We all face a number of risks every day. Yet we do not respond to each and every risk. We risk-rank our responses. Some risks are greater than others and some are more catastrophic than others. So, we engage in risk ranking each day and allocate our time and attention accordingly.
The same applies, or should apply, when managing a compliance program. Resources are limited and compliance officers face a variety of risks. It is important, however, to rank these risks and then allocate time, attention and resources in accordance with these risk rankings.
The DOJ/SEC FCPA Guidance issued in 2012 emphasized the importance of implementing a risk-based due diligence program as part of a company’s compliance program. Of course, this principle makes sense, but it is important for a compliance officer to apply this principle, document the application of the risk ranking system, and devote resources commensurate with the assigned risk. In doing so, the relative treatment of each subject or class must be in accordance with the assigned risk level.