Conducting A Risk Assessment as Part of A Corporate Compliance Program

By Gregory Yawman

Miles & Stockbridge P.C.

Following the application of the Federal Sentencing Guidelines (the “Guidelines”) to business organizations in 1991, public and private corporations adopted corporate compliance programs to prevent and detect criminal conduct by employees. Under the Guidelines, significantly reduced sentences for criminal convictions are possible when a corporation has in place an “effective compliance and ethics program.” UNITED STATES SENTENCING COMMISSION, Guidelines Manual, §8B2.1 (2007). In addition, the Department of Justice Criminal Resource Manual directs prosecutors to consider whether a corporation has an effective compliance and ethics program in determining whether to charge a corporation with a criminal offense. Although the mandatory aspect of the Guidelines was struck down by the Supreme Court in United States v. Booker, 543 U.S. 220 (2005), the Guidelines continue to play an important role in charging decisions and sentencing by courts and prosecutors. The oversight requirements of the Sarbanes-Oxley Act further affirm the significance of compliance programs for public companies.

In 2004, the Guidelines were amended to emphasize the need for an “effective” compliance program. An effective program focuses upon risk assessment as an ongoing requirement, as the Guidelines provide that the organization “shall periodically assess the risk of criminal conduct” and shall take appropriate steps to design, implement or modify its program based on a risk assessment. Guidelines, at §8B2.1(c).

The Guidelines specify that a risk assessment must include consideration of (1) the nature and seriousness of potential criminal conduct, (2) the likelihood that certain criminal conduct may occur and (3) the prior history of the organization. Id. at n.6. With this information, the organization should prioritize its risks to focus on preventing and detecting the most serious and most likely offenses to occur. Finally, the organization must modify its program to address the priorities shown in the risk assessment.

Corporations often struggle to put into practice the requirements of a risk assessment. In many cases, the chief compliance officer or general counsel prioritizes risks intuitively based on his or her familiarity with the corporation’s business and past criminal conduct. While this might result in an accurate assessment, it may not stand up to scrutiny as full compliance with the directive of the Guidelines to conduct a periodic risk assessment.

A method that has been effective for many organizations is to conduct a structured risk assessment process. First, appropriate individuals, such as members of the compliance department, the general counsel’s office or senior management, would brainstorm and create a list of all possible risks of criminal conduct that might apply to the organization based upon the nature of the business and the types of transactions in which it engages. This list would then be organized according to logical groupings – e.g., types of antitrust violations, Foreign Corrupt Practices Act violations and securities laws violations.

Second, appropriate officers and employees would assess the list of risks and assign a numerical ranking to each item in this list, both for likelihood of occurrence and severity of consequences. This could be done through group meetings, individual interviews or written surveys. Group meetings have the advantage of allowing discussion among the individuals and clarification offered by legal counsel. It is crucial that the group meetings or interviews are carefully planned and conducted by one or more individuals familiar with risk assessment techniques, the Guidelines and criminal conduct applicable to corporations. It can also be useful to seek guidance from the company’s auditors and outside counsel familiar with creating and evaluating compliance programs.

The final step is to calculate the risk for each listed item. An accepted method for quantifying risk is to multiply the assigned value for the likelihood of the offense by the assigned value for the consequences of such an offense. See, e.g., U.S. Department of Justice, Office of Justice Programs, National Institute of Justice, A Method to Assess the Vulnerability of U.S. Chemical Facilities (November 2002), available at http://www.ojp.usdoj.gov/nij/pubssum/195171.htm. This simple formula will yield a numerical ranking of risks that will serve as a basis for action steps designed to address the highest ranking risks. Once the risk assessment is completed, it can then be incorporated into the company’s compliance program, to be reviewed periodically by management and the general counsel.