An international logistics company wants to transition from a generic, compliance-by-template model to a risk-based compliance program. Which approach best represents this principle?
Select an answer to reveal the explanation.
Short Explanation and Infographic
Think of it like this: you wouldn't spend the same amount of money securing a small tool shed in your backyard as you would securing a vault filled with gold, right? You put your security cameras and locks where the valuable stuff is! That's what a risk-based compliance program is all about. You can't audit every single transaction in a multi-billion dollar company—that would grind the business to a halt. Instead, you do a risk assessment to figure out where your biggest exposures are, like sales operations in a country known for high corruption levels, and you focus your compliance resources and audit teams right there. It's about working smarter, not harder.
Full explanation below image
Full Explanation
A key principle of effective corporate compliance, as emphasized by the U.S. Federal Sentencing Guidelines and international regulatory bodies like the OECD, is that compliance programs must be tailored to the specific risks faced by the organization. A "one-size-fits-all" approach is inefficient and often ineffective, as it spreads compliance resources too thin and fails to address deep-seated systemic risks.
Option C is correct because a risk-based compliance program prioritizes resources, oversight, and monitoring controls based on the results of a formal risk assessment. High-risk areas—such as operations involving government contracts, high-risk geographic locations, or complex regulatory requirements—receive more frequent audits, stricter controls, and specialized training. Conversely, low-risk areas receive proportional, less intensive oversight.
Option A is incorrect because using un-tailored templates fails to account for the unique operational and geographical risks of the subsidiaries, which is the opposite of a risk-based approach.
Option B is incorrect because applying identical controls across all business units ignores the risk profiles of different departments (e.g., finance and sales vs. internal facilities management), leading to operational bottlenecks in low-risk areas and insufficient controls in high-risk areas.
Option D is incorrect because risk assessments are the very foundation of a risk-based compliance program; you cannot build a risk-based model if you avoid risk assessments.