The bottom line: If you do not conduct a risk assessment, then you should start praying. The FCPA Guidance made it clear – conduct a risk assessment and tailor your compliance program to the risk assessment.
In the unfortunate event that your company is involved in an FCPA enforcement action, DOJ and the SEC conduct a thorough review of a company’s compliance program. If the program falls into the “paper program” pile, prosecutors will aggressively investigate potential FCPA violations. On the other hand, if the company can demonstrate an “effective” program which is tailored to the specific risks identified in a risk assessment, the company will have a much better shot at arguing for a declination or a significantly reduced penalty.
Risk assessments look different depending on the company’s size and footprint. A small company will not conduct the same type of risk assessment, nor will it have as comprehensive an anti-corruption compliance program. By contrast, larger companies will have a more formalized risk assessment process.
There are several practical approaches to conducting a risk assessment. The tools for conducting a risk assessment include:
Personal or telephone interviews of key employees;
Surveys and questionnaires of employees; and
Review of historical compliance information such as due diligence files for third parties and mergers and acquisitions, as well as internal audits of key offices.
For smaller companies, these three tools may be sufficient to develop a good risk profile for the company. The personal interviews are critical because they provide a real-time measure of what is actually occurring in various countries. A country manager and a lead sales/business development employee should be interviewed about current practices, with a focus on interactions with foreign officials, third parties and the overall compliance culture. Such reviews should also cover regional/local compliance policies and procedures.
Large companies with more resources can conduct risk assessments with sophisticated and time-intensive tools such as personal, face-to-face interviews, on-site visits and informal audits. These “deep dive” inquiries could be focused on high-risk countries.
Most companies do not have the luxury of “deep-dive” risk assessments. The Sentencing Guidelines and the FCPA Guidance both take this into account and provide different expectations for big and small companies.
Smaller companies should not be reluctant to conduct a risk assessment. Because of the limitation in resources, small companies can conduct a more informal risk assessment using the basic tools outlined above. The key to such a risk assessment is to conduct it in good faith and with proper attention to potential risks. Not every stone needs to be turned over, but significant issues and risks should be addressed.
For smaller companies, the risk assessment should be documented — the interviews, the documents reviewed, the surveys and questionnaires, and an analysis of the risks. A memorandum setting out the review and analysis should be prepared and maintained as the basis for anti-corruption compliance policies and procedures.