[Return To Selected Articles]
September/October 2000 - By Jeffrey M. Kaplan
Thinking Inside The Box: Risk Analysis In Three Dimensions
Among the many path-breaking aspects of the corporate Sentencing Guidelines’ articulation of effective compliance programs is the emphasis on systematic, prospective risk analysis.
Prior to the Guidelines, internal compliance efforts often had a largely
retrospective character. For example, after the well-known prosecutions of electrical contractors in the 1960s for price fixing, many firms developed compliance efforts aimed primarily at the antitrust area. Similarly, the foreign corrupt payment scandals of the 1970s led to compliance efforts devoted to this field of law, and the insider trading and government procurement fraud cases of the 1980s had a similar important but limited impact on the development of policies and procedures. Like
the French government building the Maginot Line (the famously unsuccessful World War II strategy which used World War I type defenses), the approach in each of these instances was effective only to defend against the dangers of the past.
A need to review risks
The Guidelines "step one," however, requires compliance efforts to be tailored to the particular risks a non-compliant company faces, an unquestionably future looking formulation. Similarly, virtually all
articulations of effective compliance programs by government agencies since the Guidelines implicitly or explicitly require an effort by companies to review risks in a meaningful way.
But neither the Guidelines nor any other pronouncement provides much guidance on how a company should go about the critical task of risk analysis. That is the topic of this article.
Two analyses with one review
The first thing that should be said about risk analysis is that the process
allows one to undertake a review that is equally important to the development of a compliance program: that is, inventorying existing compliance mechanisms.
For those who have worked in this field for any length of time, the following experience has become commonplace. Company management and their advisors insist that they are starting from ground zero in the compliance field and have no compliance program components. However, upon digging deeper one discovers that numerous
compliance-related functions already exist. (This is like Moliere’s Bourgeois Gentilhomme who, upon being taught about the form of speech called "prose," was delighted to discover that he had in fact been speaking prose all his life.)
The task then becomes not so much building a program completely from scratch but supplementing existing compliance elements and creating an overall program architecture in which such elements exist. Thus, while undergoing a process of analyzing
risk, one should also inventory existing compliance policies and procedures.
The three-dimensional matrix
One organizing device for the analysis (of both risks and existing program elements) is a three-dimensional matrix. The first axis of the matrix consists of legal risk areas. There are many obvious areas for inclusion here, such as antitrust, employment-related laws, and anti-corruption-related statutes, to name but a few. For these and other legal areas a good starting
point can be a pre-existing generic list. (One example is found in Kaplan, Murphy, Swenson, Compliance Programs and the Corporate Sentencing Guidelines, [West 1993] Appendix 6A.)
However, in constructing this aspect of the matrix, two points should be kept in mind. First, many topics (such as antitrust) encompass numerous different issues. Thus, one must think in terms of conduct categories within such broad ranges of law—for example, price fixing, price discrimination, etc.
Second, starter lists should be treated as nothing more than a point of departure. It is essential that a company fully develop its own customized list of possible risk topics from as many sources as it reasonably can.
A discussion with a company’s law department is often the best place to begin this process. Other staff departments—such as human resources, finance, audit, and security—may have important sources of risk-related information, too, as might key line employees and also
outside consultants (e.g. lawyers). A variety of documents bearing on risk—such as litigation files, customer complaints and many others—should be examined as well.
In reviewing such sources of information it is important, of course, not to limit one’s inquiry to actual past incidents of non-compliance (i.e., the "Maginot Line" approach). Rather, the appropriate inquiry is far more wide reaching—fields of law that have a reasonable likelihood of impacting the corporation
through wrongful acts of employees and agents.
The second axis of the three-dimensional matrix consists of business lines within the company. Here, too, it is important to use substance over form. Thus, one should be concerned less with formal organizational divisions than with different types of business activity—such as sales and production.
One must also consider important sub-categories and not conduct the review simply utilizing broad business
activity categories. For example, telemarketing might be a category of sales that for risk purposes is analytically distinct from others. Production relating to government contracts will likely generate its own set of risks, as will production in foreign countries.
Adding ‘compliance functions’ to the matrix
The third axis consists of ‘compliance functions.’ The most obvious of these are: (1) assignment of responsibility, (2) developing standards, (3) communicating standards,
(4) auditing and monitoring, and (5) personnel-related measures (meaning not only the Guidelines’ requirement of ensuring that no employees with propensities for criminal activity are hired or promoted, but also that the overall mix of incentives for employees does not encourage non-compliance).
A full compliance program requires other functions, too, such as means for employees to report violations, investigations and adequate discipline. However, while occasionally these may vary
somewhat by risk areas (for example, in the sexual harassment field) or by business activity (e.g., with operating nuclear power plants), for the most part the analysis for such functions cuts across all aspects of the matrix.
Working inside the box
Having thus constructed the three-dimensional matrix the next step is utilizing it. What does a company do with this large "box"?
Essentially, the task is to look into each "sub-box" (meaning the various
intersections of the lines from each axis) to determine the following: (1) whether, given the nature of the company’s risks within an area of business activity there is a need for a compliance function in that sub-box; (2) if so, does the existing compliance function—if any—serve that need; and (3) if not, what type of compliance function is necessary to meet the risk?
Several (real-life) examples may help illustrate how this process works:
• A company with a consulting arm
has general confidentiality policies but these fail to address the prohibition of trading in the stock based on inside information of the company’s clients (as opposed to the company’s own stock). This is a typical example of a company having some compliance function in a given area but not enough of a one, given the risks arising from a particular business activity.
• A company has antitrust compliance policies and training but not another key antitrust "compliance
function"—auditing—for its sales force. This illustrates how a seemingly small omission—i.e., a single missing "sub-box"—could be catastrophic, given that (1) by far the highest fines under the Sentencing Guidelines have occurred in the antitrust field, and (2) the Antitrust Division of the Department of Justice is on record as stating that auditing is a key component of effective antitrust compliance programs.
• A "new economy" start-up company develops a
general computer-use policy, but the policy fails to address the risks of defaming competitors via the Internet. This could be a potentially harmful omission, given that employees in new economy firms are often inexperienced and lack an understanding of the risks of defamation that one typically develops over the course of time.
• A bank establishes guidelines for marketing complex derivative financial instruments but fails to assign adequate responsibility for ensuring that those
guidelines are maintained. (In this case, the bank’s compliance failure led to fines and civil settlements of hundreds of millions of dollars.)
Building a three-dimensional risk analysis matrix can seem to be a daunting task. However, once a company moves down this path the effort tends to go quickly.
Moreover, a non-systematic approach to risk analysis itself risks missing significant potential trouble spots. And, under the Sentencing Guidelines, a single
such miss can have catastrophic consequences.
Jeffrey M. Kaplan is the executive editor of ethikos and a partner at Arkin Kaplan & Cohen LLP, New York, New York.
Reprinted from the September/October 2000 issue of ethikos
© 2004 Ethikos, Inc. All rights reserved.
[Return To Selected Articles]