FCPA Compliance and Ethics Blog

December 8, 2011

Risk Management – More than just Risk Assessment

Filed under: compliance programs,FCPA,Risk Assessment — tfoxlaw @ 1:26 am

In an article in the December edition of the ACC Docket, entitled “Disciplined and Practical Risk Management”, Jim Jackson, General Counsel of Medair, discussed risk management in the non-profit arena, focusing on his experiences on this issue during his tenure at Medair. Medair is an entity which “brings life-saving relief and rehabilitation in disasters, conflict arenas and other crisis by working alongside the most vulnerable in Africa, Asia and other areas with extraordinary need.” This relief and rehabilitation includes the areas of “health, nutrition, water, sanitation, hygiene and shelter.” After becoming involved with the non-profit in 2010, he instituted a risk management system which included a risk assessment program and linking of this risk assessment “into what we do and to manage that effectively.” His approach is one that can be used for any risk portfolio which a company may carry, including an anti-corruption risk based upon the Foreign Corrupt Practices Act (FCPA).

Risk Assessment

Jackson believes that many risks are similar across different organizations, both for-profit and non-governmental organizations (NGOs), like Medair. Therefore, by reviewing other risk assessment programs, it was possible for him to create a measurement of risk for his client. The risks for Medair include “revenue stream, portfolio fulfillment, staff security, attracting and retaining staff, fraud and business continuity.” To determine the specific risks for each, Jackson led a series of interviews. He cautioned that it must be the “right people in the room.” That is, the ones with the experience who can answer the questions related to risks the entity faces. After feedback from the interviewees, Jackson pared the initial list into a “more specific set of causes of risk and the precise areas to monitor and track.”

From this exercise, Jackson developed “probability and impact definitions and then labeled and described the specific risk.” They are as follows:

Probability Rating    Assessment
Greater than 10%      Very Likely
Less than 10%         Possible
Less than 5%          Unlikely
Less than 1%          Rare

Priority Rating       Impact Rating
1                     Critical
2                     Significant
3                     Moderate
4                     Insignificant

Risk Management

However, the risk assessment and ranking is only the first step. Jackson said that “ongoing communication is key to the effectiveness of risk mitigation.” For Medair, this communication begins when it charts its risk assessments using the above metrics at the quarterly meeting of the Executive Leadership Team (ELT), where risk “mitigation strategies are also analyzed for effectiveness.” These strategies include “making sure that resources are allocated to mitigation actions”, and that all parts of the organization are in communication with each other regarding these actions. All of this is then reviewed at the next quarterly ELT meeting. However, for Jackson the primary key is that risk management must be linked to the organization’s purpose and goals. Your company must be disciplined; it cannot simply develop a risk assessment and then not use it to look at risk generally. As important as systems are, they must be “practical and linked” to what your company does.

The Medair risk management system provides an excellent example of the tools available to the compliance practitioner. The Department of Justice identifies a risk assessment, and its use, as part of a minimum best practices program. Further, your risk assessment should inform your compliance program and not vice versa. The Medair method of assessing risk and then managing from that assessment provides an example of an ongoing process for an overall risk management program for a company under the requirements of the FCPA.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2011
