An annual enterprise compliance risk assessment reveals a significantly elevated risk of commercial bribery within an organization's regional logistics division. Which of the following is the most appropriate and compliant response to this finding?
Select an answer to reveal the explanation.
Short Explanation and Infographic
Imagine your boss walks in and says, 'Hey, the risk report shows our logistics division in South America has a high risk of bribery.' What do you do? You don't just shut down the division (choice A)—that's burning down the house because a light bulb is out! And you don't fire the manager without any evidence of wrongdoing (choice C). You definitely don't ignore it (choice D), because regulators will crucify you if something goes wrong later and you did nothing. The correct move is to roll up your sleeves and apply a risk-based approach. You beef up the controls, run targeted training for those employees, and monitor their transactions like a hawk. This shows you're managing the risk, which is exactly what regulators expect.
Full explanation below image
Full Explanation
A core tenet of effective compliance programs, as outlined by the US Department of Justice (DOJ) and the Federal Sentencing Guidelines, is the application of a risk-based approach. When an organization identifies a high risk of corruption in a specific business unit, it must allocate resources proportionally to mitigate that specific risk. This involves tailoring and implementing more robust internal controls, conducting specialized anti-corruption training for the affected employees, and increasing the frequency of auditing and monitoring in that business unit. Option A (divestiture/shutdown) is disproportionate and commercially impractical as a first response to an unmitigated risk, unless the risk cannot be managed to an acceptable level. Option C (terminating the manager) is inappropriate without evidence of personal misconduct or systemic oversight failure, and does not address the underlying systemic risks. Option D (taking no action) is a critical compliance failure; failing to act on known risk exposures demonstrates an ineffective compliance program and increases corporate liability in the event of a future violation.