Conducting a Risk Assessment

By: Stephen R. Martin ARNOLD & PORTER KAYE SCHOLER LLP

What is a Risk Assessment?

A risk assessment is a review undertaken to help an organization understand its business and manage the related strategic, operational, financial, and/or compliance risks. In the compliance context, U. S. regulators expect companies to conduct periodic and/or targeted assessments in order to assess and address the legal and regulatory risks that the company faces in its operations and/or activities. A well-devised risk assessment process assists companies in identifying specific vulnerabilities and provides the opportunity to mitigate those risks that are most likely to occur. When undertaken as part of a corporate compliance program, the risk assessment can help business leaders effectively manage and mitigate the organization’s legal and regulatory risk.

Why Conduct a Risk Assessment?

Government regulators increasingly expect companies to undertake a risk assessment process to ensure that the underlying elements of the compliance program are appropriate to the size and complexity of the organization as well as the type, scope, and location of the business venture and its activities. The U.S. Sentencing Guidelines, U.K. Bribery Act of 2010, and the Organisation for Economic Co-operation and Development (OECD) guidelines all have identified the risk assessment process as an essential step in developing a strong compliance program and implementing adequate procedures, particularly with regard to anti-corruption and anti-bribery efforts. The U.S. Department of Justice and the Securities and Exchange Commission clearly stated their expectation, in their joint November 2012 Resource Guide, that corporate compliance programs should be tailored to the “company’s specific business and to the risks associated with that business.” The tailoring process requires periodically assessing the organization’s specific activities, undertakings, ethical culture, industry, and business sector in order to identify relevant risks and gaps in the management of those risks. Particularly for companies operating in a complex, fast-moving and increasingly interconnected environment, it is essential to have a dynamic, risk-based corporate compliance program that evolves with the internal and external environment.

Scoping the Risk Assessment

When scoping the risk assessment, legal and/or compliance professionals should consider the jurisdictions in which the company operates, the range of company products and services, the entity structure of the organization (including owned or operated entities, joint ventures, and other partnerships in which the company has a majority or controlling interest), government touchpoints, third-party relationships, the sales/ business model, strategic business initiatives, and global expansion plans.

To read the full practice note in Lexis Practice Advisor, follow this link.

Stephen R. Martin is a partner in Arnold & Porter’s Denver office and focuses his practice on global compliance matters, risk assessment and management, and advising companies in connection with corporate internal and governmental investigations.

Related Content