Yesterday's updated guidance from the Justice Department speaks directly to the approach published last week, "Identifying Cross-Functional Risk in a Global Environment."
It is impossible to implement effective controls without first properly identifying sources of risk.
"Companies that operate in multiple jurisdictions and possess complex structures, functions and processes across their value chain are challenged to sufficiently meet compliance requirements due to resource limitations, diverse processes and unwieldy organizational design. Controlling and mitigating risk is even harder when there hasn’t been proper identification of potential sources of risks across people, products and locations."
The update directs prosecutors to assess whether a company devotes too much scrutiny to low-risk transactions, such as for gifts or hospitality, and not enough to large payments, such as third-party contracts in high-risk countries. It directs prosecutors to evaluate compensation incentives, and whether a company has oversight of third-party relationships, such as audit rights to scrutinize vendors. “We recognize that each company’s risk profile and solutions to reduce its risks warrant particularized evaluation,” Assistant Attorney General Brian A. Benczkowski said Tuesday in a speech accompanying the release of the guidelines. The guidelines overlook one of the most critical questions in evaluating a company’s compliance program, said Gerry Zack, chief executive of the Society of Corporate Compliance and Ethics, a professional association. Prosecutors should ask how companies have designed controls based on the risks they have identified, Mr. Zack said.