A number of compliance thought leaders have written about the importance of good people to an effective compliance program. Programs just don’t work without the right talent. Smart compliance leaders get that. Once companies figure out the people piece (which is not easy), evaluating the risk environment and regulatory requirements helps companies develop programs to address those areas across different subject matters and business units.

Regulatory guidance tells companies to perform risk assessments—focusing on root cause analysis and steps to mitigate risks—but does not provide a government-endorsed road map for how to do it. For instance, the Department of Justice’s evaluation of corporate compliance programs (evaluation guidance) sets forth eleven sample topics and questions that the Fraud Section may consider in evaluating a corporate compliance program. The fifth topic is risk assessment, which includes questions regarding the company’s risk management process/methodology, use of information or metrics, and how the process accounts for manifested risks. You get the what and why, but not the how. But you really don’t want the U.S. Sentencing Commission or the Department of Justice (or even the Securities and Exchange Commission) telling a company how to conduct a risk assessment. The government realizes that organizations are different and so processes will vary, and these government entities don’t really have a reason to develop a detailed risk assessment model. But that does not mean there is not thoughtful and credible guidance out there developed by government agencies.