What Is a “Risk Assessment” and How Do You Perform One? – Part 1

October 6, 2018

Government attention to corporate compliance, ethics and governance has vastly increased over the last few years. Massive corporate scandals such as Enron, MCI and others, combined with ongoing fraud and abuse enforcement in the health care and government contracts industries, have created a “perfect storm” of civil and criminal enforcement. The result has been an alphabet soup of acronyms, programs and initiatives suggesting, encouraging, cajoling and, in many cases requiring formal, written codes of ethics and business conduct. Extensive compliance programs, internal control systems, training, auditing and other activities have, in some instances, been imposed on already heavily regulated industries.
This article endeavors to make sense of these standards and provide some practical advice on how to best protect your company by focusing on the one common thread found in virtually all of the new statutory, regulatory and enforcement guidance: “Risk Assessments.”


A Risk Assessment is the process of identifying all the areas of statutory and regulatory compliance your company faces, assessing the likelihood of one or more of your employees violating one of those compliance standards, and then prioritizing and tailoring your compliance controls and procedures to ensure that they focus your compliance efforts according to the degree of risk you’ve identified in each area. The end product is a written document, chart, or both that identifies categories of risk and assesses risk in each.

There are five key points to keep in mind about a Risk Assessment. First, it requires senior management support and involvement, because senior management is ultimately responsible for supporting your company’s compliance efforts. Second, the completed risk assessment is not a secret. If it is to achieve its purpose, it has to be communicated within the company to key personnel and the board. So, while it must be comprehensive, it also has to be concise and understandable. Third, it is a process. Even though it’s a written document, it has to be continuously updated to keep pace with the changes in your business (e.g., in products, services, customer base, geographic areas of operation, etc.) and changes in applicable laws and regulations. Even if there are no changes in those areas, it should be reviewed and revised periodically (that is, about annually). Fourth, a Risk Assessment is not a “scoring” exercise designed to come up with one overall “compliance risk score” for your company. Risk Assessments don’t work that way. A Risk Assessment is not designed to determine an institution’s overall risk level for compliance violations; it’s designed to enable the business to identify specific areas of risk within your areas of operations so that appropriate controls and procedures can be designed and applied by the organization to mitigate the risk in those areas. Fifth, and most importantly, a “Risk Assessment” is not an end in itself. It is only a tool, albeit an essential one, for you to use in assessing your current compliance program’s effectiveness, in identifying its weak spots, and in focusing your compliance controls and procedures on different areas according to the risk assessed in that particular area. Think of it as a tool for prioritizing your scarce compliance resources.


Two reasons. First, your senior management can get sued if you don’t do your compliance program right, and part of your job is to protect them. Second, to put it bluntly, because the government expects your company to, whether you like it or not, and the other part of your job is to protect your company.

Reason number one: Companies must promote an organizational culture that encourages “ethical” conduct. Senior managers have overall responsibility for a compliance program, and they, along with the Board of Directors, can be held accountable for compliance and ethics failures. In a case commonly referred to as the Caremark decision, shareholders filed a lawsuit alleging that Caremark directors bore personal responsibility for their failure to supervise company activity. A Delaware Chancery Judge suggested that “by establishing and maintaining an effective compliance program, board members can protect themselves from personal liability suits.” In re Caremark International Inc. Derivative Litigation, 698 A.2d 959 (Del. Ch. 1996); see also, Stone v. Ritter, 2006 LEXIS 597, *30-31 (Del. November 6, 2006). Failure to have such a program, on the other hand, may “render a director liable for losses caused by non-compliance.”

Reason number two: From the SEC to the Public Company Accounting Oversight Board to the Department of Justice to the Bank Secrecy Act Anti-Money Laundering Examination Manual to the Health and Human Services Department’s Office of Inspector General to the United States Sentencing Commission (Sentencing Commission), government agencies either strongly recommend or flat out require the companies they regulate to implement “risk-based” compliance and ethics procedures. It is increasingly the case that regulatory agencies are also taking into account companies’ compliance and ethics programs in determining whether to bring administrative enforcement or civil money penalty actions against corporations and other organizations. The DOJ has adopted a formal policy requiring all federal prosecutors to consider a company’s compliance and ethics program when making decisions about whether to bring criminal charges against a company. Prosecutors are trained to use the Sentencing Commission’s Guidelines for Organizations (the Sentencing Guidelines) as the standard for these evaluations. The underpinning of an effective Guidelines program is a well-constructed, thorough, written Risk Assessment (United States Sentencing Commission, Guidelines Manual, sect. 8B2.1).


The Sentencing Commission’s Guidelines have incorporated all of the risk-based compliance concepts of most other agencies, so that makes them probably the best place to focus most of our attention. After a two-year study of compliance programs, in 2004 the Sentencing Commission issued its “Amended Guidelines” to clarify and expand its earlier compliance standards. These contain detailed guidance on the elements of an “effective” compliance and ethics program.

While the Amended Guidelines specifically address “criminal conduct,” it is common practice (and, in the minds of most commentators who take the Caremark decision into account, mandatory practice) to expand the scope of the assessment (and the compliance and ethics program) beyond only criminal conduct to include any regulatory compliance or ethical violations. Identifying risk includes matters that could lead not just to criminal enforcement, but to civil or administrative enforcement as well as private lawsuits and even damage to reputation. (Note, because the Sentencing Guidelines are specifically focused on the criminal sentencing process, the U.S. Sentencing Commission [the “Commission”] felt it was beyond its mandate to issue rules for evaluating compliance programs in a non-criminal context. However, the Commission has also made clear in commentary that civil law standards and other non-criminal legal and regulatory risks should be addressed in a truly effective compliance and ethics program. “Best practices” for compliance programs would dictate that all legal and regulatory risks be evaluated and addressed.)


The Amended Guidelines state what compliance practitioners have long known: The appropriate starting point for the design, implementation, or modification of a compliance and ethics program is a Risk Assessment. They say that periodically, and no less than annually, the company should assess the risk of compliance violations within the company and design, implement or modify the compliance and ethics program to reduce or mitigate the risk of wrongdoing. There are other elements of an effective compliance program, of course, but none of them can really be accomplished unless the company first identifies and assesses its risk areas. Thus, it’s fair to say that the Risk Assessment is – or should be – the cornerstone of your compliance program.


There are a number of elements that are critical to the “Risk Assessment.” These are:

  • Identification of all of the legal and regulatory regimes that impact the company’s business;
  • Identification of the policies, procedures and controls the company already has in place to ensure compliance with legal and regulatory requirements;
  • Identification of the areas in which the company’s policies, procedures, controls and compliance program elements are not sufficient to ensure compliance with legal and regulatory requirements;
  • Evaluation of the likelihood that legal and regulatory violations will occur;
  • Evaluation of the seriousness of potential violations and the harm to the company that may be caused by the potential legal and regulatory violations identified;
  • Identification of the reasonable steps that can be taken to prevent, deter and detect the identified improper conduct;
  • Evaluation of the prior history of the company and other similarly situated companies (appropriate consideration should be given to prior criminal, civil and regulatory enforcement actions);
  • Prioritization of the identified compliance risks in order to focus the compliance and ethics program on preventing, detecting and deterring the violations most likely to occur and to cause the most harm to the company; and
  • Identification of compliance and ethics program elements most likely to achieve the goal of preventing, detecting and deterring the violations identified as the top priorities of the compliance and ethics program for the coming year.

If it’s not in writing, it wasn’t done. This is the frequent mantra from regulators, enforcement agencies and the DOJ. Thus, to make the risk assessment process effective, and to get credit for it from the government and the courts, your Risk Assessment must be in writing, and you should document each step of the assessment process.

How much documentation? The answer depends on the company. For large, multinational corporations involved in heavily regulated business activities, the “Risk Assessment” should be comprehensive and involve personnel from each business unit and department. They will need to evaluate a broad and complex range of risk exposures, including things like the bribery of foreign officials, financial reporting fraud, insider trading, import and export law requirements, specific industry regulations and many others. For small, purely domestic companies that are not in heavily regulated industries, the process can be much simpler. Many companies find the process easier to monitor and to communicate to both management and the board of directors through the use of tables, or “matrixes” that chart the risks and assign some kind of scoring to enable a numerical prioritization of the risks to be addressed.

Our thanks to this article’s authors, Christopher A. Myers and Gregory A. Baldwin of Holland & Knight.

Christopher A. Myers is chair of Holland & Knight’s Compliance Services Team and a member of the firm’s White Collar Defense Team. He is a former federal prosecutor and has experience in a broad range of complex matters affecting heavily regulated industries, including health care, government contracts, financial institutions, real estate, securities and other companies. He has represented clients with respect to matters involving civil and criminal fraud investigations, corporate governance, anti-money laundering, design and implementation of compliance programs, and administrative litigation. Mr. Myers is certified as an Anti-Money Laundering Specialist and as a Certified Compliance & Ethics Professional.

Greg Baldwin practices in the areas of complex commercial litigation and white collar criminal defense. He specializes in the Foreign Corrupt Practices Act, U.S.A. Patriot Act, the Bank Secrecy Act, the Money Laundering Control Act, and OFAC regulations, as well as anti-money laundering and OFAC compliance program development and implementation. Mr. Baldwin is a Certified Anti-Money Laundering Specialist.

Holland & Knight is a global law firm with more than 1,150 lawyers in 17 U.S. offices. Other offices around the world are located in Beijing and Mexico City, with representative offices in Caracas and Tel Aviv. Holland & Knight is among the world’s 18 largest firms, providing representation in litigation, business, real estate and governmental law. Our interdisciplinary practice groups and industry-based teams ensure clients have access to attorneys throughout the firm, regardless of location.

DISCLAIMER: This Corporate Governance article is provided as an informational resource and does not constitute legal advice. The information provided in this article is based on the laws in effect at the time the article was published. Laws related to this article’s topics may change over the course of time. Visitors to this website should not rely upon or act upon this information without seeking professional legal counsel.