Risk Assessments

A Guide for Sustainable Entrepreneurs

SUSTAINABLE ENTREPRENEURSHIP PROJECT

Dr. Alan S. Gutterman


Risk Assessments: A Guide for Sustainable Entrepreneurs

Published by the Sustainable Entrepreneurship Project (www.seproject.org) and copyrighted © 2017 by Alan S. Gutterman. All the rights of a copyright owner in this Work are reserved and retained by Alan S. Gutterman; however, the copyright owner grants the public the non-exclusive right to copy, distribute, or display the Work under a Creative Commons Attribution-NonCommercial-ShareAlike (CC BY-NC-SA) 4.0 License, as more fully described at http://creativecommons.org/licenses/by-nc-sa/4.0/legalcode.

About the Project

The Sustainable Entrepreneurship Project (www.seproject.org) engages in and promotes research, education and training activities relating to entrepreneurial ventures launched with the aspiration to create sustainable enterprises that achieve significant growth in scale and value creation through the development of innovative products or services which form the basis for a successful international business. In furtherance of its mission the Project is involved in the preparation and distribution of Libraries of Resources for Sustainable Entrepreneurs covering Entrepreneurship, Leadership, Management, Organizational Design, Organizational Culture, Strategic Planning, Governance, Corporate Social Responsibility, Compliance and Risk Management, Finance, Human Resources, Product Development and Commercialization, Technology Management, Globalization, and Managing Growth and Change. Each of the Libraries includes various Project publications such as handbooks, guides, briefings, articles, checklists, forms, videos and audio works and other resources; management tools such as checklists and questionnaires, forms and training materials; books; chapters or articles in books; articles in journals, newspapers and magazines; theses and dissertations; papers; government and other public domain publications; online articles and databases; blogs; websites; and webinars and podcasts.

About the Author

Dr. Alan S. Gutterman is the Founding Director of the Sustainable Entrepreneurship Project and the Founding Director of the Business Counselor Institute (www.businesscounselorinstitute.org), which distributes Dr. Gutterman’s widely-recognized portfolio of timely and practical legal and business information for attorneys, other professionals and executives in the form of books, online content, webinars, videos, podcasts, newsletters and training programs. Dr. Gutterman has over three decades of experience as a partner and senior counsel with internationally recognized law firms counseling small and large business enterprises in the areas of general corporate and securities matters, venture capital, mergers and acquisitions, international law and transactions, strategic business alliances, technology transfers and intellectual property, and has also held senior management positions with several technology-based businesses including service as the chief legal officer of a leading international distributor of IT products headquartered in Silicon Valley and as the chief operating officer of an emerging broadband media company. He received his A.B., M.B.A., and J.D. from the University of California at Berkeley, a D.B.A. from Golden Gate University, and a Ph.D. from the University of Cambridge. For more information about Dr. Gutterman, his publications, the Sustainable Entrepreneurship Project or the Business Counselor Institute, please contact him directly at [email protected].

Risk Assessments

Setting the Stage

All companies, regardless of their size and the industries in which they operate, are facing greater challenges with respect to identifying and managing the internal and environmental risks that are related to their day-to-day activities. While larger companies are particularly focused on the risks associated with corporate governance issues, founders and executives everywhere should be concerned about the potential adverse impact of natural disasters, litigation or government investigations, physical infrastructure and facilities risks, terrorist attacks, unforeseen changes in customer requirements, the entry of new competitors or introduction of new technologies, credit and market risks, breakdowns in internal controls, and security breaches that can lead to financial losses and reputational damage. All this means that companies must integrate risk management into their overall strategic business planning effort to reduce and manage uncertainties in the environment in which they operate. In order to do this, companies need a formalized approach to risk management, systems and programs that have come to be known as “enterprise risk management”, or “ERM”. ERM programs, which often include compliance aspects or are implemented in conjunction with a separate but related compliance program, have been mandated or highly recommended by federal and state laws and regulations, federal sentencing guidelines, listing standards required by national securities exchanges, credit agencies, directors’ and officers’ liability insurance carriers and accounting and audit review standards. Companies must also embrace risk assessment processes that allow them to benchmark, or compare, the risk areas and compliance activities of their company against firms of similar size engaged in comparable operational and business activities. The output of these processes then becomes the basis for designing effective compliance programs and setting operational priorities for everyone in the workplace.

Key Topics Covered

Key topics covered in this Guide include the following:

Enterprise risk management

The importance and definitions of risk assessments

Best practices for conducting risk assessments

Activities in the risk assessment process

Choosing between in-house risk assessments or outsourcing

Risk management techniques for emerging companies

Learning Objectives

After reading this Guide, you should be able to:

1. Identify and understand the risks that are the greatest concerns for corporate executives.

2. Recognize factors that are strong indicators of increased risk.

3. Understand the basic principles of enterprise risk management.

4. Explain operational risk and its various categories.

5. Explain the activities associated with an effective risk assessment process.

6. Understand and apply “best practices” for conducting risk assessments.

§1 Risk management—a corporate imperative

All companies, regardless of their size and the industries in which they operate, are facing greater challenges with respect to identifying and managing the environmental risks that are related to their day-to-day activities. It is becoming routine practice for larger companies to create a corporate risk manager position and to have that position report directly to the chief executive officer. Surveys indicate that risk management will continue to be a major concern for corporate executives in the years to come and the areas that are of most concern seem to fall into the following categories:

Corporate governance issues, including the impact of the federal Sarbanes-Oxley Act of 2002 (“Sarbanes-Oxley”) and the growing interest and active intervention in corporate governance among specific states in the United States and in foreign countries.1 In addition to the costs of actual liability for violation of corporate governance laws and regulations, companies are being forced to invest substantial amounts in compliance programs in order to satisfy the requirements of financial exchanges and business partners who themselves are heavily regulated.

Natural disasters (e.g., hurricanes, flooding and earthquakes) in the United States and in foreign countries where companies have substantial assets and/or are engaged in a high volume of business activities.

Higher levels of litigation that can result not only in liability for claims made against a company but also in substantial additional expenses to defend against the lawsuits even if the company is ultimately found not to be liable. Companies are being sued for all sorts of potential claims ranging from products liability to mismanagement of employee benefit plans and the number of active lawsuits that larger companies may be defending at any point in time generally runs into the hundreds.

Physical infrastructure and facilities risks, including the rising costs of maintaining aging facilities and the potential damage to products, property and humans that may occur as the company operates over public roads and railways.

Governmental regulation, apart from the corporate governance issues referred to above, that carries higher costs of compliance which will ultimately cause companies to raise the prices of their products and services and risk loss of market share to competitors.

The list above is by no means all-inclusive and companies must also anticipate the possibility of terrorist attacks, unforeseen changes in customer requirements and the entry of new competitors or introduction of new technologies. In addition, as companies do more and more business outside of the United States they are exposed to local risks in each foreign country where they are operating including a unique set of laws and regulations and the possibility that changes in the political environment will have a negative impact on foreign companies. Finally, while new communications technologies have revolutionized the way that business is conducted they also create new potential hazards—the risk that a business can be shut down by natural disasters that disable the communications infrastructure and potential liability for theft of personal information that has been entrusted to companies for safekeeping.

1 For further discussion of the Sarbanes-Oxley Act of 2002 and corporate governance challenges in general, see “Governance: A Library of Resources for Sustainable Entrepreneurs” prepared and distributed by the Sustainable Entrepreneurship Project (www.seproject.org).

Fortunately the increase in risk has been accompanied by the development of new tools to manage those risks. Even small companies can establish systems to collect and analyze information regarding potential events that may result in losses, and insurance companies are working with their customers on enterprise risk management (“ERM”), which is discussed in more detail below. In fact, a number of providers offer in-person and online courses on various aspects of ERM and companies should seriously consider having all of their top managers participate on a regular basis. Companies can also purchase sophisticated software tools that purport to provide integrated solutions for internal audits, financial controls management, risk management, information technology and governance/compliance. Among other things, the software allows companies to document, track and report on compliance policies and procedures and establish and maintain a standard library of industry-specific laws and regulations. Viewed properly, risk management is part of the company’s overall strategic business planning effort to reduce and manage uncertainties in the environment in which the company operates.

§2 Enterprise risks and risk management

No business is without some sort of risk and overcoming those risks is the key to achieving an acceptable return on investment of capital, technology and human resources. Higher levels of risk drive investors to expect greater risk-adjusted returns in exchange for providing capital to the business. The risk profile for each company is different; however, commentators have suggested that the range of risks confronting an enterprise may appear within an extensive list that includes the following, in no particular order: financial markets disruption; credit; interest rate; capital; human resources; transactional; data protection and privacy; legal; enforcement actions by federal or state criminal authorities; Foreign Corrupt Practices Act; governmental investigations; regulatory and compliance requirements; cyberattacks; information technology; business continuity and disaster planning; operational; supply chain; financial disclosure; document retention policies and practices and disclosure (obstruction of justice or civil contempt); executive misconduct or negligence (personal and/or professional); brand; reputational; vendors; business partners; third party service providers; customers; and environmental.2 The scope of the potential risks to a company above should illustrate why companies need a formalized approach to risk management, systems and programs that have come to be known as “enterprise risk management”, or “ERM”. ERM programs, which often include compliance aspects or are implemented in conjunction with a separate but related compliance program, have been mandated or highly recommended by federal and state laws and regulations, such as Sarbanes-Oxley and the Dodd-Frank Wall Street Reform and Consumer Protection Act; federal sentencing guidelines; listing standards required by national securities exchanges; credit agencies; directors’ and officers’ liability insurance carriers; and accounting and audit review standards. In many cases, companies are required, or strongly urged, to create a separate board-level risk management committee and appoint a chief risk officer, a position discussed further below.

2 G. Goldberg and M. McNamara, Effective Enterprise Risk Management and Crisis Management: Roles and Responsibilities of the Board and Management (August 20, 2012), https://www.dentons.com/en/insights/alerts/2012/august/20/effective-enterprise-risk-management-and-crisis-management

ERM has been conceived as a comprehensive solution to risk management that requires that all strategic, management and operational tasks of an organization be enabled through projects, functions, and processes so that those tasks are aligned to a common set of risk management objectives. ERM addresses various types of risk exposures including3:

Hazard risk: risks related to accidental losses, such as workplace injuries, liability torts, property damage, and natural disasters

Financial risk: risks related to financial activities, such as pricing, asset valuation, currency fluctuations, and liquidity

Operational risk: risks related to operations, such as supply chain, customer satisfaction, product failure, or loss of key personnel

Strategic risk: risks related to an organization’s long-term goals and management, such as partnerships, mergers, and acquisitions

Reputational risk: risks related to the trustworthiness of the business (damage to a firm's reputation can result in lost revenue or destruction of shareholder value)

Compliance risk: risks related to violations of or nonconformance with laws, rules, regulations, prescribed practices, internal policies and procedures, or ethical standards.

Apart from legal and regulatory requirements, companies have recognized that ERM can be deployed as an essential business management tool to assess and analyze business and activities on a risk-adjusted basis; engage in sound strategic planning and financial management, which requires that all risks of every line of business and activity be assessed and balanced against profitability; and recognize and prepare for the interdependency of events.4 The first step in creating an ERM program is conducting an enterprise-wide risk identification and assessment program, preferably undertaken by an independent third party and with the intent that the assessment process would be continuously updated on a regular basis. The goal of the risk assessment, which is discussed in more detail below, is to create a solid foundation for designing an ERM program that is aligned with the most material risks confronting the organization. Once the assessment has been completed the results should be reviewed by the board of directors and the senior management of the company and specialists should be assigned to develop a proposal for the ERM program. The proposal should be reviewed by the entire board and senior management and approval of the program should be accompanied by a commitment to provide the resources necessary for the program to be successful. At this point the ERM infrastructure should also be established, starting with allocation of risk topics among committees of the board and continuing with the appointment of a chief risk officer and creation of an ERM committee that will include senior representatives from each of the main functional groups of the company and the company’s various business units.

3 Risk Managers are from Mars, EHS Professionals are from Venus: The EHS Professionals’ Role in ERM (California State University Risk Management Authority).

4 G. Goldberg and M. McNamara, Effective Enterprise Risk Management and Crisis Management: Roles and Responsibilities of the Board and Management (August 20, 2012), https://www.dentons.com/en/insights/alerts/2012/august/20/effective-enterprise-risk-management-and-crisis-management.

§3 --Chief risk officer

Lee and Shimpi noted that enterprise risk management (“ERM”) has emerged as an important and essential management practice and a recognized strategic discipline and that organizations have created ERM-specific roles, responsibilities and structures, notably the position of “chief risk officer” (“CRO”) that has taken its place along with other members of the C-suite.5 Lee and Shimpi argued that the CRO has become instrumental in assuring that the organization has processes in place so that it complies with the very much heightened risk management expectations of shareholders, regulators, and even elected officials and attorneys general, and in developing and introducing an integrative risk management framework that helps the organization mitigate risks and allocate capital to build shareholder value with a full understanding of both the positive and negative potential of the risks involved. Specific duties and responsibilities of the CRO generally include central oversight of the organization’s risk assessment and risk appetite; familiarizing the organization, its shareholders, regulators and rating agencies with the ERM program; implementing a consistent, integrated risk management framework throughout the company; managing that program with a particular emphasis on operational risks; and developing ways to mitigate and finance risk within the organization’s larger business strategies. There are several different strategies that companies use with respect to the reporting obligations of the CRO position. The most popular approach is for the CRO to report to the CEO, although many companies have the CRO report to the CFO due to the fact that many of the risk factors that a business must face and overcome are finance-related. A smaller group of companies have opted to have the CRO report directly to the board of directors or the board-level committee responsible for risk management. Even if the CRO’s first reporting obligation is to another member of the C-suite, the compliance and risk management committee should be vested with explicit authority to oversee the activities of the CRO and his or her support group and should carefully monitor the CRO’s relationship with other members of the senior management team, operating groups, finance, legal and human resources. Lee and Shimpi commented that the most successful CROs forge close relationships with the internal audit function to gather information about the effectiveness of existing risk management programs and with the planning function as a means for integrating risk assessment into the development of the company’s future business strategies. The CRO should work closely with the company’s general counsel and other members of the in-house legal team to ensure that potential legal risks and liabilities are integrated into the ERM program and that the program operates in a manner that mitigates liability and risk exposure. The general counsel should be able to analyze best practices and provide advice to senior management and the members of the board-level compliance and risk management committee on how the ERM program should be structured. In addition, the general counsel can be a valuable resource in identifying, assessing, prioritizing and managing legal risks and liabilities. The general counsel is also responsible for advising the board of directors, and the board’s compliance and risk management committee, on their duties and responsibilities with respect to oversight of risk management.6

5 C. Lee and P. Shimpi, “The Chief Risk Officer: What Does It Look Like and How Do You Get There?”, Risk Management Magazine, http://cf.rims.org/Magazine/PrintTemplate.cfm?AID=2855

§4 --Management risk committee

A common recommendation of risk management consultants is that companies form an enterprise-wide risk management committee ("ERM Committee") below the board level that should include senior executives from all non-line areas (e.g., IT, finance, audit, legal, compliance, human resources, public/investor relations), and the primary business line areas (e.g., heads of manufacturing, operations, geographic heads or business lines, depending on how the company is organized). Goldberg and McNamara explained that this approach recognized and accounted for the interdependency of products, geographies and business lines and allowed the ERM Committee to fulfill the key role of making sure that all of the risks faced by the company are identified, analyzed and prioritized, and that internal controls and procedures, many of which impact multiple departments and/or business lines, are implemented in order to manage and mitigate those risks based on frequency and severity.7 The ERM Committee should be chaired by the CRO and the CEO should also be a member of the committee. The ERM Committee should report directly to the board-level compliance and risk management committee, which itself should be responsible for oversight of the ERM Committee. Goldberg and McNamara offered several recommendations relating to the launch and ongoing activities of the ERM Committee8:

At initial meetings, each member of the committee (or senior officers from the area) should make a formal presentation assessing and identifying risks in the particular area for which he or she is responsible, and explaining what processes and controls are in place within that area to mitigate and manage the risks identified. Recommendations regarding prioritization and tolerance should also be made along with an assessment of how risks in their area interrelate with risks identified by other committee members.

The executives in the divisions should engage in a Sarbanes-Oxley-like financial reporting certification process to assure that they and their divisions take the process seriously and that they fully understand that they will be held accountable for risk identification and management within the assets they oversee.

Once the initial meetings have identified, assessed and discussed controls in place to manage and mitigate risk, a risk prioritization should be undertaken to determine the frequency of subsequent presentations.

The committee should review the results of the initial risk assessment to make recommendations regarding important topics for future assessments and implement a holistic approach to prioritization, tolerance and mitigation.

The ERM Committee should review new products, geographic expansion or business initiatives to assess the risks associated with them and determine what changes should be made to the company’s risk assessment, management and mitigation programs.

6 G. Goldberg and M. McNamara, Effective Enterprise Risk Management and Crisis Management: Roles and Responsibilities of the Board and Management (August 20, 2012), https://www.dentons.com/en/insights/alerts/2012/august/20/effective-enterprise-risk-management-and-crisis-management. See also L. Brown, The Chief Risk Officer: your business ally (Deloitte: A Middle East Point of View, November 2010) (noting that critical success factors for businesses looking to appoint a CRO included “tone from the top”, providing direct access to the CEO and the board; viewing the CRO as an enabler; mandating risk ownership; and providing sufficient resources to execute).

7 G. Goldberg and M. McNamara, Effective Enterprise Risk Management and Crisis Management: Roles and Responsibilities of the Board and Management (August 20, 2012), https://www.dentons.com/en/insights/alerts/2012/august/20/effective-enterprise-risk-management-and-crisis-management

8 Id. See also P. Sobel and K. Reding, “Aligning Corporate Governance with Enterprise Risk Management”, Management Accounting Quarterly, 5(2), 29 (including guidance on risk management responsibilities; organizational structure of an executive risk committee; financial outcomes and measures of ERM; and aligning governance with ERM).

§5 --ERM and sustainability-related risks

A joint report published as a preliminary draft in February 2018 by the Committee of Sponsoring Organizations of the Treadway Commission (“COSO”) and the World Business Council for Sustainable Development (“WBCSD”) included a telling comparison of the results of surveys conducted by the World Economic Forum (“WEF”) that showed that the prevalence of risks related to environmental, social and governance (“ESG”) issues steadily increased from 2008 to 2018 while the more traditional economic, geopolitical and technological risks became less dominant.9 For example, in 2008 only one societal-related risk (“pandemics”) was reported to be among the top five risks in terms of impact in that year’s “Global Risks Report”; however, by 2018 four of the top five risks in the report were either environmental- or social-related: extreme weather events, water crises, natural disasters and failure of climate change mitigation and adaptation.10 Apart from the WEF survey, news reports have made it clear that companies all around the world have been suffering severe, and sometimes enterprise-ending, adverse financial and/or reputational impacts from events commonly placed under the umbrella of environmental and social responsibility, including product safety recalls, worker fatalities, the discovery of illegal child labor in their supply chains, pollution and delays in the delivery of materials due to climate-related disasters suffered by suppliers.

9 Enterprise Risk Management: Applying enterprise risk management to environmental, social and governance-related risks (Committee of Sponsoring Organizations of the Treadway Commission and the World Business Council for Sustainable Development, Preliminary Draft published February 2018). COSO has been a recognized leader in the development of enterprise risk management frameworks that companies can use to implement effective ERM systems.

10 The two main technological risks in terms of likelihood were cyberattacks and data fraud or theft, each of which comes with substantial reputational and financial risk to companies, particularly when the incident involves compromise of consumer information.

For COSO and the WBCSD all of this was clear evidence that companies needed to make fundamental changes in their ERM strategies and systems to ensure that they were effectively expanded to include ESG-related risks. From their perspective this means companies must identify and prioritize a new set of risks and build them into their ERM strategies, processes and practices, and also realize that there are new opportunities associated with dealing with these risks that can create real value for their investors and other stakeholders. COSO has defined ERM broadly as “the culture, capabilities and practices integrated into strategy and execution that organizations rely on to manage risk and in creating, preserving and realizing value”. COSO and the WBCSD illustrated their point as follows11:

Environmental issues include energy use and efficiency, climate change impacts and use of ecosystem services. Associated risks include higher-than-average energy costs that cause companies to miss profit targets and greater frequency of extreme weather events that adversely impact operations; however, companies can take advantage of opportunities such as an internal carbon pricing scheme to reduce greenhouse gas emissions and energy costs and using byproducts in waste processes to create new income streams in adjacent industries.

Social issues include employee engagement, labor conditions in the supply chain and poverty and community impacts. Associated risks include increased costs and missed profit targets due to low engagement and high turnover and challenges with local governments to maintain operating permits due to lack of support for local communities; however, companies that can successfully engage with employees and create a diverse workforce will enjoy greater loyalty among their workers and be able to attract top talent and companies that can provide education to members of the local community can improve their standard of living, build stronger bonds with the community and strengthen opportunities to sell goods within the community and recruit local workers.

Governance issues include codes of conduct, accountability and transparency and disclosures. Associated risks include negative company performance due to poor board oversight and reduced access to financing due to limited transparency; however, proactive embrace of ESG issues and risks as a focal point of the board’s oversight responsibilities will satisfy the new expectations of institutional investors who are demanding that their companies consider ESG-related risks and opportunities as core to their business.

COSO and the WBCSD expressed concern that while companies appear to understand the importance of ESG-related risks, they have been slow to integrate them with traditional risks. For example, they pointed to evidence of significant misalignment between risks deemed material in sustainability reports prepared by companies and the risks that the companies disclosed in their traditional financial and legal reports. Among the possible reasons for this misalignment were the following12:

The challenges of quantifying ESG-related risks in monetary terms, due to the fact that they were often long-term risks with uncertain impacts over an unknown time period. The inability to place a “cash value” on these risks makes it difficult for companies to prioritize them and determine the amount of resources that need to be allocated in order to manage and mitigate those risks.

A lack of knowledge of ESG-related risks and poor communication and collaboration between risk and sustainability professionals, a situation that has often led to ESG-related risks being viewed as separate from and less important than traditional strategic, operational and financial risks.

The lack of a mainstream practice for integrating reporting of ESG-related risks into traditional financial reports and the difficulties of determining which of those risks is sufficiently material to require reporting.

11 Enterprise Risk Management: Applying enterprise risk management to environmental, social and governance-related risks (Committee of Sponsoring Organizations of the Treadway Commission and the World Business Council for Sustainable Development, Preliminary Draft published February 2018), 4.

12 Id. at 7.

The problems mentioned above are being addressed in a number of ways including organizational structures that embed sustainability throughout the organization, rather than in a separate unit, and continuous improvements to reporting regimes that make it easier for companies to align strategic, operational, financial and ESG-related risks in their disclosures to regulators and other stakeholders. In 2017 COSO released an initial draft of an updated framework for ERM that reflected the evolution of enterprise risk management and the need to integrate ERM with strategy and performance and incorporate ESG-related risks and opportunities. The framework consisted of the following five components and associated principles that included establishing governance for effective risk management, understanding the business context and strategy, identifying, assessing and prioritizing ESG-related risks, responding to ESG-related risks, reviewing and revising ESG-related risks and, finally, communicating and reporting on ESG-related risks. COSO and the WBCSD argued that integrating ESG-related risks into their ERM would allow companies to enhance their resilience, develop a common language for articulating risk, improve resource deployment, enhance pursuit of opportunity, realize efficiencies of scale and improve transparency and disclosure to address the expectations of investors.13

§6 --Board-level risk management committee

More and more companies are creating board-level risk management committees, often combining risk management with oversight of compliance programs and activities. Companies may also place board-level groups assigned to compliance and/or risk management as subcommittees of another standing committee of the board, such as the audit committee.14 In a December 2016 report on how board committees among S&P 500 companies had evolved to address new challenges, the EY Center for Board Matters reported that risk management committees generally were responsible for making recommendations for the articulation and establishment of the company’s overall risk

13 Id. at 12-13.
14 For further discussion of compliance and risk management committees, see “Compliance and Risk Management Committee” in “Governance: A Library of Resources for Sustainable Entrepreneurs” prepared and distributed by the Sustainable Entrepreneurship Project (www.seproject.org).

tolerance and risk appetite; overseeing enterprise-wide risk management to identify, assess and address major risks facing the company, which may include credit, operational, compliance/regulatory, interest, liquidity, investment, funding, market, strategic, reputational, emerging and other risks; and reviewing and discussing management’s assessment of the company’s enterprise-wide risk profile. The functions of a risk management committee might overlap with those of the finance and compliance committees. Sectors most likely to have a risk committee included financial services (almost 75% of the companies in that sector had a risk committee), industrials, utilities, consumer discretionary, information technology and consumer staples.15 A Global Compact publication recommended that the purpose statement of a risk management committee should include ensuring that the risks and opportunities arising from current and emerging corporate sustainability trends are included and addressed in the company’s ERM program and that the board is informed of material issues relating to current and emerging economic, social and environmental trends.16 With respect to the duties and responsibilities of a board-level risk management committee, Deloitte suggested that the committee should be concerned with overseeing the company’s risk exposures and risk management infrastructure; addressing risk and strategy simultaneously, including consideration of risk appetite, and advising the entire board on risk management strategy; monitoring risks; and overseeing and supporting the efforts of the CRO, the company’s management risk committee and other groups within the organization formed to monitor risks and implement risk programs.17 Deloitte noted that it was important to determine how the risk committee will stay informed on developments in risks so it can evolve in its response to them and suggested that such committees develop procedures to ensure that members stay abreast of leading practices as risks evolve and understand the new risks associated with new businesses and locations and how changes in regulations increase or decrease risk. The committee should also benchmark risk governance practices of peers, remain current on risk-related disclosure requirements and conduct annual evaluations of committee performance. Among the items in a comprehensive list of duties and responsibilities with respect to risk management included in the committee charter of Brierty were the following:

Maintaining an up-to-date understanding of areas where the company is, or may be, exposed to risk and compliance issues and seek to ensure that management are effectively managing those issues;

Providing input to the board and senior management regarding the company’s risk profile and tolerance;

Assessing and monitoring appropriate risk management and internal control systems to ensure that risk is managed at levels determined to be acceptable by the board;

15 http://www.ey.com/Publication/vwLUAssets/EY-board-committees-evolve-to-address-new-challenges/$FILE/EY-board-committees-evolve-to-address-new-challenges.pdf
16 The Essential Role of the Corporate Secretary to Enhance Board Sustainability Oversight: A Best Practices Guide (United Nations Global Compact, September 2016).
17 http://www.deloitte.com/view/en_US/us/Services/additional-services/governance-risk-management/67caded005014310VgnVCM3000001c56f00aRCRD.htm

Reviewing the adequacy and effectiveness of the company’s policies and procedures which relate to governance, risk management and compliance and updating these policies and procedures where required;

Making recommendations to the board on the appropriate risk and risk management reporting requirements to the board and the committee;

Providing advice to the board and the CEO on relevant corporate level performance indicators and targets for risk management and compliance activities;

Undertaking an annual review of risk management policy and underlying strategies and procedures to ensure its continued application and relevance;

If considered necessary by the committee, establishing a periodic and independent review of the implementation and effectiveness of the risk management policy to provide objective feedback to the board as to its effectiveness;

Receiving and considering reports on risk management and compliance programs and performance against policy and strategic targets;

Providing the board with advice and recommendations regarding the appropriate material and disclosures to be included in the section of the company’s annual report which relates to the company’s risk management and compliance policies;

Ensuring that the board, before it approves the company’s financial statements for any financial period, is provided with declarations from the CEO and the CFO that in their opinion, the financial records of the company have been properly maintained and that the financial statements comply with the appropriate accounting standards and give a true and fair view of the financial position and performance of the company and that this opinion has been formed on the basis of a sound system of risk management and internal control which is operating effectively;

Reviewing the adequacy of the company’s insurance coverage; and

Ensuring that management has embedded an appropriate risk management culture in the organization and that risk management is an integral part of the company’s decision-making process.

A Global Compact publication recommended that the duties and responsibilities of committees overseeing risk management include:18

Ensuring that sustainability impacts, trends, risks and opportunities are considered in business continuity and disaster recovery plans

Considering the impact of sustainability trends, risks and opportunities on the company’s business, including the impacts on its supply chain, customers, business partners, operating context and overall industry in the short, medium and long-term

Understanding the opportunities by which sustainability investments can mitigate or influence corporate risks, such as reputation, regulatory, physical, market, strategic, legal, operating risks

Ensuring sustainability risk management findings are factored into corporate strategy development

18 The Essential Role of the Corporate Secretary to Enhance Board Sustainability Oversight: A Best Practices Guide (United Nations Global Compact, September 2016).

Reporting has become an increasingly important aspect of ERM as companies have been pushed to expand the frequency and depth of their disclosures regarding sustainability and governance topics. The compliance and risk management committee should be charged with understanding and approving management’s definition of the compliance- and risk-related reports that the committee should receive and should be prepared to respond to such reports in order to reinforce the importance that the committee places on the reports and their content. The committee members should also be active participants in the review and approval of disclosures in the company’s financial statements and other public statements relating to compliance and risks, including disclosures by the entire board in the company’s public statements regarding the steps that the board and the committee have taken to ensure that the company’s compliance programs, compliance audits, risk assessments, responses and interventions have been effective. While creation of a standalone committee at the board level to focus on risk management issues and initiatives is growing in popularity, it is by no means a universally accepted approach. Each company must make its own decision, and Deloitte has suggested that the following factors and questions should be considered when deciding whether a risk committee at the board level is appropriate:19

The needs of the stakeholders: The board should assess the quality of the current risk governance and oversight structure, the risk environment, and the future needs of the organization to determine how best to meet the needs of all of the company’s stakeholders, not just investors.

Alignment of risk governance with strategy: Having a risk-focused committee at the board level increases the likelihood that the board, management and business units will be aligned in their approach to risk and strategy, thus promoting better risk governance and ensuring that risk oversight is value-adding.

Oversight of the risk management infrastructure: The decisions about the role of the board-level committee, if any, should be made in the context of larger questions regarding who will be in charge of the people, processes and resources of the risk management program. Assuming that a chief risk officer position will be created, it is important to be clear about reporting obligations for that position (e.g., to the risk committee, the entire board or the CEO).

Scope of risk committee responsibilities: Before a board-level committee is formed, decisions must be made about the scope of its responsibilities. In some cases the committee may be responsible for overseeing all risks; however, the board may decide that certain risks should be primarily addressed by other committees (e.g., the audit committee should maintain oversight of risks associated with financial reporting) and that the purview of the risk committee should be limited.

Communication among committees: Particularly when the scope of the responsibilities of the risk committee is to be limited as mentioned above, the board must clearly define boundaries among all of the board committees and establish communication channels to be sure that activities do not overlap and that important risks do not “fall between the cracks”.

19 http://www.deloitte.com/view/en_US/us/Services/additional-services/governance-risk-management/67caded005014310VgnVCM3000001c56f00aRCRD.htm

§7 Importance of risk assessments

Risk assessment refers to the company’s process for identifying and addressing the business risks that it faces in conducting its activities. Such an assessment must address all of the threats to management’s ability to achieve the company’s objectives, including those in the areas of operations, financial reporting and compliance with laws and regulations. The process of risk assessment includes identifying the risks, estimating the significance of the risks, and then selecting methods to manage them. Auditors and others have identified a number of factors that they consider strong indications of increased financial risk. Management should therefore be aware of their existence and strengthen its control mechanisms when the following factors exist:

Changes in the organization’s regulatory or operating environment;

Changes in personnel;

New or revamped information systems;

Rapid growth of the organization;

Changes in technology affecting production processes or information systems;

New business models, products or activities;

Corporate restructurings;

Expansion or acquisition of foreign operations; and

Adoption of new accounting principles or changing accounting principles.

There are a number of different definitions of “risk.” For example, Webster’s Collegiate Dictionary refers to risk as the “possibility of loss or injury” and the Project Management Institute has defined the term as an uncertain event or condition that, if it occurs, has a positive or negative effect on the company impacted by the event or condition.20 A common element in both definitions is the inability to predict with certainty whether an identified risk will indeed occur and the difficulty of determining the magnitude and timing of any loss or injury. While some risks may be impossible to manage or mitigate, in general risk assessment assumes that it is worthwhile to attempt to identify and analyze the risks confronting a company and invest resources in strategies that will hopefully provide the company with some degree of control over the impact that the risks might have on its operations and survival. Risk assessment is primarily concerned with what are generally referred to as operational risks (also sometimes called transaction risks), which are risks of loss or injury to the company from inadequacies or failures relating to processes, systems or people (e.g., fraud or error). Operational risks can arise from internal and external factors and can be found in every major business activity of the company. Operational risks may be broken down into various categories such as credit and market risks, reputation risks, strategic risks and compliance risks. For example, credit and market risks include an unforeseen adverse decline in the liquidity of a key customer that must be addressed by changes in underwriting policies and collection systems to avoid significant losses and higher costs

20 Project Management Institute, A Guide to the Project Management Body of Knowledge (3d ed. 2004).

of servicing that customer. Reputation risks include the possibility of security breaches that result in the loss of confidential information and the loss of confidence of customers and other business partners. Strategic risk increases when the company fails to invest in the resources necessary for collection and analysis of all of the information needed to make proper and informed decisions about major new investments. Finally, compliance risks include failure to comply with legal and regulatory requirements applicable to the company’s products and services, which can lead to civil and/or criminal penalties. Rather than posit a definition of “risk assessment,” it is more useful to focus on the various activities associated with an effective risk assessment process:

Identify the risks that are most relevant to the company and develop a short description of the key characteristics of each risk so that it can be analyzed and strategies created for mitigating or eliminating it.

The identified risks should then be put through qualitative and quantitative analysis in order to determine which of those risks are most likely to occur and the potential impact of their occurrence on the company. For example, it may be highly likely that an identified type of loss may occur; however, the magnitude of the loss may be so small that the company decides not to invest heavily in prevention.

The company should make an attempt to define its “risk appetite” to determine which types of identified risks are most problematic for the company and thus appropriate targets for mitigation activities. A company’s risk appetite is the level of risk that is considered acceptable and may vary depending on the point of reference—financial, legal, operational or reputational.

The next step is risk mitigation, which involves developing compliance programs and internal controls designed to reduce risks to levels consistent with the company’s risk appetite. Assuming scarce resources, risk mitigation includes decisions about which areas of risk should be given the highest priority during a given period of time.

The final piece of a risk assessment program is establishing benchmarks for measuring the effectiveness of the company’s risk mitigation efforts and procedures for continuous risk assessment to identify and manage new risks that may arise as the activities of the company and its external environment change.

Certainly the primary goal of a risk assessment process is to identify and manage the risks that may confront the company and reduce the actual instances of loss or other injury to the company. In addition, however, the existence of a risk assessment process has become an essential element of overall compliance procedures. Risk assessment is an activity that complements the efforts of the company with regard to compliance audits and establishing and administering effective compliance programs. Risk assessment is a valuable tool for prioritizing compliance program initiatives and investment of resources in compliance (i.e., budgeting) and for creating a strategy for improving the effectiveness of compliance programs so as to reduce the “risk of loss” associated with material violations of laws and regulations. The presence of a risk assessment program is also an indicator of good faith efforts to comply with applicable laws and regulations that can be used in civil or criminal proceedings to avoid liability or reduce penalties imposed under the Sentencing Guidelines. For example, the Sentencing Guidelines effectively mandate

that organizations periodically assess the risk of criminal conduct and take appropriate steps to reduce the risk of criminal conduct identified through this process.21 Apparently the potential benefits of risk assessment have been embraced in the business community and periodic risk assessments are now commonplace activities in a majority of the larger companies based in the United States. A number of important questions must be considered and answered when designing a risk assessment program. For example, key risk areas must be identified and then an effort must be made to prioritize those risks to determine which areas should be addressed first and how much time and effort should be put into each of the areas that are placed on the list. The composition of the internal risk assessment team should also be carefully evaluated along with the question of whether the risk assessment process should be managed internally or turned over to a qualified outside party. The structure and sequencing of the risk assessment process must be decided upon and responsibility should be allocated among the participants for creating the necessary evaluation tools. In addition, of course, the form of the report that is the end product of the risk assessment should be agreed upon in advance and the report should be appropriate in scope and detail for several potential recipients including the board of directors and regulatory agencies. Finally, the frequency of the risk assessments should be decided upon and steps should be taken to ensure that responsible parties within the company stay abreast of new developments to ensure that the company’s risk assessment process continues to conform to the requirements of the Sentencing Guidelines and standards laid down by the courts and various federal and state regulatory agencies.
A proper risk assessment should focus on the entire range of legal and ethical risks confronting the company and should cover all of the laws and regulations, domestic and international, to which the company is subject as a result of its business activities. The goal of the risk assessment process is to identify and quantify the risk areas relating to the company and use that information to develop, administer and monitor compliance programs. In order for a risk assessment to be effective the tools described herein with respect to conducting a compliance audit must be used and the results thereof can be factored into the risk analysis. Companies may also perform internal audits; however, those audits are more limited than a full-blown risk assessment in that internal auditors concentrate on testing internal controls, particularly in the finance and accounting area, while the risk assessment is much broader. The results obtained by the internal auditors can and should be integrated into the overall risk assessment since the purpose of internal controls is similar to that of compliance programs and procedures. In fact, risk assessment is one of the essential elements of internal control along with the establishment of the control environment; control activities; accounting, information and communication systems; and self-assessment or monitoring. Public companies subject to Sarbanes-Oxley are expected to implement and administer a formal risk assessment process as part of their internal controls.

§8 Best practices for conducting risk assessments

21 USSG § 8B2.1(c).

As the number of companies conducting risk assessments has increased, notice can be taken of emerging best practices that can be used to design new programs and improve the effectiveness of programs that are already in place. One respected group with substantial experience in the risk assessment area has suggested the following guidelines:22

The risk assessment process should cover all areas in which there is a material risk of potential misconduct, including areas that are unique to the company’s industry as well as risks associated with failing to comply with all of the material federal, state and local laws and regulations applicable to the company’s business.

While the risk assessment process should be sufficiently broad to address all material risks it must also be done in context and recognize the limitations imposed by the company resources that are available for the assessment and for remedial measures.

The risk assessment process should include collection and analysis of relevant industry information and data regarding the company’s history with respect to the identified risk areas.

An attempt should be made to involve managers and employees from all levels within the company’s organizational structure since many risks, and solutions, are best identified at lower levels of the organization.

Each risk area should be given a measurement for “likelihood” and “severity” and an effort should be made to quantify each risk area to gauge the potential loss or injury to the company.

The risk assessment should be conducted in a defensibly objective manner and properly documented in anticipation of sharing the process and outcomes with regulatory authorities.

The risk assessment process should be institutionalized and assessments should be conducted on a regular basis.

The outcome of the risk assessment process should be used to benchmark the company’s compliance programs against the processes used by similar firms and the standards laid down by regulatory agencies and the courts.

Any deficiencies in the company’s compliance programs identified during the risk assessment process should be promptly addressed through remedial actions and procedures should be implemented to monitor and evaluate the effectiveness of such remedial actions.

§9 --Cover all major areas of potential misconduct

A proper risk assessment process should cover all major areas of potential misconduct, not just those areas that appear, at least initially, to have the greatest likelihood of a high-impact risk to the company. This means that in addition to identifying risks that are systematic to the “average company,” the parties conducting the assessment must also look at risks that are unique to the company’s industry as well as risks associated with failing to comply with all of the material federal, state and local laws and regulations applicable to the company’s business. In addition, the risk assessment must go beyond

22 The discussion is based on “Framework for Conducting Effective Compliance and Risk Assessments,” Association of Corporate Counsel InfoPAK (Sponsored by Corpedia, Inc.) (August 2008), 10-16.

the “letter of the law” to include ethical issues that might suddenly emerge as threats to the company’s overall image and reputation. Finally, when putting together the list of risk areas an effort should be made to predict risks that might reasonably arise at some point in the future due to foreseeable changes in the law or in attitudes regarding the acceptability of what might currently be considered “common” business practices.

§10 --Examine risk in the context of the company’s resources

While the scope of the risks that should be assessed should be quite broad, consideration must also be given to the actual context of the company’s resources and the ability of the particular company to acquire and deploy the resources necessary for preventing or mitigating risks in every possible area. For example, as part of the assessment process an examination should be made of the controls, processes and procedures that are currently in place to ensure compliance including the knowledge and abilities of those managers and employees responsible for compliance activities. If deficiencies are identified the assessment process must develop recommendations for improvement and a reasonable estimate of the costs associated with closing any gaps in the risk management framework of the company. This information is essential for making decisions about what remedial actions can and should be taken.

§11 --Use industry information and company history

When identifying and assessing risks and designing risk prevention and mitigation procedures, consideration should be given to available industry information and historical data on the company’s own experience with compliance issues and actual losses and damages. It is useful to know and understand the problems that have been faced by competitors and to evaluate the steps that they have taken to improve their compliance programs in specific areas since presumably the company is more likely to be confronted with similar problems at some point in the future. Data should be collected on actual compliance failures and on cases where competitors were able to avoid losses and damages after an initial surprise that uncovered a gap in their controls and procedures. Review of the company’s actual compliance history is important to understand what steps have already been taken to improve its controls and procedures since regulators will closely scrutinize what the company has done to prevent problems that have already arisen from arising again in the future.

§12 --Include managers and employees from all organizational levels

Participants from every level of the organizational structure of the company—executives, managers and employees—should be included in the risk assessment process to ensure that all relevant risks are identified and that sufficient information is collected and analyzed to evaluate the risks and design controls and procedures that will be accepted by the people most involved with the risk areas. This means identifying the leaders of all functional departments as well as those persons with responsibility for overseeing business units and project teams and making sure that they are actively involved in the risk assessment process. They should be sure that employees reporting to them have

opportunities to provide their input on areas of concern since many risks are best identified at lower levels of the organization. A variety of tools should be used to collect information including written surveys, individual interviews, workshops and focus groups. Another advantage of having a wide range of company personnel involved in the risk assessment process is that it allows the company to measure the level of employee knowledge regarding compliance issues and the rules and controls that have already been implemented in the company’s existing compliance programs. If the assessment reveals that employees are having trouble understanding the issues and rules that have been put in place, remedial action, such as increased training, can be taken.

§13 --Analyze both the impact and likelihood of the occurrence of a risk

Each risk should be analyzed to determine the potential impact on the company if an adverse event happens and the likelihood of the occurrence of an adverse event. For example, a particular event might be catastrophic to the company; however, the likelihood of occurrence may be extremely remote (e.g., a missile launched by a foreign government hits and destroys the company’s main manufacturing facility). On the other hand, a company that uses a large number of trucks to deliver its goods is quite likely to have costs for parking violations; however, this should not be a substantial loss for the company. Most companies that conduct risk assessments use some sort of weighting or rating system that quantifies both the “likelihood” and the “severity” of the various risks on the assessment list and this allows them to make informed decisions about where they should allocate their resources in the compliance area.

§14 --Quantify each risk area

In addition to measuring the “likelihood” and “severity” of each risk area, as described above, the risk assessment process should quantify each risk area to obtain a more precise measure of the potential loss or injury to the company. This facilitates the creation of a ranking of the risks confronting the company that can then be used to allocate financial resources and personnel toward bolstering internal controls and compliance programs. For example, if the quantified measure of a particular risk area is $1 million and allocation of $50,000 toward improved compliance activities in that area is likely to reduce the quantified measure to $300,000, then it would appear that the investment is worthwhile, although a comparison must obviously be made to similar proposals for other risk areas. Comparisons to quantified measures included in prior risk assessments can also be used to demonstrate how effective changes in compliance programs have been over a particular time period.

§15 --Document the outcome of the risk assessment process
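As an added illustration of the rating approach in §13 and the quantification and comparison in §14 above (example code added here, not part of the guide or its cited sources), the following risk register rates likelihood and severity on an assumed 1 to 5 scale, quantifies each risk in dollars, compares mitigation proposals by net benefit, ranks the risks and compares the result with a prior assessment. The risk names, ratings, dollar figures (including the $1 million to $300,000 for $50,000 case from §14) and the greedy budget rule are constructed assumptions.

```python
"""Risk register scoring, quantification and mitigation comparison.

Added example, not from the Sustainable Entrepreneurship Project guide.
The 1..5 rating scale, risk names, ratings, dollar figures and the greedy
budget rule are constructed assumptions used only for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

RATING_SCALE = range(1, 6)  # assumed scale: 1 = lowest ... 5 = highest


@dataclass
class Mitigation:
    name: str
    cost: float           # spend on improved controls or compliance activity
    residual_loss: float  # quantified measure of the risk after that spend

    def __post_init__(self) -> None:
        if self.cost <= 0 or self.residual_loss < 0:
            raise ValueError(f"{self.name}: cost must be positive, residual loss non-negative")


@dataclass
class Risk:
    name: str
    category: str           # e.g. credit/market, reputation, strategic, compliance
    likelihood: int         # 1 = extremely remote ... 5 = almost certain
    severity: int           # 1 = negligible ... 5 = catastrophic
    quantified_loss: float  # §14: quantified measure of potential loss, in dollars
    mitigations: List[Mitigation] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.likelihood not in RATING_SCALE or self.severity not in RATING_SCALE:
            raise ValueError(f"{self.name}: likelihood and severity must be 1..5")
        if self.quantified_loss < 0:
            raise ValueError(f"{self.name}: quantified loss cannot be negative")

    def rating(self) -> int:
        """§13 weighting: likelihood x severity, from 1 to 25."""
        return self.likelihood * self.severity


def net_benefit(risk: Risk, m: Mitigation) -> float:
    """Reduction in the quantified measure minus the cost of achieving it."""
    return (risk.quantified_loss - m.residual_loss) - m.cost


def best_mitigation(risk: Risk) -> Optional[Mitigation]:
    """The proposal with the largest positive net benefit, or None if none pays off."""
    worthwhile = [m for m in risk.mitigations if net_benefit(risk, m) > 0]
    return max(worthwhile, key=lambda m: net_benefit(risk, m)) if worthwhile else None


def rank_risks(risks: List[Risk]) -> List[Risk]:
    """Rank by quantified loss, using the §13 rating to break ties."""
    return sorted(risks, key=lambda r: (r.quantified_loss, r.rating()), reverse=True)


def allocate_budget(risks: List[Risk], budget: float) -> List[Tuple[str, str]]:
    """Fund at most one proposal per risk, best net benefit per dollar first.

    §14 requires each proposal to be compared with proposals for other risk
    areas; a greedy pass over all candidates is one simple way to do that.
    """
    candidates = [(net_benefit(r, m) / m.cost, r, m)
                  for r in risks for m in r.mitigations if net_benefit(r, m) > 0]
    candidates.sort(key=lambda c: c[0], reverse=True)
    funded: List[Tuple[str, str]] = []
    covered, remaining = set(), budget
    for _, r, m in candidates:
        if r.name not in covered and m.cost <= remaining:
            funded.append((r.name, m.name))
            covered.add(r.name)
            remaining -= m.cost
    return funded


def compare_with_prior(current: List[Risk], prior: Dict[str, float]) -> Dict[str, float]:
    """§14: change in quantified measure since the prior assessment (positive = improved)."""
    return {r.name: prior[r.name] - r.quantified_loss for r in current if r.name in prior}


# Constructed register: the first two entries are the §13 illustrations and the
# third carries the $1,000,000 -> $300,000 for $50,000 comparison from §14.
REGISTER = [
    Risk("Missile strike on main plant", "strategic", 1, 5, 20_000.0),
    Risk("Delivery fleet parking violations", "compliance", 5, 1, 15_000.0),
    Risk("Non-compliance in newly acquired foreign operations", "compliance", 3, 4,
         1_000_000.0, [Mitigation("Local compliance review and training", 50_000.0, 300_000.0),
                       Mitigation("Policy circulation only", 10_000.0, 950_000.0)]),
    Risk("Breach exposing confidential customer data", "reputation", 2, 4, 400_000.0,
         [Mitigation("Access control and monitoring upgrade", 120_000.0, 150_000.0)]),
]
PRIOR_ASSESSMENT = {"Non-compliance in newly acquired foreign operations": 1_500_000.0,
                    "Breach exposing confidential customer data": 400_000.0}

if __name__ == "__main__":
    for r in rank_risks(REGISTER):
        best = best_mitigation(r)
        print(f"{r.rating():>2}  ${r.quantified_loss:>12,.0f}  {r.name}  ->  "
              f"{best.name if best else 'no worthwhile proposal'}")
    print("funded within $200,000:", allocate_budget(REGISTER, 200_000.0))
    print("change since prior assessment:", compare_with_prior(REGISTER, PRIOR_ASSESSMENT))
```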

The methodology of the risk assessment, as well as the results and the remedial actions taken, should be carefully and clearly documented to create a record of the company’s good faith efforts to maintain and continuously improve its compliance programs and procedures. This record can be used as an affirmative defense in the event of a subsequent civil or criminal action and also provides guidance to company personnel on actions that should be taken to ensure compliance programs are run properly. It is particularly useful for the record to show how the company modified its compliance programs to address specific shortcomings identified during the risk assessment.

§16 --Conduct the risk assessment in a defensibly objective manner

The entire risk assessment process should be conducted in a manner that is defensibly objective in order for the results to be treated seriously by regulators and other stakeholders at some point in the future. Among other things, this means making sure that all applicable risks are identified and analyzed fairly and objectively without bias or any attempt to cover up a problem out of fear that disclosure may have an adverse impact on the finances and business of the company and/or the career of parties associated with the particular risk. The company should not be afraid to refer to superior practices of other firms in the company’s industry and should not ignore problems that have continuously arisen in the past. One way that companies seek to enhance the objectivity of their risk assessments is to turn to independent outside parties to conduct the assessments and deliver the results to the executives of the company.

§17 --Conduct risk assessments on a regular basis

Risk assessments must become a permanent part of the company’s compliance activities and plans should be made for conducting risk assessments on a regular basis. Industry practice should be consulted to determine the frequency of the assessment; however, in most cases an assessment should be done annually and rarely is it advisable to do an assessment less frequently than every two years. In many cases a follow-up review for a particular risk area may need to be done before the next full risk assessment is conducted. Conducting risk assessments on a regular basis demonstrates commitment to the process and also ensures that the company has access to timely information that can be used to monitor and, if necessary, modify its controls and compliance programs.

§18 --Benchmark the company’s compliance programs

One of the measures used in the Sentencing Guidelines for gauging the effectiveness of a company’s compliance program is how it stacks up against “accepted or applicable industry practice.” Accordingly, one of the goals of the risk assessment should be to benchmark, or compare, the risk areas and compliance activities of the company against firms of similar size engaged in comparable operational and business activities. Admittedly, detailed information on other firms is often hard to find; however, there are publicly available sources for information on compliance programs of various organizations.

§19 Risk assessment process

An effective risk assessment begins with careful planning and it is important for the company to adopt a standardized and well documented process that is clear to everyone involved and which will be respected by everyone within the company and by relevant external parties including regulatory agencies. The risk assessment process should be comprehensive and cover all of the material risk areas throughout the organizational structure of the company. The goals and purposes of the risk assessment should be set at the beginning and should include an objective analysis and ranking of the company’s risk areas and concrete recommendations regarding risk mitigation activities that can be implemented in order to preserve the value of the company and sustain the company’s business operations. The steps that should be taken in the risk assessment process may vary depending on the size of the company and its prior history in conducting risk assessments. For example, the organizational profile described below should be created during the company’s initial risk assessment; however, once the work on the initial profile has been completed it is not necessary to replicate all of it in subsequent periods, although it should be carefully reviewed to determine whether updates are necessary in light of changes in the company’s business activities and/or the relevant legal and regulatory environment. The sections below describe the key steps that many organizations take in order to carry out their risk assessment processes. Risk assessment is a demanding exercise; however, the information generated can provide a fascinating picture of the company’s operational activities and allow the directors and members of the executive team to make good and reasoned decisions about how the company’s compliance activities should be structured and supported. Members of the risk assessment team should expect to conduct interviews with a wide range of persons from throughout the organizational structure of the company; collect information using written surveys and questionnaires; review company policies and documentation relating to internal control activities; inspect and evaluate the company’s key business processes; and obtain and review data on risk assessment and mitigation activities of other firms in the company’s industry.
§20 --Purposes and uses of the assessment

Before investing significant time, money and other resources in a risk assessment, consideration must be given to designing the process and making sure that everyone involved is on the same page with regard to fundamental issues such as the end product of the process, the audience for the information and results generated by the assessment, the proposed uses of the results of the assessment, and the form and content of the reports that will be created during the assessment. In general, the primary goal in conducting formal risk assessments on a regular basis is to ensure that the company has an effective compliance and ethics program; however, the assessment should also be used as a tool for ensuring the company is setting the appropriate priorities for its compliance activities and focusing on those particular areas that are of greatest concern in light of the company’s business activities. The initial risk assessment will necessarily be quite broad but as time goes by the process will focus on a narrower set of areas that are particularly problematic while the risk assessment team remains vigilant about new risks that may not have been evaluated in previous periods. There are generally several different target audiences for the report that comes out of the risk assessment process and the report should be prepared in a way that ensures that each of the audiences receives the information that they need in order to discharge their responsibilities and provide support for the company’s compliance activities. The most common target audiences for the report include the board of directors and, in particular, the audit or other committee of the board to which responsibility for oversight of compliance activities has been delegated; the members of the company’s executive team; and the company’s internal and external legal advisors. Other potential audiences for the report include the company’s internal audit group and human resources department; the company’s insurance carriers and underwriters; and the company managers and employees. It is important to identify each target audience well before the report is written since the nature of the audience is an important factor in deciding what type of information should be collected during the assessment for analysis. As noted above, the primary purpose of the risk assessment report is to provide the board of directors and members of the executive team with sufficient information to create and modify the company’s compliance programs and processes. In addition, the report is often used to design training programs for managers and employees to educate them about the legal requirements associated with those risk areas that have been identified during the assessment as being most problematic. A risk assessment also allows companies to make smarter decisions about purchasing insurance coverage that can reduce their potential exposure to losses that might be suffered should a covered event occur. Finally, an assessment may identify a product line or customer relationship that has become too risky in relation to the company’s other business activities and this information may be the catalyst for divestment activities.
The form and content of the risk assessment report is a function of the various matters discussed above—purpose, audiences and uses—and the desire to maintain the confidentiality of the information collected and, if possible, preserve all available attorney-client or work product privileges in connection with information that might later be relevant in the context of a governmental investigation or civil or criminal litigation. Participants in the risk assessment process will be drawn from all parts of the organization and few of them will have a workable understanding of how records regarding their work on the assessment should be prepared to reduce the risk that they might someday be used against the company. In general, participants should be admonished to keep their writings clear, concise and neutral and to be mindful that what they record might easily be taken out of context. Particular care should be taken when writing about potential problems that “could” happen at some point in the future since comments on these issues might be construed as preexisting knowledge of the problem and thus raise issues about whether the company acted appropriately to resolve the problem if it somehow arises at a later date. In order to create greater uniformity in the way in which actual and potential risks are described and ranked, participants should be given templates that should be used as the exclusive means for recording results and impressions. The information collected during the assessment process should also be protected by limiting distribution of report drafts and other documents.

§21 --Planning the assessment process

A risk assessment is a complex undertaking and should be approached with the same level of planning as any other major project undertaken by the company. It is essential to identify the members of the risk assessment team and make sure that they have a formal plan in place for conducting the assessment that addresses all risk areas identified at the outset and also is flexible enough to include new areas that might be identified once the assessment has begun. As with any team activity, the success or failure of the risk assessment is closely linked to the choice of the team leader. He or she must have a good working knowledge of the key compliance issues and training in the methodology and processes that need to be used in order for the assessment to be effective. Possible candidates inside the company include the general counsel; the chief compliance or ethics officer; the director of risk management, if such a position has been created; or the top manager of the human resources function. Some companies designate one of the persons listed above as the “executive head” of the assessment project and allow him or her to appoint a team leader who will be assigned to the project on a full-time basis and report back up to the person who made the appointment.23 The composition of the risk assessment team should align smoothly with the scope of the risk areas that are to be assessed and members are typically drawn from all parts of the organizational structure of the company. If the general counsel or chief compliance officer is not appointed as the team leader, he or she should still be part of the team and subject matter experts from both the legal and compliance departments should also lend their support. In addition, each major functional department and business unit should be represented on the team, preferably by the department or unit head.
Gaps in substantive legal knowledge and/or assessment methodology may be filled by external parties including outside attorneys and accountants and consultants that specialize in assessment techniques. Once the risk assessment team is in place, attention turns to creating a plan for the specific assessment that must be conducted. If the company has not performed a comprehensive risk assessment in the past, all of the steps described below should be completed, including creation of an overall company profile, identification of all actual and reasonably foreseeable risk areas, analysis of each identified risk area and ranking of those areas by reference to the magnitude of potential harm to the company, and the preparation of the risk assessment report and the recommendations for appropriate remedial actions. On the other hand, if the company has been regularly conducting risk assessments for a number of years, the scope of the project may be limited and the available resources may be focused on those areas that have been problematic in prior assessments and on the analysis of new risk areas that have been identified since the last formal assessment. In any case, plans must be made for all necessary and appropriate surveys, interviews and inspections and the team leader should prepare a schedule for the assessment that includes specific milestones for completion of each of the interim activities that lead up to the final assessment report.

23 For discussion of staffing the compliance team, see “Elements of Effective Compliance Programs” in “Compliance: A Library of Resources for Sustainable Entrepreneurs” prepared and distributed by the Sustainable Entrepreneurship Project (www.seproject.org).

§22 --Preparing an organizational profile

A risk assessment cannot be complete or effective unless the assessment team has a thorough understanding of the business activities of the company, its organizational structure and the external environment in which the company is currently operating and is likely to operate in the foreseeable future. It is therefore important, particularly for the initial risk assessment, to complete an organizational profile of the company that includes a comprehensive review and description of the company’s products, services and markets; its strategy and supporting core competencies (i.e., competitive advantages); the competitive environment in which it operates; and the legal and regulatory factors applicable to its operations. Special areas of interest might include unionization among the company’s workforce and international operations. The organizational structure of the company should be included in the profile along with a description of the activities of each functional department and business unit. Historical information on compliance and litigation issues should also be part of the profile. Much of the data for the profile may already be available in the company’s strategic and business plans; however, additional research may be necessary to uncover relevant information on risk areas. If the executive team is considering a change in the company’s business strategy, such as introducing new product lines and/or entering new markets, the organizational profile should include an analysis of such changes so that the risks associated therewith can be evaluated as part of the overall assessment process.24 While the organizational profile should be comprehensive and generally can be quite lengthy, this is also the time for the risk assessment team to take a step back and attempt to create a preliminary picture of the risk profile confronting the company or the specific business unit that is the subject of the assessment.
One way to do this is to go through a short list of relatively simple questions such as the following:

What is the overall mission/purpose of the company and what are its current major goals and objectives?

What are the major concerns relating to the ability of the company to attain its goals and objectives?

Have there been changes in external factors such as laws and regulations?

Have the terms of any of the company’s material contracts changed?

Are any of the company’s material contracts up for renewal or in danger of early termination against the will of the company? If a contract is not renewed (or terminated against the will of the company) is a contingency plan required and, if so, is there one?

Have there been changes in key personnel during the past year?

Has there been high staff turnover in the past few years?

Is the company’s staff well trained and properly motivated?

24 For further guidelines on preparing the organizational profile see the discussion on collecting information to perform a compliance audit in “Compliance Audits” in “Compliance: A Library of Resources for Sustainable Entrepreneurs” prepared and distributed by the Sustainable Entrepreneurship Project (www.seproject.org).

Are the company’s business processes simple and routine or complex and non-routine?

Are the company’s procedures and processes documented (i.e., procedure manuals)?

Has the company failed to accomplish major goals and objectives in the past and, if so, why did the failure occur?

Have there been changes in information systems in the past year?

Has the company taken on new activities and/or has there been any major restructuring of the company’s internal organizational structure?

Does the unit have a contingency plan if there were a major disruption in provision of services (e.g., all staff on leave of absence, information systems crash, a permanent loss of facilities or key personnel, all paper records destroyed)?

What risks have increased or decreased during the past year and why has this occurred (e.g., major changes in industry-applicable technology and/or competitive environment)?

At this point the most important thing to try and do is identify each of the events or circumstances that might interfere with the company’s ability to achieve its principal goals and objectives. These risk events will be the subject of more thorough analysis as part of the actual risk assessment; however, it is useful to make a preliminary estimate of the likelihood of the event, the damage or injury to the company should the event occur, the steps that can be taken to manage the occurrence and impact of the event, and the cost and feasibility of eliminating the event (or substantially reducing its likelihood).

§23 --Identifying and ranking risk areas

Using the information in the organizational profile the members of the risk assessment team should identify all of the risk areas associated with the company’s business activities. Every business is confronted by day-to-day operational risks such as the possibility that a shipment of supplies will be delayed or a large check from a customer will not arrive. The focus of the risk assessment, however, is on risks that might lead to allegations of misconduct against the company or compliance miscues that might expose the company to governmental investigations or civil or criminal proceedings. The risk assessment must also focus on ethical lapses that while not illegal may nonetheless cause substantial damage to the image and reputation of the company. Identification of risk areas is best done by analyzing each of the significant business processes within the company to pinpoint the specific legal and ethical issues that might arise as those processes are carried out by the involved managers and employees. For example, an analysis of the company’s information technology assets and processes will typically generate a list of risk areas that includes security breaches; system failures; external events (e.g., natural disasters, terrorism or widespread power outages); misguided technology investments (e.g., obsolete software, incompatibility with existing systems or failure to correctly define business requirements and specifications); problems with systems development and implementation; and capacity shortages. Some of the risk areas will be truly company-specific, such as mistakes relating to technology investment, while other areas like software obsolescence and external events will be on the list of every firm in the company’s industry.

Once all of the risk areas have been identified an attempt should be made to rank all of them based on their “severity,” which is determined by the maximum potential adverse impact on the company in the event that there is a violation of law or other misconduct in the particular area. Certainly civil and criminal penalties which may be assessed in a governmental investigation or a lawsuit must be considered; however, other consequences should also be factored into the analysis including such things as the costs of defending and perhaps settling an investigation or lawsuit before penalties are assessed; a sharp decrease in the company’s stock price and/or financial performance (i.e., revenues and earnings); loss of employees, customers, vendors and other business partners; loss of privileges to engage in business activities with governmental agencies; damage to the company’s intellectual property and other assets; increased future compliance costs due to additional governmental scrutiny; increased cost of capital and difficulties in obtaining financing and credit; and harm to the company’s image and reputation due to adverse media coverage. In some cases the company may be forced to abandon key elements of its business model (e.g., divestiture of facilities and/or product lines) and select and implement costly new business strategies. Risk areas can be grouped into ascending categories such as “minor,” “moderate” and “severe” or can be given a numerical potential severity rating on a scale from 1-10 with 1 being the least severe and 10 being the most severe. If possible, reference should be made to the practices of peer companies in rating similar risk areas.

§24 --Collecting and analyzing information

Identification and ranking of risk areas is an important step in defining the risk environment confronting the company; however, the true story can only be learned by actually collecting information from throughout the organization that allows the risk assessment team to ascertain the true level of loss or damage exposure for each of the risk areas. Information collection tools include interviews with the members of the executive team and senior and mid-level managers in each of the functional departments and business units; written surveys of employees; group meetings with employee groups to supplement the feedback obtained in the survey; visual inspections of business processes throughout the organization, including training programs on compliance and ethics issues; and review of documentation pertaining to the company’s compliance policies and procedures and internal controls. While the primary goal of the information collection and analysis is to determine the likelihood of misconduct and violations of law this is also the time to verify that all of the relevant risk areas for the company have been identified and analyzed. When collecting the information the risk assessment team should be mindful of data that might ultimately mitigate or aggravate the loss or damage associated with a particular risk area. Another important issue to consider is the level of awareness within the organization regarding specific risks and the relevant legal and regulatory requirements. Many companies are expanding the information collection process to include key business partners. For example, in order to get an accurate picture of the risks associated with the company’s supply chain relevant data must be obtained from key vendors.

Generally, the best way to get started is to use a simple risk assessment questionnaire that poses several basic questions in key risk areas such as human resources, information technology, compliance (i.e., laws and regulations), internal controls, asset and revenue management, consumer impact and business processes. Each area will have its own unique risk factors and the questionnaire should call on the user to rank those factors from high to low. The questions should be customized to take into account the company’s specific business activities. For example, the risk assessment questionnaire for a financial services company should include questions relating to industry-specific regulations (e.g., broker-dealer registration requirements, trading requirements and rules relating to safeguarding of client assets). Other questionnaires can be used to delve more deeply into specific risk areas such as the overall organizational control environment; major contractual arrangements; human resources; information systems; and operations (e.g., purchasing, accounts payable and inventory controls). Each risk area has its own unique set of compliance issues; however, as a general matter the information collection process for each area should focus on the following essential elements of an effective compliance program25:

Written institutional code of ethics and conduct;

Explicitly stated compliance policies and procedures;

Training for all employees on code of ethics and compliance policies and standards;

Training for affected employees on laws and regulations pertaining to their specific job responsibilities;

Designation of a responsible company officer with appropriate powers and expertise relating to compliance issues;

Adoption/provision of adequate procedures, resources, and systems to permit compliance;

Maintenance of a process to allow anonymous reporting of alleged noncompliance and protection for employees who lodge reports;

Regular monitoring and auditing to test compliance;

Mechanisms to enforce rules and discipline rule violators;

Management commitment to take corrective actions and follow up to ensure effectiveness of corrective actions;

System to communicate corrective actions and follow up undertaken;

Adequate Board-level oversight of compliance function; and

Mechanism to communicate the impact of policies and procedures to the creators and enforcers of the policies and procedures.

The information to be collected, and the analysis to be performed, for various risk areas may actually be prescribed by statute or regulation. For example, the Privacy Rule and Security Rule contained in Title II of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), which governs use, disclosure and retention of health data, mandates that covered entities perform an accurate and thorough assessment of the potential risks and vulnerabilities to the integrity, confidentiality, and availability of health data, which should include an analysis of how the data flows into, through and out of the organization; how it is used; who receives it; and why it is disclosed.26

25 For further discussion, see “Elements of Effective Compliance Programs” in “Compliance: A Library of Resources for Sustainable Entrepreneurs” prepared and distributed by the Sustainable Entrepreneurship Project (www.seproject.org).

§25 --Ascertaining likelihood or probability of risk events

The process of identifying and ranking risks by reference to the severity of the potential loss or injury if the risk event actually happens does not by itself provide the company with a realistic picture of its risk profile. That picture emerges only after the information described above is collected and analyzed and the risk assessment team is in a position to make a reasoned estimate of the likelihood or probability of each of the identified risk areas. The risk assessment team will take into account various factors including the scope and strength of relevant compliance programs and procedures; the effectiveness of internal controls; the company’s organizational culture, particularly the amount of emphasis on ethical behavior; and the level of training and education of managers and employees. Companies commonly rate the likelihood or probability of risk events using a rating scale of 1-5 broken out as follows: 1 – Rare; 2 – Unlikely; 3 – Possible; 4 – Likely; and 5 – Almost Certain. Events that have happened in the past, either to the company or to similar firms in the company’s industry, are more likely to be assigned ratings of 3-5; however, mitigating factors such as implementation of strong compliance procedures may reduce the likelihood to 2 or even 1.

§26 --Compiling final ranking of risk areas

In order to prepare a useable ranking of risk areas that can be used to identify necessary changes in the company’s compliance programs and procedures, the risk assessment team must assign final risk scores to each risk area that take into account both the potential severity of the risk event to the company and the likelihood or probability that the event will actually occur. The simplest way to compute a risk score is to multiply the potential severity score for the event (i.e., 1-10 on a numerical scale with 10 being the most severe or damaging) by its likelihood/probability rating (i.e., 1-5 on a numerical scale with 5 being highly likely). For example, if an event poses a moderate level of severity to the company (e.g., a potential severity score of 5) and its likelihood falls into the “possible” range (e.g., a likelihood/probability rating of 3), then its risk score would be 15. All risk areas would be ranked from highest to lowest based on their risk scores so that decisions can be made as to what actions are appropriate for each of the areas in light of the available resources. Risk areas with the highest risk scores (e.g., high likelihood and severity) would demand the most attention while risk areas with the lowest risk scores (e.g., low likelihood and severity) would simply be monitored and re-evaluated from time to time to determine whether there has been a material change in the risk score. Risk areas that fall into the middle of the pack demand some sort of active attention from the company and are likely to be chosen for changes in compliance programs and special focus in future risk assessments. Companies generally cannot exert much influence on the level of severity of a particular risk area; however, they can work proactively to reduce the likelihood/probability of a highly severe risk area to the point where it is manageable.

26 See 45 C.F.R. § 164.308(a)(1)(ii)(A).

§27 --Preparing final risk assessment report

One of the byproducts of the risk assessment is generation of a written report that describes the key steps in the assessment process, the material findings of the assessment team and the recommendations from the team for actions that should be taken in order to mitigate or eliminate material risk areas. The report is not only important as a roadmap to be followed inside the company; it can also be used as evidence to show to third parties that the company has an effective risk assessment program in place that it follows regularly. For example, the report can be provided to regulatory agencies to demonstrate that the company has policies and procedures in place that meet or exceed the requirements under the Sentencing Guidelines. Among the most common elements of the risk assessment report are an identification and brief description of the most important risk areas; a compilation of the risk scores for each risk area including appropriate documentation to support the conclusions arrived at regarding likelihood/probability and severity; recommendations for actions to be taken to reduce risk exposure, each of which should be supported by a specific mitigation action plan that identifies the persons responsible for carrying out the plan, the actions to be taken and the schedule to be followed in executing the plan; a comparison of the results of the current risk assessment to prior years; and an analysis of how the company’s risk assessment processes and compliance programs compare to like firms in the company’s industry. The report should be carefully prepared so that the results cannot easily be misinterpreted in the event the report is later involved in a governmental investigation or other litigation.
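The scoring method set out in the preceding sections (a 1-10 severity rating multiplied by a 1-5 likelihood rating, ranking from highest to lowest, tiers of attention, and the year-over-year comparison the report should contain), together with the cost-versus-reduction comparison of mitigation proposals described under §14, is worked through below in Python. This is an added illustration, not a tool from the guide or the Sustainable Entrepreneurship Project. The risk areas, ratings, prior-period scores, the tier thresholds (30 and 10) and all dollar figures other than the $1,000,000 / $300,000 / $50,000 case quoted from §14 are constructed for the example.

```python
"""Risk-register scoring, ranking and mitigation prioritization.

Added example illustrating the severity x likelihood method described
in the text. Sample risk areas, ratings, prior scores, tier thresholds
and most dollar figures are constructed, not taken from the guide.
"""
from dataclasses import dataclass
from typing import Optional

# Likelihood scale exactly as the text gives it (1-5).
LIKELIHOOD_LABELS = {1: "Rare", 2: "Unlikely", 3: "Possible",
                     4: "Likely", 5: "Almost Certain"}

# Tier thresholds are an assumption for this example. The guide only says
# the highest scores demand action, the lowest are monitored, and the
# middle receive active attention; the maximum score is 10 x 5 = 50.
ACT_AT = 30      # score >= 30 -> "act"
PLAN_AT = 10     # 10 <= score < 30 -> "plan"; below -> "monitor"


@dataclass
class RiskArea:
    name: str
    severity: int                      # 1-10, 10 = most severe
    likelihood: int                    # 1-5, 5 = almost certain
    prior_score: Optional[int] = None  # score in the previous assessment

    def score(self) -> int:
        """Risk score = severity x likelihood, as the text prescribes."""
        if not 1 <= self.severity <= 10:
            raise ValueError(f"{self.name}: severity must be 1-10")
        if not 1 <= self.likelihood <= 5:
            raise ValueError(f"{self.name}: likelihood must be 1-5")
        return self.severity * self.likelihood

    def tier(self) -> str:
        """Attention tier derived from the score and the assumed thresholds."""
        s = self.score()
        if s >= ACT_AT:
            return "act"
        if s >= PLAN_AT:
            return "plan"
        return "monitor"

    def change(self) -> Optional[int]:
        """Movement since the prior assessment (None for a new risk area)."""
        if self.prior_score is None:
            return None
        return self.score() - self.prior_score


def rank(areas):
    """Highest score first. Ties are broken by severity (the factor the
    company can least influence), then by name so the order is stable."""
    return sorted(areas, key=lambda a: (-a.score(), -a.severity, a.name))


def mitigation_value(current_exposure, residual_exposure, cost):
    """Return (net benefit, exposure reduction per dollar) for a proposal.
    The text's own case: $1,000,000 exposure cut to $300,000 for $50,000."""
    reduction = current_exposure - residual_exposure
    return reduction - cost, reduction / cost


def prioritize(proposals):
    """Order proposals by reduction per dollar so a fixed budget goes to
    the areas where it buys the most, as §14 suggests comparing them."""
    return sorted(proposals,
                  key=lambda p: mitigation_value(*p[1:])[1], reverse=True)


# Constructed sample register (hypothetical risk areas and ratings).
REGISTER = [
    RiskArea("Security breach of customer data", 9, 4, prior_score=45),
    RiskArea("Broker-dealer registration lapse", 8, 2, prior_score=24),
    RiskArea("Parking violations by delivery fleet", 1, 5, prior_score=5),
    RiskArea("Obsolete software in billing system", 5, 3),
]

# Constructed proposals: (name, current exposure, residual exposure, cost).
PROPOSALS = [
    ("Improved compliance activities (guide's case)", 1_000_000, 300_000, 50_000),
    ("Replace billing software", 400_000, 100_000, 150_000),
    ("Fleet parking policy", 20_000, 5_000, 10_000),
]

if __name__ == "__main__":
    for a in rank(REGISTER):
        print(f"{a.score():>2} {a.tier():8} {LIKELIHOOD_LABELS[a.likelihood]:14} "
              f"change={a.change()} {a.name}")
    for name, *figs in prioritize(PROPOSALS):
        net, ratio = mitigation_value(*figs)
        print(f"{ratio:5.1f}x reduction per dollar, net ${net:,} {name}")
```

The register deliberately includes the two cases the guide uses to motivate weighting: the high-severity, low-likelihood event lands in the middle tier, and the near-certain but trivial parking-violation cost scores 5 and is merely monitored. Keeping `prior_score` on each row gives the year-over-year comparison the report calls for without a second data set.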
The risk assessment team may come up with a wide range of ideas for risk mitigation plans; however, the company rarely has the resources to implement all of the plans at one time and it is therefore necessary to prioritize the responses to fit with the available budget and the specific areas of greatest concern. Options vary depending on the specific risk area. For example, risks in the information technology area might be addressed by investing in and deploying new systems and technological solutions; contingency planning; creating new policies and procedures and/or modifying existing policies and procedures; strengthening internal controls; recruiting new personnel with necessary experience and skills to address a particular problem; insurance; and creating and enforcing new performance benchmarks. Each risk mitigation action plan should be closely monitored and responsible parties should be required to prepare and deliver regular reports to management personnel on implementation of the plans and how effective they are in addressing the identified problems. The responsible parties should also understand that the plans will be an important part of how their overall contribution to the company is evaluated.

§28 In-house risk assessments or outsourcing

The discussion of the risk assessment process set out above implicitly assumes that the assessment will be done “in-house” by company personnel. While most large companies take this approach, a significant minority chooses to outsource the project to outside experts such as law firms, audit firms and consultants with specialized expertise in conducting risk assessments and using the various tools that are commonly deployed in the assessment process to collect and analyze information. Obviously, this is an important choice, and companies should carefully consider the pros and cons of each approach before making a decision. Smaller companies with limited financial resources are more likely to opt for turning the risk assessment project over to internal personnel. The rationale is that the assessment can be done with less expense and that the managers and employees assigned to the assessment know the company better than outsiders and can collect and analyze the information more quickly and without concern about disclosing sensitive information to outsiders. Critics of this approach maintain that most in-house risk assessments do not meet the minimum standards for “best practices” due, in large part, to the lack of expertise in the increasingly complex methodologies used in the risk assessment area and the lack of experience of managers and employees in conducting the interviews, surveys and inspections that are such a large part of an assessment and in effectively analyzing the data generated by those activities. Another potential drawback to an in-house risk assessment is a lack of objectivity that may result in ignoring or minimizing risk areas for political reasons or because it is known in advance that mitigation may be needed at a cost that is untenable given the resources available to the company at that time. Advocates of using outside experts, including, of course, the experts themselves, argue that outsourcing effectively eliminates all of the disadvantages associated with an in-house risk assessment.
For example, outside experts have the experience necessary for effective use of all of the information collection and analysis tools referred to above and they can not only collect more data but also interpret it in ways that yield higher quality results upon which decisions can be made by the directors and members of the executive team. Outside experts, particularly lawyers, are also much more familiar with the strategies that are most likely to preserve the confidentiality and security of the information collected during the assessment, including the ability to prepare risk assessment reports that are clear and concise and which do not contain ambiguities that might be used against the company in the future. Finally, outside experts bring an independence to the process that eliminates the harmful effects of bias that exist during an in-house assessment and it can be expected that outside experts are more likely to provide objective measures of risk severity and likelihood/probability.

§29 Risk management techniques for emerging companies

The risk assessment process described above is generally suited for larger companies that have the resources available to undertake a comprehensive process of identifying, assessing, analyzing and measuring specific risks. Emerging companies typically lack the resources and patience to implement a complex risk management system and are generally more focused on growth strategies, product development and forging new business relationships; however, some form of risk assessment and management process must be integrated into the operational activities of these firms lest they suddenly find that all of their hard work is in jeopardy due to failure to take fairly simple preventive measures. One suggested method for emerging companies is performing a “layers of protection analysis,” or “LOPA,” to determine whether the company has taken sufficient action to protect itself against adverse consequences of certain events. The process for a LOPA depends on the particular risk, hazard or accident of concern to the company and the level of detail that the company is willing to commit to in carrying out the initial LOPA and subsequent assessments. A good example, which is certainly relevant to emerging companies from the time that they begin to expand their number of employees, is the LOPA that might be used in order to reduce the likelihood that the company will be harmed by illegal or unethical employee behavior. In that situation, a company may set a goal of establishing a reliable system for preventing, detecting and correcting employee behavior that is illegal, unethical or otherwise incompatible with the values that the company wishes to project to its stakeholders. In order to achieve this goal, the company may establish three layers of protection which can be regularly evaluated under LOPA: prevention, which focuses on the initial selection and ongoing training of employees; internal detection and correction, which includes procedures designed to uncover and resolve problems at an early stage; and external detection and correction, which includes information obtained from outside of the company that identifies potential or actual legal or ethical problems that may eventually cause material damage to the company. The first layer, referred to as “prevention,” attempts to reduce the likelihood of employee behavior problems by making sure that employees are carefully selected and properly trained and that incentives are provided to employees to increase the likelihood that they will perform in the manner expected.
Among the elements that should be included in this layer are the following: background checks; comprehensive interview and pre-employment assessment procedures; new employee orientation programs; compliance training and awareness programs; policies, procedures and employee codes of conduct; control systems; performance evaluation procedures and reward systems tied to compliant behavior; and consistent communication from top management regarding the importance of legal and ethical behavior, coupled with appropriate behavior by top management. The second layer, referred to as “internal detection and correction,” includes various tools and procedures for continuous internal monitoring of employee behavior to identify, and quickly resolve, potential issues before they escalate. Among the elements in this layer are the following: compliance monitoring; internal audits; risk assessments; employee questionnaires; ethics hotlines; and prompt and thorough investigation of potential issues followed by clear and effective corrective actions, including necessary modifications to prevention strategies in the first layer. Finally, the last layer, “external detection and correction,” relies on information from external sources to identify issues that may not have been picked up internally. In some cases the information is voluntarily solicited by the company, as is the case when external consultants are brought in to audit the company’s compliance procedures. In other cases the information comes in the form of queries from governmental agencies or complaints received from customers, business partners, investors, or public interest groups.

The ideal situation for any company is to strengthen the first layer, prevention, to the point where a minimal amount of resources will need to be invested in the other two layers and the risk associated with a major problem is substantially reduced. The efficacy of the prevention layer can, and should, be constantly measured by reference to how much time and effort is expended on correction in the second and third layers, and lessons learned from dealing with problems that arise should be integrated into the preventive element in the form of training and modifications to reward systems. Not covered here, yet also important, is the implementation of crisis management procedures that can be used in the event that prevention, detection and correction are not sufficient to avert a major incident.

Summing Up

1. The risks that are the greatest concerns for corporate executives include corporate governance issues, which not only expose companies to the costs of actual liability for violation of corporate governance laws and regulations but also force them to invest substantial amounts in compliance programs; natural disasters (e.g., hurricanes, flooding and earthquakes) in countries where companies have substantial assets and/or are engaged in a high volume of business activities; higher levels of litigation that can result not only in liability for claims made against a company but also in substantial additional expenses to defend against the lawsuits even if the company is ultimately found not to be liable; physical infrastructure and facilities risks, including the rising costs of maintaining aging facilities and the potential damage to products, property and humans that may occur as the company operates over public roads and railways; governmental regulation that carries higher costs of compliance which will ultimately cause companies to raise the prices of their products and services and risk loss of market share to competitors; terrorist attacks, unforeseen changes in customer requirements and the entry of new competitors or introduction of new technologies; and cyber-attacks that disable a company’s communications infrastructure and expose companies to potential liability for theft of personal information that has been entrusted to them for safekeeping.

2. Management should be prepared to increase the company’s control mechanisms whenever there are changes in the organization’s regulatory or operating environment; changes in personnel; new or revamped information systems; rapid growth of the organization; changes in technology affecting production processes or information systems; new business models, products or activities; corporate restructurings; expansion or acquisition of foreign operations; and/or adoption of new accounting principles or changing accounting principles.

3. Coping with all of the potential risks associated with conducting business activities requires companies to take a formalized approach to risk management, systems and programs that has come to be known as “enterprise risk management”, or “ERM”. ERM programs, which often include compliance aspects or are implemented in conjunction with a separate but related compliance program, have been mandated or highly recommended by federal and state laws and regulations, such as Sarbanes-Oxley and the Dodd-Frank Wall Street Reform and Consumer Protection Act; federal sentencing guidelines; listing standards required by national securities exchanges; credit agencies; directors’ and officers’ liability insurance carriers; and accounting and audit review standards. In many cases, companies are required, or strongly urged, to create a separate board-level risk management committee and appoint a chief risk officer, a position discussed further below. Apart from legal and regulatory requirements, companies have recognized that ERM can be deployed as an essential business management tool to assess and analyze businesses and activities on a risk-adjusted basis; engage in sound strategic planning and financial management, which requires that all risks of every line of business and activity be assessed and balanced against profitability; and recognize and prepare for the interdependency of events.

4. Risk assessment is primarily concerned with what are generally referred to as operational risks (also sometimes called transaction risks), which are risks of loss or injury to the company from inadequacies or failures relating to processes, systems or people (e.g., fraud or error). Operational risks can arise from internal and external factors and can be found in every major business activity of the company. Operational risks may be broken down into various categories such as credit and market risks, reputation risks, strategic risks and compliance risks. Credit and market risks include an unforeseen adverse decline in the liquidity of a key customer that must be addressed by changes in underwriting policies and collection systems to avoid significant losses and higher costs of servicing that customer. Reputation risks include the possibility of security breaches that result in the loss of confidential information and the loss of confidence of customers and other business partners. Strategic risk increases when the company fails to invest in the resources necessary for collection and analysis of all of the information needed to make proper and informed decisions about major new investments. Compliance risks include failure to comply with legal and regulatory requirements applicable to the company’s products and services, which leads to civil and/or criminal penalties.

5. The activities associated with an effective risk assessment process include identifying the risks that are most relevant to the company and developing a short description of the key characteristics of each risk so that it can be analyzed and strategies created for mitigating or eliminating them; defining the company’s “risk appetite” to determine which types of identified risks are most problematic for the company and thus are appropriate targets for mitigation activities; risk mitigation, which involves developing compliance programs and internal controls designed to reduce risks to levels consistent with the company’s risk appetite; and establishing benchmarks for measuring the effectiveness of the company’s risk mitigation efforts and procedures for continuous risk assessment to identify and manage new risks that may arise as the activities of the company and its external environment change. The scope of the process, and the required investment, depend on the size of the company, its stage of development and available resources, and companies must decide on the level of sophistication of risk management procedures, how much of the process should be outsourced and the appropriate internal management structure for the risk management activities.

6. Recognized general guidelines for conducting effective risk assessments include covering all major areas of potential misconduct; examining risk in the context of the company’s resources; using industry information and company history; including managers and employees from all organizational levels; analyzing both the impact and likelihood of the occurrence of a risk; quantifying each risk area; documenting the outcome of the risk assessment process; conducting the risk assessment in a defensibly objective manner and on a regular basis; and benchmarking the company’s compliance programs.

References and Resources

The Sustainable Entrepreneurship Project’s Library of Resources for Sustainable Entrepreneurs relating to Entrepreneurship is available at https://seproject.org/compliance/ and includes materials relating to the subject matters of this Guide, including various Project publications such as handbooks, guides, briefings, articles, checklists, forms, videos and audio works and other resources; management tools such as checklists and questionnaires, forms and training materials; books; chapters or articles in books; articles in journals, newspapers and magazines; theses and dissertations; papers; government and other public domain publications; online articles and databases; blogs; websites; and webinars and podcasts. Changes to the Library are made on a continuous basis, and notifications of changes, as well as new versions of this Guide, will be provided to readers that enter their names on the Project mailing list by following the procedures on the Project’s website.

06.2018