I made a trip to a neighborhood grocery store yesterday. More than ever before, that involved an assessment of risks. And hand washing, lots of hand washing. And social distancing, though some of my fellow shoppers seemed not to share the conclusions I had drawn from my risk assessment.
Did my behavior change as a result of my risk assessment? Yes. I went to a store that typically has fewer shoppers than some of my old regulars – the big-box store or hypermarket that carries everything, or the one three blocks from my house. Did I face exposure? Potentially, but I believe I undertook “adequate procedures” to reasonably mitigate that risk. I haven’t left the house other than to walk my dog, excepting grocery trips, in a week. And I bought just enough to keep my, and my spouse’s, bodies and souls together (and clean) for about a week.
I would posit that the Spring Breakers in Florida this year also undertook a risk assessment, but perhaps either made unsupported assumptions or drew unwarranted conclusions. Or, as is often the case in the corporate world, their appetite for risk was very different from mine. Unfortunately, the results of their decision not to change their behavior have resulted in news reports of COVID-19 diagnoses for at least some of them and potentially their loved ones.
So, how does all this impact those of us in practically assessing corruption risk? In our opinion, there are three important lessons that certainly existed pre-virus, but are increasingly stark now given that risk assessment has suddenly changed for each of us:
- Your risk assessment is only as good as the data it is fed, including assumptions.
- Risks are dynamic and change as rapidly as the business environment.
- We are all connected – risk assessment must accurately take into account the actions and behaviors of third parties.
In assessing risks before heading out to the grocery store, I looked at the currently available information on the spread of COVID-19 in my region, as well as the possibility of asymptomatic infection. I also took into account the state of my pantry and whether my wife and I really needed more in the fridge than what was already there. I coupled these considerations with the level of traffic in that particular store at that time of day (data that Google actually presents in a helpful bar chart).
This is how our clients weigh factors in their corruption risk assessments ranging from the ubiquitous CPI score of their relevant geography to adverse media about their business partners. There has been much written about corruption risk factors; it is not (yet) a science, but careful attention to the factors, and clear assessment of the quality of the data available to measure those factors, are critical core competencies for today’s compliance personnel.
In fact, the risk factors themselves have changed over time. Initial attempts to measure risk focused almost entirely on geography, whereas now multi-factor analysis is the norm. For example, one relatively interesting “new” factor considers how decentralized a company’s operations are. All other things being equal, greater decentralization equals greater corruption risk – this factor appears, for example, in ISO37001 as well as in a very interesting overview paper written by Dr. Eduard Ivanov of the International Anti-Corruption Academy.
Today’s regulators also underscore the importance of robust data analytics. For example, in the DoJ 2019 publication “Evaluation of Corporate Compliance Programs,” they suggest the following questions to prosecutors considering compliance risk assessments:
“What methodology has the company used to identify, analyze, and address the particular risks it faces? What information or metrics has the company collected and used to help detect the type of misconduct in question? How have the information or metrics informed the company’s compliance program?”
I don’t believe I’ve ever given more forethought to a grocery trip than this one. Two or three weeks ago, I had never really worried about forgetting anything, as the convenience and risk of making another trip wasn’t a big deal. I didn’t dig out an airline amenity kit hand sanitizer bottle and put it in my car before this past week. And thanks to that law firm that handed out hand sanitizer pens at the FCPA conference that one year….
Similarly, corruption risks change – my peers and I used to present on how some industries are exposed to greater corruption risks than others. And which industry did we say was relatively lower risk? Retail. Needless to say, we don’t use retail as an example of a low-risk industry anymore. Nothing is permanent – thus, risk assessments should not be “one and done.”
I’m a Good Driver
As I often told my daughter when I was teaching her to drive, I’m less worried about your driving skills than I am about your ability to protect yourself from others whose abilities may be in question. And I definitely noticed that some of the shoppers in the grocery store had very different thoughts about how to measure six feet than I did. Of course, it has often been remarked on in compliance circles that most corruption prosecutions involve actions perpetrated by third parties.
These three lessons are most powerful when merged – regular, periodic risk assessments based on good data and good assumptions, including robust third party management, will go further than any one lesson on its own and allow you to be resilient, no matter what unprecedented challenge you are facing. And current technology, where artificial intelligence and machine learning are combined with natural language processing, enables the achievement of the overall objective – to mitigate and rapidly respond to emerging risks so we can make quicker, safer decisions for ourselves, our communities and today’s world.