Performing a Risk Assessment for FCPA and UK Bribery Act Compliance

Ed. Note-today we have the second in a series of Guest Posts by Michael Potorti, CPA on the role of an auditor in FCPA/UK Bribery Act Compliance

Companies that are subject to the FCPA and/or UK Bribery Act need to look at their organization as a whole to flag potential areas of non-compliance. Management could tend to be subjective in performing this task so it would be wise to have an outside party work with management to attempt to identify the processes, procedures, cultures, etc. that pose an elevated risk.

All industries are different and each one has particular customs or unique ways of doing business. Certain countries/cultures also have expectations of companies wanting to do business there: these are the facts. However, what was acceptable in the past can suddenly become unacceptable (in the Government’s eyes), especially in the case of the UK Bribery Act, which deals with the bribery of government officials as well as individuals associated with commercial entities.

Here are some ideas when conducting a Risk Assessment:

1) Look at the company as a whole using a Risk Based Approach –
certain subsidiaries within the organization may be of low risk, for example, a US-based subsidiary that does not interact with or does not rely on Foreign officials for sales. Other subsidiaries could be flagged as high risk due to the sole fact that they are located in a country where corruption is rampant. These high-risk entities should be automatically included in your plan on mitigating non-compliance risk.

2) Interview Executive Management, local management, etc. to get their views on where the risks lie –
inquire directly of management on where they feel the areas of risk are. Is it a certain customary procedure that is carried out when dealing with Foreign Governments that makes management nervous? Is the fact that the company uses 3rd Party Agents that have a tarnished reputation? Is doing business in certain countries really worth the risk of potentially large fines and damage to reputation (not to mention the shareholder lawsuits when the company’s stock dips)?

3) 3rd Party Agent review –
a recurring theme in charges brought by the US Department of Justice relates to the use of corrupt 3rd Party Agents. What kind of due diligence does your company do on 3rd Party Agents before you do business with them? Do you know how and to what extent your subsidiaries use these agents in securing business?

4) We do not want to flood the organization with internal controls that have little value –
a result of the Risk Assessment will be the identification of a number of areas that are deficient. Practical and sustainable controls need to be implemented to address (remediate) these deficiencies. However, controls should be designed to target these high-risk areas in order to mitigate risk. Creating a large number of controls and having them implemented company-wide may be overkill, unless there is a real possibility that other parts of your organization could be affected. Automated controls are preferred as they free up your employees to do their daily duties more efficiently and effectively.

A proper Risk Assessment will accomplish the formal identification of risk areas within your organization and define what controls are needed to mitigate risk. It will also set the stage for establishing, implementing and communicating company-wide policies.