Last month we hosted a webinar on anti-bribery and corruption (ABC) risk assessments. This was the first in our series of ABC compliance webinars marking the 10th Anniversary of the UK Bribery Act coming into force. You can listen to the audio recording of the webinar on-demand here.

We have put together a selection of frequently asked questions (FAQs) based on the questions raised in the webinar and our experience of conducting risk assessments and explaining them to authorities. Please let us know if you have any further questions or would like to discuss risk assessments in more detail.

  1. How frequently should risk assessments be conducted?

In France, the AFA recommends assessing each year whether or not the risk assessment needs to be updated. This does not mean that the risk assessment itself needs to be refreshed annually, rather this means reviewing whether or not it needs to be updated.

In the US, the Department of Justice (DOJ) expects “periodic and continuous” reviews. The DOJ will look to see if the risk assessments conducted were limited to a snapshot in time, or whether there has been an evolution of the compliance program, building on lessons learned from misconduct, and enhancements to policies, procedures and controls. Prosecutors will be looking to see evidence of an evolution of policies and procedures that reflect the outcomes of regular, ongoing assessments.

In the UK, the Ministry of Justice guidance on “adequate procedures” indicates that risk assessments must be “periodic”. Whilst “periodic” is not defined the expectation is likely to be that, whilst formal assessments are conducted from time to time, a business continuously identifies and manages risks. This has been emphasised in recent UK DPAs: there has been an increased focus on continuous risk assessment and refinement of the compliance programme. This is moving closer to the US model of ‘continuous’ risk assessments.

There is a fine line between ‘regular’ and ‘continuous’. Any risks identified should continuously be assessed and mitigated, but compliance teams should regularly step back and consider whether the risk assessment accurately reflects the company’s position. Risk assessments should be updated (or at least updates considered) when there is any risk or structural change in the business, for example the acquisition of a new subsidiary.

  1. In practice, how do authorities assess risk assessments?

Authorities will be unlikely to look at the risk assessment in isolation, they are more likely to consider the compliance programme as a whole and whether it is truly risk-based. They will want to understand the process and results of the risk assessment, and the extent to which the compliance programme has been designed and enhanced in line with the risk assessment. They will want to see clear documentation showing this process and may want to interview those owning the process and those involved day-to-day. Clearly, if the review is in the context of an alleged issue, there will be focus on whether the risk assessment process identified the relevant risks (and if not whether it ought to have done).

  1. How can risk assessments be conducted remotely?

Remote working has both positive and negative implications for risk assessments. Ideally, risk assessments will be informed at least in part by face-to-face conversations and site visits. This is particularly important when expanding into new regions and acquiring new subsidiaries. That said, risk assessments can be conducted remotely and face-to-face meetings/data collection and analysis can be done virtually. By reducing travel costs and time, a company can invest in engaging with a broader range of stakeholders and jurisdictions.

  1. If a company has not yet put in place a risk assessment, to what extent should it be conducting the risk assessment retrospectively?

Companies need to emphasise looking at the current and future state of the business; a risk assessment is not a retrospective investigation but a prospective risk analysis. However, risk assessments should be informed by previous issues or controls weaknesses identified.

  1. Should or can risk assessments be conducted under legal privilege?

In many jurisdictions general risk assessments will not be covered by legal privilege as the underlying facts or risks facing the company are not privileged. If a risk assessment is conducted by external counsel, certain documents may be potentially privileged, but the company may choose to waive that privilege and provide the risk assessment to regulators to gain cooperation credit.

In some contexts, a company may wish to maintain arguments as to privilege regarding its risk assessment. For example, where a company assesses ABC risks in a new subsidiary in a high risk market, or in a region where ABC issues have arisen. In these scenarios, a line needs to be drawn between a general risk assessment and an investigation: where a company is conducting an investigation, it is likely to want to have the option of asserting privilege.

  1. Should a risk assessment be global or local?

A risk assessment should be global and local. A company will need an overall view of risk so that it can deploy resources appropriately. However, companies will also want to understand at a more granular level where risks arise in particular regions, and in some circumstances an update to a risk assessment will be driven by entering into a new region or market.

The purpose of this communication is to provide general information of a legal nature. It does not contain a full analysis of the law nor does it constitute an opinion of any Norton Rose Fulbright entity on the points of law discussed. You must take specific legal advice on any particular matter which concerns you. If you require any advice or further information, please speak to the authors.