Risk assessments have long been recognised as a core element of an effective compliance programme. Be it the US Sentencing Guidelines, US DOJ and SEC FCPA guidance, UK adequate procedures or the French Sapin II requirements, each of these authorities expressly calls out risk assessments as a required measure when assessing the effectiveness of a company's compliance programme.
Therefore, failing to conduct a risk assessment adequately (or at all) increases the risk of enforcement action and higher penalties, and can restrict the availability of early settlement options such as non- or deferred-prosecution agreements.
However, risk assessments are not just programmes of compliance: there is a science and an art to using fundamental approaches to reduce the impact in a data-driven world, because assessing risks is a dynamic and iterative process.
FRA Directors Simon Taylor and Doel Kar discuss this further in their article 'Risky Business - Assessing Risks in the Age of Big Data' in the June edition of The Lawyer.