Let's take a closer look at one of the most common phrases in corporate ethics and compliance—“a risk-based approach.”
What do we actually mean by that? How does a compliance program run on a daily basis when you use it?
The definition of risk-based approach is straightforward. You identify the highest compliance risks to your organization; and make them the priority for controls, policies, and procedures. Once your compliance program reduces those highest risks to acceptable levels, you move on to lower risks.
One can see why a risk-based approach is so useful. Your biggest compliance risks will cause the most disruption should they come to pass: time spent on investigations, money spent on regulatory settlements, unwanted headlines, business partnerships jeopardized, and so forth.
If there’s one thing senior executives hate, it’s a disruption to their business. So operationally, a risk-based approach makes huge sense.
Regulators advocate a risk-based approach for another reason: because it shows that the company actually, ya know, thinks about its risks.
For example, if you perform the same due diligence procedures on all third parties, that’s a waste of time. Many of your third parties are harmless, while a few can pose great peril. Applying one standard to all shows that the company isn’t thinking about its compliance risks. It’s thinking about how to get due diligence over with.
Once regulators get that idea into their head—that perhaps the company sees compliance as a checklist item to put behind it ASAP—you’re in a much worse position. Regulators might start questioning the company’s sincerity about compliance, in addition to its skill at compliance. Nothing good comes from that.
What a Risk-Based Approach Entails
Go back to our definition of risk-based approach from above. It has two parts: identifying certain risks, and making them the priority. So when we talk about what a risk-based approach entails, it’s about proficiency at risk assessment and responding with agility.
That’s an important point for CCOs to consider as you defend the value of compliance programs to senior executives. Using a risk-based approach is the better way to run a compliance program—but not necessarily cheaper or faster, because savings and speed aren’t the paramount goals. Reduction in compliance risk is.
“Proficiency in risk assessment” implies several specific capabilities. For example, it implies a strong ability to perform due diligence on third parties, since they might become part of your extended enterprise. Inevitably a third party will bring some risk, and that’s fine, so long as you understand what that risk is.
It also implies an ability to monitor regulatory change. We can define that is new regulations coming to bear on your business; or existing regulations that are becoming larger enforcement priorities. (Think of FCPA risks 10 years ago, or sanctions risk today.) Either way, you need to understand how a regulatory change in the outside world is shifting the criteria for “high” compliance risk in your specific organization.
And perhaps most importantly, you need an ability to understand the compliance risks that arise from your company’s own internal processes. New product lines, new incentive compensation schemes, new IT systems, new third parties, new assignments for third parties—all of them can affect your compliance risks, without anything in the “outside” world-changing.
To some extent (in many cases, to a great extent), compliance officers will need access to more data and more analytics to develop these capabilities. You’ll also need good relations with other parts of the enterprise so they can keep you informed about internal changes. Which means support for compliance from senior leaders, so those other parts of the enterprise understand that compliance should be included.
Risk-Based Approach After the Assessment
After that enhanced risk assessment still comes the part about responding to risks. As we said, responding “with agility” is crucial to success here. It, too, implies several specific capabilities for the compliance program.
First, the program will need skill at testing controls. They are the brakes that keep the company’s compliance risk from careening into a disaster, and they need to work. If not, you need skill at developing compensating controls to fill that gap. In practice, that might mean working closely with your audit team or an IT security function, or even an outside vendor.
Second, the program will need skill at policy management—because some control somewhere won’t satisfy the compliance risk you have, and you’ll need to change a policy or procedure to fix it, and that change has to stick.
Without that ability to command and control change across the whole enterprise, the company can face serious questions about the effectiveness of its compliance program. Maybe the company isn’t devoting sufficient resources; maybe various employees aren’t giving compliance the priority it needs. Regardless, an inability to implement compliance defeats the whole point of a risk-based approach.
Third, the program will need skill at reporting, because that will provide the evidence you need to show senior executives, operations executives, regulators, business partners, and anyone else that the compliance program has put thought into its approach.
Again, that’s the whole point of a risk-based approach: to put first things first. Plenty of groups will have a perfectly reasonable need to ask, “Why are we doing this?” and clear, precise reports about compliance risk provide the answer.
Matt Kelly is an independent compliance consultant and the founder of Radical Compliance, which offers consulting and commentary on corporate compliance, audit, governance, and risk management. Radical Compliance also hosts Matt’s personal blog, where he discusses compliance and governance issues, and the Compliance Jobs Report, covering industry moves and news. Kelly was formerly the editor of Compliance Week. from 2006 to 2015. He was recognized as a "Rising Star of Corporate Governance" by the Millstein Center in 2008 and was listed among Ethisphere’s "Most Influential in Business Ethics" in 2011 (no. 91) and 2013 (no. 77). He resides in Boston, Mass.