This is the second in a series of postings by Jeff Kaplan on compliance and ethics (C&E) programs and cost. The first examined the growing costs of C&E program failures. In this and succeeding posts I’ll explore non-costly ways to achieve C&E program successes.
One of these is to build C&E risk assessment into other functions. Conducting a C&E risk assessment is, of course, foundational to having an effective C&E program, but many companies have failed to construct this foundation – partly out of concern for cost. Ironically, this failure may lead to unnecessary C&E program expenditures – i.e., to overshooting the mark in terms of effort. (A common example of this is providing training to too many employees – a cost issue that will be discussed more in a future posting.)
Moreover, frequently much (although not necessarily all) of what is needed can be accomplished by building risk assessment features into other C&E functions. For example, in conducting training of a company’s senior management, the trainer might not only address generally each major area of risk (e.g., corruption, competition law, etc.), but use the occasion to solicit information about the company’s specific risks and the sufficiency of its remediation for that area. This can itself be a form of risk assessment. (One should, of course, solicit information of this sort in a more confidential way, too – such as through interviews or questionnaires. However, the training can make managers’ risk assessment feedback, regardless of how it is sought, more informed and hence more useful.)