The weather-themed blog posts continue today. Having looked at risk management and root cause analysis earlier this week, today I want to use our Texas cold snap to consider how to put in place a key element from the Department of Justice’s (DOJ) 2020 Update to the Evaluation of Corporate Compliance Programs (2020 Update), that being risk assessments. One cannot really say enough about risk assessments in the context of anti-corruption programs. This is because every corporate compliance program should be based upon a risk assessment, to understand your organization’s business from the commercial perspective, how your organization has identified, assessed, and defined its risk profile and, finally, the degree to which the program devotes appropriate scrutiny and resources to this range of risks. Yet the 2020 Update added a new emphasis that risk assessments should be done no less than annually.
What practical lessons can the Chief Compliance Officer (CCO) or compliance professional draw from the winter wonderland imbroglio the citizens and businesses in Texas find themselves in about now? In the compliance arena, how can you think through a risk assessment process which will allow you to take a dynamic approach to risk assessment that is still grounded in the reality of doing business on an ongoing basis? I put that question to Russ Berland, Chief Integrity and Risk Officer at Aventiv Technologies, LLC. One of the areas that is under Berland’s purview is the company’s risk register. Berland was one of the few CCO types who had put a risk management solution in place for the outbreak of the Covid-19 pandemic before the March 2020 lockdown started. Berland and his team are passionate about risk management helping Aventiv plan for what is seemingly the unknowable.
Berland said that Aventiv breaks its risk management plan down into four categories: (1) Mature Risks, which are risks that have happened and whose aftermath the company is dealing with, such as the pandemic and office closure; (2) Emerging Risks, which have recently been identified and need management attention and mitigation plans; (3) Risks Under Mitigation, which had previously been identified and are the subject of an active mitigation plan and monitoring (these had generally been Emerging Risks earlier); and (4) Risks Under Observation, which are longer-term risks being evaluated to determine if the company needs to actively address them and develop mitigation plans. This Risk Register is reviewed on a monthly basis to determine risk management effectiveness, determine if any risks need to change categories and look at risks which might be on the horizon.
The beauty of this approach is that it allows you to have a framework to not only think through your risks but continually manage them, assess risks through your internal controls and keep apprised of new risks on the horizon. You can then use this framework to respond directly to the manner in which the DOJ lays out its thoughts on compliance best practices around. If you live in a geographic location where weather can lead to complete inability to communicate with your multinational organization, I submit that weather is a risk you need to assess, manage and monitor going forward. In Houston we had two 500-year storms and one 1,000-year storm in one 18-month period. We are now in the midst of a 100-year winter storm event.
Moreover, the Aventiv approach also allows you to answer the DOJ queries in the 2020 Update. Having made clear what risks needed to be assessed, the 2020 Update then focused on the methodology used in the risk assessment process. It stated:
- Risk Management Process – What methodology has the company used to identify, analyze, and address the particular risks it faces? What information or metrics has the company collected and used to help detect the type of misconduct in question? How have the information or metrics informed the company’s compliance program?
- Risk-Tailored Resource Allocation – Does the company devote a disproportionate amount of time to policing low-risk areas instead of high-risk areas, such as questionable payments to third-party consultants, suspicious trading activity, or excessive discounts to resellers and distributors? Does the company give greater scrutiny, as warranted, to high-risk transactions (for instance, a large-dollar contract with a government agency in a high-risk country) than more modest and routine hospitality and entertainment?
- Updates and Revisions – Is the risk assessment current and subject to periodic review? Is the periodic review limited to a “snapshot” in time or based upon continuous access to operational data and information across functions? Has the periodic review led to updates in policies, procedures, and controls? Do these updates account for risks discovered through misconduct or other problems with the compliance program?
The Aventiv approach allows you to demonstrate your well-thought-out risk management process by demonstrating the methodology “the company used to identify, analyze, and address the particular risks it faces”. It also allows you to demonstrate how “the information or metrics informed the company’s compliance program”. The same approach then demonstrates you are focusing on the risks which are high for your organization. Finally, by reviewing your risks in this manner, you demonstrate that you are updating and revising your risks on a consistent basis and that your review is “based upon continuous access to operational data and information across functions”.
What are the weather-related risks to your compliance program? My personal experience tells me that you can lose power for multiple days now in a bad winter storm. I have friends in Austin this week who went four days without power. How can you communicate with them to make sure they are all as well as they can be if there is no power? Who is assigned that duty on your compliance team?
How is your compliance department going to communicate with your overseas business units or perhaps even those in the US if you literally have no power to your compliance team? Once, while at Halliburton, during the relatively mild Hurricane Rita, I was the last lawyer who had phone service in the Houston Legal Department. We had a major deal going on overseas that needed real time legal support from the Home Office. It came down to me being the only person who had a phone line someone from overseas could call into.
This blog (hopefully) concludes my short series on how weather can inform your compliance program. Weather is a risk that many compliance functions and risk managers do not fully assess and plan for. The Aventiv Technologies risk management protocol provides you a framework to think through how you can assess, monitor and manage many forms of risk, as wide and varied as a worldwide pandemic and a 100-year snowstorm and cold snap. From my perspective the state of Texas and its power operations, together with the private entity power generators, all demonstrated catastrophic failures in risk management by being completely unprepared. Their collective failures all led to unnecessary death and needless suffering. I hope this series has demonstrated ways that you as a compliance professional can prevent some of these same issues for your organization.
On a most humble personal note, I want to thank all the people who reached out to me via email, text, phone, IM, Messenger and all other forms of communications to check on me and send good wishes. I cannot be more lucky to be in such a caring community of friends.