What Is a “Risk Assessment” and How Do You Perform One? – Part 2

October 6, 2018

This article is a continuation of our most recent corporate governance series. If you missed part 1, you can read it here.


LJN’s The Corporate Counselor, February 2008

The first time a company conducts a risk assessment, it should seriously consider doing it with the assistance of an “expert” and the oversight of a lawyer, in-house or outside. Also, document that the process is being undertaken in order to provide legal advice to the company, because a first-time “Risk Assessment” can uncover serious legal problems that you may want to cloak with the attorney-client privilege. After the first “Risk Assessment” has been done, the ongoing changes and updates to it can be done through your compliance department or risk management office.

In conducting a first-time “Risk Assessment,” we typically envision a three-step process.

Step One: Information Gathering: The first step consists of “information gathering” designed to achieve a thorough understanding of the company’s operations and its legal and regulatory environment, and to identify all risk areas. This step itself involves three separate but overlapping parts: first, an initial, detailed consultation; second, the collection and review of appropriate company documents and data; and third, interviews and/or surveys of appropriate personnel.

(a) Consultation: Start with a consultation between the expert and a designated individual or group at the company. The designated company person(s) should have, or should be able to arrange for consultations with the persons who have, a thorough knowledge of the company’s: organization; methods of operation; financial controls; identity of key personnel; the various types of data and documents the company has; and its current compliance procedures.

One cost-saving point: Since your written Risk Assessment will be continuously updated and revised, your compliance and/or risk management person(s) should work closely with the “expert” the first time around to learn the process so that they can do later updates themselves. Retain an “expert” who is willing to teach your people how to do it themselves.

(b) Data and Document Collection: The second part of this process involves collecting appropriate documents and data. Get supporting materials for your identification and assessment of risk areas. Some of these documents (such as the current compliance program materials) can be readily identified. Other materials will require discussion in the consultation process to identify (and collect). You, as in-house counsel, will already know the statutory and regulatory regimes you have to address, but you may not know the actual business as well as you think.

(c) Interviews/Surveys: Based on the initial consultation activities, the third part of the data gathering process involves interviewing and/or surveying appropriate personnel who represent the critical areas of the company’s structure and operations. These interviews or surveys are conducted to ensure a complete understanding of the company and its operations, and also to learn which compliance procedures work, which ones do not work and why, and to identify as many loopholes and risk areas within the procedures as we can. Quite often, the persons most intimately involved with the actual day-to-day operations of an institution will be the persons who can most readily identify the loopholes and some previously unidentified problem areas. In order to collect information consistently, a standard interview form can be developed for use during all interviews. For larger companies, consider doing an employee survey to supplement interviews.

Step Two: Evaluation of Risk Categories and Level of Risk: The second step starts with breaking down the risk categories identified into specific components or sub-categories (types of risk). Next, each sub-category should be evaluated to actually assess the risk level associated with it. The risk levels should include an evaluation of the likelihood of a violation in each area and an assessment of the level and type of damage a violation could cause. This step should also include an evaluation of the sufficiency of existing compliance or control procedures. It is usually helpful to prepare tables or matrices listing the categories of risk and tracking the steps in the analysis. Standard scoring systems can be established using designations such as “high,” “moderate” or “low,” or a numerical designation, such as 1 to 5. The degree of analysis will, of course, vary, depending on the information collected and the risk categories identified.

Step Three: Analysis, Documentation and Setting of Priorities: The third step in the process will be to prepare a written risk assessment based on steps one and two. This will include two things. First, it will include an analysis of identified risks, presented in a concise manner so as to provide clear guidance to the company in identifying various risk profiles and in tailoring and prioritizing its compliance activities accordingly. Second, it will include a chart of risk areas together with their level of risk and a brief explanation. The aim will be to present the Risk Assessment as clearly as possible so that it can be easily used and efficiently referred to by the compliance officer, senior management, the board and appropriate supervisory personnel.

Finally, based on the final product, the team involved in the process should make recommendations on the priorities in addressing risks during the coming period of time. For example, the team might list five risk priorities it recommends to be the focus of compliance efforts for the coming quarter or year. The process of analysis and the recommended priorities would then be documented in a report to management and the board. As a best practice, the recommendations should be ratified or approved by either management, the board, or both. The reason for this is twofold. First, it keeps these bodies informed of key issues affecting the company and their oversight responsibilities; and second, having the risks outlined in black and white can have a salutary effect on obtaining the resources necessary to appropriately mitigate the risks.

Our thanks to this article’s authors, Christopher A. Myers and Gregory A. Baldwin of Holland & Knight.

Christopher A. Myers is chair of Holland & Knight’s Compliance Services Team and a member of the firm’s White Collar Defense Team. He is a former federal prosecutor and has experience in a broad range of complex matters affecting heavily regulated industries, including health care, government contracts, financial institutions, real estate, securities and other companies. He has represented clients with respect to matters involving civil and criminal fraud investigations, corporate governance, anti-money laundering, design and implementation of compliance programs, and administrative litigation. Mr. Myers is certified as an Anti-Money Laundering Specialist and as a Certified Compliance & Ethics Professional.

Greg Baldwin practices in the areas of complex commercial litigation and white collar criminal defense. He specializes in the Foreign Corrupt Practices Act, U.S.A. Patriot Act, the Bank Secrecy Act, the Money Laundering Control Act, and OFAC regulations, as well as anti-money laundering and OFAC compliance program development and implementation. Mr. Baldwin is a Certified Anti-Money Laundering Specialist.

Holland & Knight is a global law firm with more than 1,150 lawyers in 17 U.S. offices. Other offices around the world are located in Beijing and Mexico City, with representative offices in Caracas and Tel Aviv. Holland & Knight is among the world’s 18 largest firms, providing representation in litigation, business, real estate and governmental law. Our interdisciplinary practice groups and industry-based teams ensure clients have access to attorneys throughout the firm, regardless of location.

DISCLAIMER: This Corporate Governance article is provided as an informational resource and does not constitute legal advice. The information provided in this article is based on the laws in effect at the time the article was published. Laws related to this article’s topics may change over the course of time. Visitors to this website should not rely upon or act upon this information without seeking professional legal counsel.