Many compliance officers are terrified of waking up and finding that they did not fulfill an obligation under a law they never heard of. How can any person be expected to know about all laws? The answer is that they can’t. No person in the world would be expected to know the ins and outs of all bribery laws, much less all the laws managed by the typical compliance team.

This is the second of two blog posts exploring how to manage competing laws and making decisions in a multi-national world. In Part 1, we explored the challenges of competing laws and revealed the best way of structuring your program to respond to them. In this blog, we’ll discuss ways to get help to ensure you know about the laws affecting your program, as well as how to document your decision-making to meet regulatory expectations.

Where to Get Help

There are several ways to get help so you can sleep at night. These include:

Enlist the Help of Local Compliance Champions

Choosing a local compliance champion has myriad benefits. The person can be your eyes and ears on the ground, give training in the local language, and assist in ensuring that the compliance program is rolled out effectively in their region. In addition to these tasks, assign the local compliance champion the job of…

In the times that we’re in, who doesn’t want to pandemic-proof their compliance and risk program? Join me on Tuesday, July 28th at 11:00 a.m. Eastern as I reveal how to pandemic proof your program with Lockpath’s Director of Industry Solutions, (NAVEX Global) Sam Abadir.

In this lively webinar you’ll learn:

• Three risk assessment areas to address during this stage of the pandemic

• How to advocate for compliance when budget cuts are being discussed

• Why third-party risk management is so critical for sustainable recovery and how you can adjust your process

• And much more!

CLICK HERE to register. Thanks so much for joining us!

I’m delighted to announce that the Compliance Certification Board has approved the Risk Assessments Made Easy course for 2.4 non-live credit hours! That means that you can complete your risk assessment easily and get 2.4 credit hours as well! The CEUs count toward the CCEP, CCEP-I, CHC, and a number of other certifications. Even more reason to join! Find out more at https://www.compliancekristy.com/risk-assessments-made-easy.

If Compliance were a food, it would be alphabet soup. FCPA, OFAC, UKBA, CCPA, GDPR, DPA, DOJ, SEC, AML, SFO, SDN… the list goes on. This gaggle of letters tangles many a compliance officer. Deciphering the meaning of each acronym is tough enough on its own. Creating a program that meets the requirements of all of them is much more challenging.

One of the questions I am asked most frequently is how to manage a multi-national program effectively. There are many considerations for doing this, and each one must be weighed based on the company’s individual circumstances. Nevertheless, there are ways to approach running a multi-national program that produces more effective compliance programs.

This is the first of two blog posts exploring how to manage competing laws and making decisions in a multi-national world. In this blog, we’ll explore the challenges of competing laws, and reveal the best way of structuring your program to respond to them.

The Problem of Competing Laws

Bribery, money laundering, invasions of privacy, modern slavery, and unethical conduct take place within every country in the world. These challenges are universal, and therefore, all or nearly all countries create laws to reign in and punish these behaviors. The problem is that each country tries to manage these challenges differently – sometimes drastically differently. This leads to competing obligations for the compliance department.

Two Approaches to Handling Multi-National Programs

Generally speaking, there are two approaches to managing international programs. One is to choose a regional approach, creating an overarching program implemented with regional differences. The other is to choose the strictest law with the harshest penalties and create the global program framework around those requirements.

The Problem with the First Approach

The problem with the first approach is…

The launch of Risk Assessments Made Easy has been more popular than we ever could have dreamed.

Special launch pricing ends tomorrow night. Saturday the course will more than double in price. If you think you might perform a risk assessment in the next 12 months, you'll save your company hundreds of dollars by purchasing now.

Don't miss out on your chance to save! Click HERE for more information: https://www.compliancekristy.com/risk-assessments-made-easy

“He did WHAT? Are you kidding me? How did this happen? How can we stop it from ever happening again? Change the policy immediately. Shut down access to the system. Suspend everyone on the team right now! This is a disaster.”

In Compliance, our job is to put controls and processes in place that reduce the likelihood of misconduct, then investigate when things go wrong, then change the systems and controls when we find that one is lacking. However, when something goes wrong, too often we stampede to respond with ill-thought-through plans, panicking instead of looking critically at what went wrong in an individual case. It can be difficult to stop to consider whether the situation was caused by a rogue employee or whether there truly was a deficiency that needs to be addressed.

Why we overreact

According to behavioral economist Andy Reed, overreaction is a natural human instinct. Reed states that humans are instinctively risk-averse and frequently are overly influenced by what has just happened instead of looking at long-term patterns. We may fear that…

The word “risk” appears 56 times in the 20 pages of the DOJ’s guidance on the evaluation of corporate compliance programs. That’s more than twice per page. The phrase “risk assessment” appears eight times, and “risk-based” four. The DOJ instructs prosecutors to evaluate whether a risk-based approach was taken with respect to training, third-party due diligence, integration into enterprise risk, and the program as a whole.

How can you prove a risk-based approach without a written risk assessment?

Answer: you can’t. When a prosecutor arrives and begins questioning the compliance and management team on how decisions were made, the prosecutor will expect that the answers will flow from a documented, well-thought-out risk assessment. Indeed, “Prosecutors may credit the quality and effectiveness of a risk-based compliance program that devotes appropriate attention and resources to high-risk transactions, even if it fails to prevent an infraction.”

Risk Assessment Isn’t Just Meant to Protect from Prosecution

Hands up anyone who has all the financial, human, temporal, and technological resources they need to run their program with maximum effectiveness. Right. A risk-based approach is critical because it allows you to allocate limited time and money to the highest-risk areas of the business. If there isn’t a proper evaluation of the risks facing the business, there can’t be a systematized, defensible way of designing your program.

Top Tips for Risk Assessment Success

This is the first in a series of blog posts that will reveal top tips for performing a successful risk assessment. The basic flow of any risk assessment is the same: (1) scoping, (2) document collection, (3) interviews, (4) regulatory review/benchmarking, (5) choosing a methodology and evaluating risk, (6) writing the report and creating the heat map, and (7) applying the risk-based approach to the rest of your program. The steps may be the same, but the way you execute them makes all the difference.

Scoping: The Most Important Step

If a risk assessment isn’t properly scoped, it is likely to fail. It will either spiral out of control and be unmanageable or not properly capture the risks facing the business. Getting the scope right will enable you to ask for the right documents, set up the right interviews, review the correct regulatory guidance, benchmark against the right sources, evaluate risk correctly, and apply the right risk-based approach to the rest of your program. Scoping sounds easy, but frequently isn’t.

There are two basic types of risk assessments. The first reviews multiple types of risk against each other. For instance, a multi-subject risk assessment may evaluate the company’s bribery risk against its trade sanctions, antitrust/competition, data privacy, and modern slavery risk. The second type reviews one type of risk in-depth, such as bribery or money-laundering.

Following you’ll find five top tips for scoping your risk assessment. The first two Top Tips relate solely to multi-subject risk assessments, the third solely to single-subject risk assessments, and the last two apply to both types.

Top Tip One: Don’t Go Outside the Scope of Your Program (if you can help it)…