FCPA Compliance and Ethics Blog

June 15, 2011

Suggestions for Starting a Regulatory Compliance Risk Assessment

Ed. Note-today we have a guest post by our colleague Mary Shaddock Jones, who has recently joined the world of private practice.

You have just been asked to perform a regulatory compliance risk assessment in all of the countries in which your company currently operates. Seems like a daunting task. How do you proceed? Here are a few suggestions to get you started:

  1. Risk Assessment– I believe that you can use the Enterprise-wide Risk Management (ERM) Framework to identify, analyze, respond to and monitor critical regulatory compliance risks on a country-by-country basis. For the purposes of this exercise, you are required to identify the legal (statutory) and regulatory requirements in each country in which your company currently does business. There could be thousands of different legal and regulatory requirements. I believe that the key is to first consider the requirements that could significantly affect the company’s ability to meet its missions and goals.
  2. Identifying Key Legal/Regulatory Risks– In order to determine the “Key” risks (i.e. those which could significantly affect the company), you need to “divide” the company into various “risk centers” and identify the “risk owners” within each risk center. For instance, if your company is required to import vessels/equipment into a foreign country to perform work, then one significant risk to the company is the inability to import the vessels/equipment if the person responsible for doing so fails to follow the proper legal/regulatory requirements. As a result, one of the “risk centers” could be the vessel/equipment regulatory compliance department. If your company manufactures tennis shoes in the U.S. but imports the various components of the shoes from foreign countries, a breakdown in the importation of an individual component could have a significant impact on the company’s ability to sell its tennis shoes. As a result, one of the “risk centers” could be the procurement department. The point is this: you, as the Compliance Manager, have to understand your company’s business processes in each country with sufficient clarity that you can begin to identify the various “risk centers” and “risk owners”.
  3. Identifying Major Steps– Now that you have identified the various “risk centers”, it is time to meet with the individual risk owners to collectively map out each step in the process unique to the particular risk center. By doing so, you can next identify each major activity in the process. Once the major activities are identified, you can then begin to collect information as to what laws/regulations apply in each country.
  4. Identifying Major Laws/Regulations– In the scenario presented, your company performs work both in the United States and in several international locations. First, you need to understand the U.S. laws which apply to foreign business activities, including such things as economic sanctions and boycotts, export controls, anti-terrorism, and anti-bribery and corruption, to name a few. Other U.S. laws, such as environmental, employment, trade, tax and anti-trust laws, may also apply. Finally, you will need to consult with knowledgeable counsel in the various countries to identify the local laws which apply to each of the major activities outlined above.
  5. Maintaining Privilege– Risk Assessments should typically be performed by legal counsel, or at least under the direction of legal counsel, so as to utilize the attorney-client privilege to protect privilege and confidentiality issues which may arise during the risk assessment process.
  6. Acting as “Project Manager”– Under the scenario presented, you have been handed a huge project. You should approach it with the hat of a “Project Manager” in order to define the project, identify the risks, coordinate the experts both within the company and outside the company who can identify the Key Risks, then collect and organize the information so that it can be presented to Senior Management in a useful format.

Mary Shaddock Jones, Attorney at Law and former Assistant General Counsel and Director of Compliance at Global Industries, Ltd., can be reached via email at msjones@msjllc.com or via phone at 337-515-8527.

Join Ms. Jones and me for an upcoming webinar

Tuesday, June 21 at 1 EDT, I am co-presenting on a webinar with Mary Shaddock Jones, on “Supply Chain Relationship Management Under the FCPA and Bribery Act”. The event is co-hosted by Ethisphere and World Check. For information and registration details click here.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. 
