9 Risk Assessments (the 8th Element): What, Why, and How

9.1 Objectives and Discussion Questions

This chapter examines the "8th element" of an effective compliance program: risk assessments. A risk assessment is a tool that can be applied at a very high level (enterprise risk management, or ERM), at a department level, or at a project level. It is a process that typically involves an inventory of risks, some type of quantified scoring of each risk, reporting out using a heatmap, dashboard, or other visual, and finally remediation. Risk assessments are a feeder to prioritization and goal setting. Enterprise Risk Management is the application of a risk assessment tool to the full breadth of risks in a corporation: regulatory, financial, operational, and strategic.

Discussion Questions:

1. Should a heatmap or dashboard used to report out a compliance department's top regulatory risks be attorney-client privileged? Why or why not?

2. How would you describe to a CEO the rationale for conducting an annual risk assessment of the compliance regulatory risks? Why would a compliance leader use this type of exercise?

3. What are the reasons a corporation might NOT choose to have a separate and defined ERM program?

 

9.2 Risk Assessments

9.3 Enterprise Risk Management (ERM)

Back to the Big Picture

9.4 Hypo: Is ERM Necessary? Sufficient?

Atlas Devices, Inc. is a publicly traded U.S. technology company that designs and manufactures wearable medical devices. Over the past five years, Atlas has expanded rapidly through acquisitions and now operates across multiple jurisdictions.

The board of directors meets quarterly. Risk oversight is assigned to the audit committee, which receives a short “risk update” slide deck once per year prepared by the CFO. The presentation lists several operational risks but does not rank them, connect them to strategy, or include emerging risks such as cybersecurity, data privacy, or regulatory enforcement exposure.

Atlas does not have a formal enterprise risk management (ERM) program. Senior leadership has discussed ERM in the past but decided it would be “too bureaucratic” and that existing internal controls and insurance coverage were sufficient.

Two years ago, Atlas experienced a significant data breach involving patient health information. Management disclosed the breach but characterized it as immaterial and did not update the board’s risk materials. No changes were made to risk reporting or governance structure following the incident.

Last year, Atlas became the subject of a major government investigation related to its data privacy and device safety practices. The investigation resulted in substantial fines, remediation costs, and a sharp decline in stock price. Shareholders have now brought a derivative action against the board alleging a failure of oversight.