When Conducting Risk Assessments There Are No Requirements, But Certainly Some Expectations


A guest post from Cuneyt A. Akay (Greenberg Traurig)

Risk assessment…this is one of the most commonly uttered phrases in the FCPA vernacular.  Many companies understand that assessing their risk is the starting point of designing an effective compliance program.

Perhaps this indicates that companies have a growing awareness of the importance of compliance and mitigating corruption risk.  Perhaps it means that the DOJ’s and SEC’s continued messaging around “risk-based” and “risk-tailored” compliance is resonating in corporate board rooms and C-suites.

Whatever the reason, risk assessments are often the first thing clients ask me about.  What are the requirements of a risk assessment?  What is expected from my company?  How do I assess my company’s risk?

Of course, the answers to those questions aren’t found in the FCPA or any of the related case law.  The FCPA doesn’t have a risk assessment requirement, and I am not aware of any case law that directly addresses risk assessment requirements.  So, we are generally left to interpret guidance issued by the government, parse FCPA case resolution documents, and learn from the experiences of other companies.

Just last year, the DOJ revised the Evaluation of Corporate Compliance Programs (“ECCP”) guidance.  The first substantive topic covered in the revised ECCP is risk assessments.  The ECCP states that risk assessments are fundamental to a “well-designed compliance program.”

What is expected of companies when conducting a risk assessment?  The first point is that risk assessments look different for every company and they may look different for a company at various points in time as operations shift.  The DOJ explains that “location of its operations, the industry sector, the competitiveness of the market, the regulatory landscape, potential clients and business partners, transactions with foreign governments, payments to foreign officials, use of third parties, gifts, travel, and entertainment expenses, and charitable and political donations” are all risk factors companies should analyze.  Companies may also consider how business operations have changed since the last risk assessment, the current maturity of the company’s compliance program and function, and the resources available, both internally and externally.

So, here is a quick road map to help companies think about risk assessments:


Have a plan.  In other words, what is the scope and methodology of the assessment?  First, determine the scope of the assessment (e.g., conduct an enterprise-wide assessment or focus on a particular business area or location).  Then, establish the methodology to gather the relevant information for the analysis (i.e., which business units to engage, what documents to gather, and what data to utilize).


No company can mitigate every risk and very few companies have the resources to address every risk uncovered in the assessment.  So, it is important to utilize company resources wisely and analyze existing company data to prioritize addressing the higher risk transactions, processes, and business relationships.  This requires understanding the company’s risk profile and then properly allocating the resources available.


You’ve learned about your risks and prioritized the risk areas, now what?  Companies should have a plan to implement the lessons learned from the risk assessment into the ongoing compliance program.  This may mean moving resources to focus on new risk areas that were not previously identified or were lower risk in the past.  The point is to make thoughtful decisions on how to effectuate the information gathered and analyzed from the assessment.


Effective compliance requires a company’s program to be dynamic, not static.  Similarly, as the DOJ states, risk assessment can’t be limited to a “snapshot” in time.  Every company’s risk profile changes over time and that’s why the DOJ suggests “periodic” reviews and updates to the risk assessment.  Does this mean annual, quarterly, or something else?  That depends on the company’s risk profile, changes in operations, and how far along the company is in implementing the compliance program. This analysis often dictates the type (i.e., targeted or enterprise-wide) and frequency of future risk assessments.


Cuneyt A. Akay is an anti-corruption lawyer focused on helping clients comply with the Foreign Corrupt Practices Act (FCPA) and the UK Bribery Act. Cuneyt designs, builds, and implements effective compliance programs for clients around the world. Cuneyt’s experience includes conducting internal investigations, performing compliance risk assessments, handling pre- and post-acquisition compliance due diligence, training staff and third parties on compliance requirements, and assisting in the monitoring and auditing of anti-corruption programs. Cuneyt also hosts the GT ABC (Anti-Bribery & Corruption) Podcast.
