For many companies, risk assessment is an annual process intended to provide a broad, objective view of the organization’s potential problems -- from operational and legal risks to safety and reputational risks. While useful as an annual baseline, a lot can happen in 12 months. For example, moving into a new emerging market could significantly change a company’s risk profile.
If you’re only revisiting your risk assessment once a year, how confident are you that it’s up to date and relevant after six, nine or ten months? While there’s plenty of guidance available on best practices and conducting a risk assessment, it’s important to focus on keeping the information fresh and measuring the effectiveness of your risk response over time.
Assessing Risk Isn’t Enough
Many compliance, regulatory or ethical risk categories are common to multi-national organizations, and should be considered by the risk assessment team. The following are just a few categories that should be considered in assessing your organization’s risk:
- Non-retaliation/whistleblower protection
- Theft and embezzlement
- Proper handling of resources and data
- Accuracy of time-keeping and other records
- Antitrust and fair competition for business opportunities
- Conflicts of interest
- Offering/receipt of business gifts and courtesies
- Bribery/anti-corruption/Foreign Corrupt Practices Act
A CCO needs to document that their compliance program is tailored to a risk assessment (or some analysis of the company’s risks), but many CCOs don’t see risk assessments themselves as useful, suggests attorney Michael Volkov.
“Many CCOs will candidly tell you that a risk assessment provides them with a colorful and expensive report on the company’s risks that contains no new information,” Volkov writes. In part, that’s because the information is stale.
A Dynamic Picture of Your Organization’s Risk
Instead of an annual report, today’s CCOs need risk information that is fresh and current: a living, dynamic document. To track your risks in real time, you need a way to not only catalogue a change in risk (or add a new one), but also a structure for responding to it. At some organizations, it might be enough to revisit the risk assessment on a regular schedule; others should consider a technology solution that supports risk management as a perpetual business practice.
A live, dynamic risk assessment also lends itself to automation, such as automatic triggering for high-risk transactions. If certain risks present themselves in your assessment, they could trigger automated training requirements, for example. If you’re doing business in parts of the world with high risk of corruption, you could automatically trigger due diligence requirements if a transaction is in a certain region and above a certain dollar amount. When combined with dynamic risk assessment, this kind of automation promotes fluidity and responsiveness to changing risks.
Tracking Your Results
A risk assessment is only helpful if you take action based on what you find. Each risk identified should have corresponding actions, mitigating controls or procedures, and the outcomes must be tracked to determine their effectiveness. For CCOs, it’s important to have a system that allows you to be accountable to your risk assessment by addressing each risk with some specific response -- and then determining if the response actually works.
If you have a risk area that’s continually problematic, such as conflicts of interest, you might take action in the form of a training campaign that’s targeting that area. While the training might reduce the risk of conflicts of interest, that’s not a given: The messaging might be off, or training might not be the right response. In either case, you need to acknowledge the issue and come up with a different response.
Risk assessment and response can be an effective platform for trial and error -- a way of getting beyond annual reports and figuring out what really works for mitigating risk.