- Be prepared – As Charlie mentioned, someone at the SFO once said ‘the first thing we will ask for is the company’s risk assessment’. Questions you’ll need to answer include: was there a consistent methodology, were all parts of the business involved, what was out of scope and why, how often was a full risk assessment undertaken? Essentially, prosecutors are trying to understand whether the risk assessment has been taken seriously, and what attempts have been made to mitigate risk.
- Really understand your business – ‘really’ is the key word here. According to Jo, only by really understanding the business can you ask the right questions, ones specific enough to identify previously unearthed risks. This also links to the experience of the team undertaking the risk assessment. Do they understand what has happened in other companies and the potential implications for your organisation? After the desktop research into what business we’re in, where we operate and so on, does the team understand where the real interactions are and where they need to focus?
- Engage the business and share findings – Ultimately, you need the business to see the value in the risk assessment so that they support the process and cooperate. You and your team understanding the business and asking the right questions will help gain their respect. Where relevant, you can also share findings of the risk assessment with business units, which can help them to progress; validation is important to getting the risk owners to engage with the mitigation steps that need to be taken. For example, Jo mentioned letting them know about the total commissions paid and how this is affecting their margin. For those in the business who are still reluctant to engage, sometimes you simply need to say that it’s the law and they need to do it!