By Elizabeth Junell
Effective compliance programs are like suits of armor protecting an organization from exposure to risk. The world of risk is forever in flux, so some measure of exposure is needed so that a company can know where weak spots in its armor—areas prone to risk—exist. Compliance resources can then be directed to reinforce the suit of armor as the level of exposure dictates.
At the heart of the compliance program is risk assessment. Assessing risk is not a one-time event, nor is it a one-size-fits-all proposition. Rooting out the weak spots in an organization is a process that should occur at various points in a compliance program’s life cycle. To get the right answer each time, the risk assessment should be tailored to include the organization’s specific risk factors. Companies often use a quantitative approach, strictly by the numbers, but balancing quantitative results with qualitative analysis can be beneficial in identifying the company’s true risk profile.
Jurisdictional or business segment revenue is often used to measure corruption and bribery risks in an anti-corruption compliance program. The revenue generated by unit is weighted by other factors to identify the risk profile for the business as a whole. Other factors may include Transparency International’s (TI) perceived corruption risk (or CPI), revenue generated from state-owned entities versus commercial enterprises, headcount by function, and so forth and so on. The key is to include specifically relevant risk factors without over-engineering the process.
While these quantitative measures can be quite telling about exposure to corruption and bribery risk across an enterprise, qualitative interpretation is important for an effective assessment. Qualitative factors are not typically built into a binary process, but they can be crucial to understanding the level of risk inherent to a particular portion of the business. Balancing the two might reveal that an initial assessment of high risk is actually a lower risk. Ultimately, these two sides of the same coin should coalesce to paint a holistic picture that represents the true risk profile of the business.
I observed an excellent illustration of balancing quantitative with qualitative factors while working with a company that generated significantly more revenue from clients in a Middle Eastern country than any other country where it operated. The particular country is typically considered to be a higher-risk jurisdiction, based on TI’s CPI. As a result, the company’s quantitative analysis indicated that its operations in the Middle East had the greatest exposure to corruption and bribery, with countries in Africa and Asia-Pacific following. To stop here would have meant that the company would have directed its compliance resources accordingly, with the Middle East getting the most attention.
When we applied qualitative interpretation, a different story emerged. The company’s largest client by far in the Middle East was a state-owned entity (SOE). Typically, this fact would support the notion that the quantitative assessment was correct in terms of directing compliance resources.
But the SOE had demonstrated to the company that it was also concerned with anti-corruption compliance, and had become more aggressive itself in developing its compliance program. The company also had SOE clients in Africa and Asia-Pacific, but those clients had not demonstrated to the company the same attention to anti-corruption compliance. As a result, the reality for the company was that its business in the Middle East actually presented lower risk of exposure to corruption and bribery than its operations in the other countries, despite the results of the quantitative analysis.
Binary calculation of risk can be very informative, especially when company-specific risk factors are included. But getting the right answer about where to direct valuable and finite compliance resources requires thoughtful analysis of quantitative results. Considering mitigating circumstances that can be substantiated and documented is crucial, therefore, to an effectively executed risk assessment. The moral of the story? Coalesce the two sides of the same coin.
Elizabeth (Beth) Junell is a partner at Ernst & Young’s Fraud Investigations & Dispute Services practice in Dallas. She is a forensic accountant with significant experience in high-profile fraud, investigations and corporate compliance matters in the U.S. and abroad. She specializes in reactive and proactive anti-corruption-related matters for major multinational companies. The views expressed herein are those of the author and do not necessarily reflect the views of Ernst & Young LLP.