Perhaps akin to a summer re-run, here are six points about conducting C&E risks assessments
1. Deploy assessment methodologies that are tailored to key compliance risk areas.
Risk assessment is not alone about measuring corporate culture; an effective assessment process will also examine closely “substantive” areas of law/policy, and this, in turn, necessitates having an analytic framework for each such area, as they do vary.
By way of example, here is an article on how to assess conflicts of interest risks and here is one on competition law risks. (Future articles in this column will explore assessment frameworks for corruption, insider trading and fraud, among other risk areas.)
2. Assess not only compliance risks, but also ethics ones.
The latter can be important to identifying the “risk around the corner” and otherwise maintaining an effective C&E program, as discussed here.
3. Think broadly.
By this I mean that the scope of an assessment should include risks occurring outside the “four walls” of a company. In this connection, here is a piece on the importance of assessing and managing C&E risks in joint ventures.
4. Think small.
For some organizations, a granular focus could be key for effective C&E risk assessment, as described here.
5. Design a mitigation process that ensures maximum use of risk-related information.
Assessment by itself does little good if the information developed is not rigorously put to use in designing and deploying C&E mitigation measures. Here’s a piece on how to avoid having key risk related information getting lost.
6. Recognize the risk implications of having a C&E “record.”
While a prior record might decrease the likelihood for a repeat offense (presumably because it sensitizes employees to the danger of such), it can increase the likelihood of prosecution and the impact of punishment, as discussed here.