Jeff Kaplan: Steve, while you and I have conducted many risk and program assessments for companies over the years - both as a team and separately, for quite a few of these a key challenge was helping the E&C officer persuade management of the need for such a process in the first place. What sorts of information and ideas have you found most useful to E&C officers in making the sale internally for an assessment – risk, program or, as is often the case, a blend of the two?
Steve Priest: I find it most helpful to identify why some members of senior management might not be supportive of the idea of an assessment. The concerns I most frequently hear are: 1. “Why do we need one? Do we think we have an issue? Is it required?” 2. “It will cost too much.” 3. “It will demand too much time and attention. The last thing we need is more consultants/lawyers.” 4. “What happens if we find out real problems, and we are not ready or resourced to fix them?” Perhaps we could address these in turn.
Jeff: Good approach, and as to the first of the four concerns it is important – here and elsewhere in E&C – not to oversell, so one cannot contend that risk or program assessments are truly required as a matter of law (the way, for instance, paying taxes is mandatory). However, a fair reading of relevant legal standards – the Sentencing Guidelines, the DOJ/SEC FCPA compliance guidance and the OECD good practice guidance for anti-corruption compliance programs, among others– is that assessments are clearly expected by the government. This, in turn, means that a company that has not conducted an assessment could, in the setting of an investigation, look like it was putting its head in the sand, and you can readily imagine how being viewed that way could really hurt.
Steve: I agree with you, and as a business guy would also add that it makes sense to understand your risks and how well you are currently doing to mitigate them in order to prioritize, plan and budget. I once worked with a large manufacturer that had about 40 computer based training modules, and 30 of them were on privacy. A total misallocation of resources based on their risks. Which leads us to the cost point. This is really a red herring. Of course we have seen “boil the ocean” assessments done that costs hundreds of thousands of dollars. But assessments can be calibrated to fit budgets and needs.
Jeff: And the same point about calibration is true with time demands, which is the third general source of concern about assessments. Additionally, the time that a company spends on an assessment should not be viewed solely as a cost. That is, both of us have seen how assessment interviews and focus groups – particularly involving business leaders – can themselves elevate the participants’ understanding and appreciation of their respective companies’ E&C programs, and often lead to more active support of programs by these individuals.
So, that’s three down. How do you respond to the final hurdle – about a company’s possibly finding problems that they may not be prepared or resourced to address?
Steve: This offers great psychological insight into a company. There are some people who have a “what you don’t know can’t hurt you” mindset. We’re the ones who didn’t want to know the calorie counts of restaurant meals. The corporate equivalent is “we’ll deal with problems when they happen.” And there are others who want to know and consider everything possible that can go wrong. This is a bad approach too, as it results in paralysis in the extreme, but more commonly an undifferentiated approach to risk. These are the people who won’t go swimming for fear of sharks. Even in Lake Michigan. One corporate analog is making all employees take training on all kinds of compliance risks because “they might conceivably face them.”
To more specifically answer your question, if a company is unprepared to address problems it should probably not do an assessment. It is fine if you use the assessment to prioritize—even skeptical outsiders understand that you can’t address everything at once. Use the assessment to prioritize and develop a plan. And sleep slightly better, knowing that you have made a good faith effort to improve your organization’s ethical performance.