can define the responsibility for ongoing assessment narrowly or broadly, depending on how much of a commitment you want to make. It is easy to limit an ongoing assessment requirement to just an annual review of a company’s anti-corruption compliance standards and procedures to ensure they are working, or even to add a little more, such as spot checks and quarterly audits.
I would advise doing more than just the basic requirements. It starts with a “continuous” risk assessment procedure. To do this, I would structure a risk assessment survey and audit process for every country where the company operates. The survey would build on issues identified from the risk assessment and add questions tailored to the specific country’s business environment. The survey would also vary depending on whether the country is categorized as a high-risk, middle-risk or low-risk country from the initial risk assessment. The frequency of the survey would also vary depending on the level of risk – for example, a survey would be completed on an annual basis for high-risk countries, every two years for middle-risk countries and every three years for low-risk countries.
As information is learned through the surveys – changes in third-party agents, government regulatory regimes, and other issues – compliance programs and procedures in each country can be tweaked and responsible officers in these companies can adjust their actions accordingly. This process keeps companies from being overtaken by events, which is the risk when a company builds a compliance program and then sits back without continuous monitoring and assessment.
It is easy to say that you satisfy the “ongoing assessment” requirement by checking off the box with a few minor steps. But it is a better practice to make a real commitment to a continuous assessment process which gives the company meaningful information and is reflected in an “organic” compliance program – one that is dynamic and changes with new information.