ISO 37001: Yes, We Need One Anti-Bribery Standard To Rule Them All

Have you ever sat across from your joint venture partner in Indonesia, Romania or Taiwan trying to explain why the United States Federal Sentencing Guidelines mean their employees should receive anti-bribery training? I have, and it isn't a fun conversation.

The long, strong arm of the FCPA, as Dick Cassin has called it, can create reactive, fear-driven compliance programs built to protect against enforcement rather than to prevent bribery. When a compliance officer visits joint venture partners, agents or supply chain companies outside the U.S. or UK, getting buy-in for standard compliance program elements like anti-bribery training, whistleblower mechanisms, audit clauses and termination-for-cause clauses in contracts can be an uphill battle.

Enter the global ISO 37001 standard. 
ISO 37001 is expected to be finalized next month and available at the end of the year.  As Matt Kelly noted, “U.S. compliance officers can rest easy: this standard is nothing that you are not doing already.” 

Alexandra Wrage added, “Compliance professionals working in jurisdictions with a credible threat of anti-bribery enforcement -- the U.S., UK, Canada, Germany -- will find nothing new in this standard.” 

But that's just the point -- companies outside of the U.S., UK, Canada and Germany will now have a positive, proactive standard to adhere to, and a certification to prove it.

Worth MacMurray and Leslie Benton said the ISO standard was developed by business for business, with input from delegates from 40 countries. Businesses are used to the certification process for other ISO standards, and many tout their ISO certifications as a competitive differentiator.

My company has helped other companies prepare for their ISO 27001 certification audits (information security management). I've seen supply chain and provider audits from multi-national companies requiring their providers to maintain ISO 27001 certification, as it is seen as a baseline requirement for doing business. If the global business community adopts ISO 37001 certification as a baseline requirement, we'll be in a much better place than we are now.

But what about Alexandra Wrage's argument that an outside auditor cannot fully understand the risks the company faces, and will either rubber-stamp the program or impose his or her own judgments from a less informed position? While these are surely risks, I believe for most compliance officers, certification and re-certification of the compliance program to the ISO standard will be welcome.

The audit requires resources -- both for the audit itself and for the creation or continuation of the compliance program underlying the certification. You can't prove you did training without a training budget and records of attendance. Compliance frequently struggles to keep resources when no crisis has occurred or the last one is far in the past. The annual ISO audit and re-certification process will ensure a basic level of resources and structure for the compliance program, which in many places throughout the world is far more than programs have now.

The ISO 37001 standard won't be a panacea for risk or a foolproof protection against prosecution. But it will be a global standard for what constitutes a "good" anti-bribery compliance program. That's a welcome and exciting development for the compliance world.

The Way I See It: Risk Assessments Are Too Backward Facing

The way I see it, many risk assessments are far too backward-looking, which makes them inaccurate predictors of future risk. Risk assessments ostensibly help the company prioritize the risks that need greater resources, which in turn lessens the focus on risks unlikely to cause big problems. The trouble is, many companies use unhelpful methodologies and the previous year's lessons learned, which fail to give useful forward-looking results. Following are three problematic areas of focus, with suggestions for how to make your annual risk assessment more robust and more likely to produce a meaningful roadmap for prioritizing real risk.
 
Problem No. 1:  Compliance Performs the Risk Assessment in a Vacuum
 
In many companies, compliance is tasked with producing the annual risk report and presenting it to the C-suite or Board without input from other functions. Compliance is therefore entirely reliant on its own experience and what it has learned during the past year. This makes the risk assessment limited in scope and understanding.
 
A better way of performing a risk assessment is to involve multiple stakeholders from different areas of the business in order to get a full picture of where each function sees risk, problems and opportunities. Compliance professionals will do themselves a big favour if they request input from:

  • Legal
  • Human Resources
  • Finance
  • Sales
  • Marketing
  • Audit

Each of these functions will have its own idea of where the greatest risks lie. You can send representatives of each function a short survey or an email questionnaire, or request a 15-minute phone conversation. You can then take this information into account to create a risk assessment that reflects a more informed view of the business.
 
This multi-disciplinary approach to the risk assessment not only creates a more balanced risk assessment, but it lays the groundwork for better collaboration between Compliance and the other functions throughout the year when they come across compliance-related issues.  The more Compliance can interact with other areas of the business, the more effective compliance can be. 
 
Problem No. 2: Risk Assessments are Focused on Lessons Learned and Current Laws
 
Many risk assessments are simply updated year-on-year without much thought about the methodology. Every year the Compliance Department should begin the risk assessment by asking whether the prior years' methodology still makes sense. As regulation grows and the scope of risk owned by compliance expands, the methodology and risk categories should be reviewed before the assessment is undertaken, to determine whether last year's approach is rigorous enough for this year.
 
Once the methodology and risk categories are reviewed, Compliance needs to take a forward-looking approach to the risks the business will face in the upcoming year. To be effective this requires considering several things, for instance:

  • Are there new sales initiatives planned that will create new risk areas or heighten existing risks?
  • Are there draft laws or regulations likely to come into force which will significantly increase penalties for failure?
  • Are there mergers, acquisitions, investments or other activities planned or under consideration which will require additional compliance-related resources or create greater risk than currently exists?

To be fully effective, Compliance needs to use the answers gathered from its discussions with the other functions to complete the risk assessment. Compliance should also consider talking to outside counsel, or reviewing the updates many law firms publish, to help plan responses to upcoming regulations.
 
It is tempting to carbon-copy last year’s risk assessment, but a proper risk assessment requires a thorough review of the upcoming year with fresh eyes and potentially new methodology.
 
Problem No. 3: Too Much Focus on Metrics
 
Let's face it: boards and members of the C-suite love metrics. There is something soothing about a graph or Excel report showing year-on-year growth in calls to the whistle-blower hotline or a 99% completion rate for mandatory training. But over-reliance on these metrics produces an empty-calorie version of the risk assessment. It may taste good at the time, but it provides no nutrition to carry you through the year.
 
Over-reliance on metrics gives a false sense of understanding of the program, where it is going and how effective it is with respect to critical things like culture. We need to balance the reporting of metrics with things like:

  • Survey results regarding culture and perceptions of ethics at the company.
  • Case studies where things went well and badly with respect to ethics at the company the previous year.
  • Review of human resources complaints or resolution of representative calls to our whistle-blower hotline.
  • Review of the engagement survey results in the context of the metrics.
  • Review of press coverage of the company in the context of culture and ethics.

Reviewing these types of materials will round out the metrics discussion with human information that brings the numbers to life. Risk assessments that focus entirely on metrics and big data analytics miss the human and cultural element, which frequently provides a better diagnosis of the company than any Excel spreadsheet ever could.
 
Conclusion
 
To be effective, risk assessments need to be forward-looking, based on good data and a holistic view of the business. Compliance can't do this by itself, and it can't do this using only metrics and backward-looking lessons learned. Engage with the other functions, focus on what is coming, and use human and culture-related information to inform your risk assessment so it will help you through the whole year.

Am I a Good Compliance Officer?

I was recently asked to write an article on what it takes to be a “good” compliance officer.  The question felt enormous.  Should I write about the areas of law a compliance officer is expected to know about?  Should I write about the backgrounds and expertise the compliance officer typically comes from, or qualities that they should possess in order to be effective?  And ultimately, was I a “good” enough compliance officer to even have an opinion about such a subjective idea? It was daunting.
 
I started with the list of things I look for when I hire new compliance officers.  These include:

  • Strong internal fortitude
  • Capacity to tell the truth
  • Great listening skills
  • Genuine enthusiasm for the topic of compliance
  • Belief in the mission of compliance and ethics
  • Natural curiosity about the law and an interest in it
  • Desire and capacity to create systems and policies that work
  • Capacity for influence, persuasion and communication

As I wrote the piece I began to wonder, how would someone know if they were a "good" compliance officer? Assuming a person has all of the qualities listed above, how would they know if they were effective at the job?
 
I thought for a long time about a single criterion which could determine whether a person was good or bad at the job. I finally decided that the best way to determine whether a person is a good compliance officer is whether, over time, the business proactively comes to the compliance officer with problems or to ask for advice.  The most successful compliance officers are those who gain the trust of the business and who become integral to its operations. 
 
Luckily for all of us there isn't a single good/bad barometer, and we can always learn, grow and become more effective. It can be helpful to ask yourself: does the business (or important members of it) come to you to seek your advice, ask for your blessing before projects start, or tell you what is really going on? If so, congratulations -- you're good! If you're finding it hard to answer in the affirmative, take heart! We are all learning how to do the job more effectively. And that, by itself, means we're "good" and getting better.