“To lose one parent may be regarded as a misfortune; to lose both looks like carelessness.”

So said Oscar Wilde. And while he clearly didn’t have compliance programs in mind, his immortal words provide a humorous introduction in these distinctly unfunny times to the topic of how the Department of Justice’s recently revised Evaluation of Corporate Compliance Programs (“the Evaluation”)  has impacted how the Department evaluates companies’ risk assessment measures in investigations and prosecutions.

By way of background, over the years many compliance failures have been risk assessment failures. But risk assessment was not in the original Sentencing Guidelines, which were issued in 1991, although it was added when the Guidelines were amended in 2004.  In 2017 the Department published the first iteration of the Evaluation, which was followed by revised versions in 2019 and this year. In this post I look at aspects of the whole of the discussion of risk assessment in the Evaluation – not just the 2020 additions.

One key aspect of the Evaluation is documentation. Many risk assessments are somewhat informal and not sufficiently documented.  Documenting the risk assessment is useful not only in the event of a government investigation or prosecution but also for self-checking by management and for the board of directors’ periodic review of the program. Therefore, for those companies that haven’t already done so, drafting a risk assessment governance document should be considered.

Having a defined methodology – which not all companies do – is also important under the Evaluation. There  are lots of methodological considerations for conducting risk assessments. Included are:

– Different processes – document reviews, interviews, focus groups, surveys.

– Different substantive approaches – e.g., how important is risk impact (as opposed to risk likelihood)? What are boundaries?  What are likely risk scenarios?

– Finding a way to measure success. What have you learned – not just about newly discovered risks, but getting a better understanding about known ones?

One size doesn’t fit all, but all need to select and deploy a methodology.

A third important area under the Evaluation is resources, with the issue being whether the process enables the company to allocate resources to different program elements in an effective and efficient way.  Note that many companies use the results of risk assessments for auditing and board oversight,  but there are many other program elements that could benefit from such use.

Finally, the Evaluation calls upon companies to adopt a “lessons learned” approach to compliance. This brings us back to the title of the piece, and specifically to the need to avoid the appearance of being careless by failing to prevent a recurrence of a specific type of wrongdoing. While funny in a great comic play, there would be little to laugh about in such a situation in a criminal case.