Managing compliance risks can seem like a daunting task.
In fact, a survey of compliance officers published by Nasdaq in late 2018 found that 55 percent of respondents named fully understanding regulation and how it impacts their business as their top concern for the next 12 months. In order to manage compliance risks, it is crucial that you take a systematic approach to identifying, mitigating, and reviewing the compliance risks your business faces on an ongoing basis. Here are the seven essential tips to take into account when evaluating your approach to compliance risk management.
How to Manage Compliance Risk?
1. Always Start With a Risk Assessment
You can’t manage compliance risks if you don’t understand what your risks actually are. Without a thorough and scientifically justified risk assessment all the elements that make up your compliance program; your policies, due diligence, and tone at the top, will accomplish little if they do not address the right risks.
There is no one-size-fits-all approach to risk assessment. Compliance departments typically have limited resources; applying the same approach to the entire organization will inevitably lead to resources being spread too thin as they will end up being over-allocated to low-risk markets. It is thus key to assess the risks faced by your business first in order to prioritize and address them appropriately.
For a more thorough look at risk assessment, see our Best Practices for Conducting Risk Assessments eBook.
2. Managing Compliance Risk is All About Third Parties
Every business deals with a large number of third parties, however, that number will vary depending on the size and type of business. Performing at least some level of due diligence on all your third parties is essential, as many of the biggest and most prominent compliance risks are associated with interacting with third parties. Under most prominent foreign bribery legislation, companies generally face liability for bribes paid by intermediaries to foreign officials.
Hence, a strong due diligence process should be a central part of an attempt to manage compliance risks. As you will likely deal with a large number of third parties, it is essential that the due diligence process is streamlined, integrated, and as automated as possible. Using an end-to-end due diligence solution will enable you to automatically screen and categorize third parties.
As due diligence is a complicated process with many hurdles and pitfalls, we encourage you to read our Common Due Diligence Pitfalls eBook written in collaboration with Control Risks.
3. Understand the Latest Enforcement Policies
Compliance risks typically encompass a number of areas including data protection, export control, and anti-corruption law. As part of your risk assessment, you should ensure that you understand the requirements imposed by all applicable laws and regulations. However, beyond understanding the letter of the law, it is important that you stay up-to-date with the latest guidance and enforcement policies released by the enforcement agencies as prosecutors wield significant discretion when deciding whether or not to prosecute misconduct. Doing so could potentially be enormously beneficial if problems do arise, as you will have been able to tweak your compliance program to qualify for leniency.
As a case in point, the corporate enforcement policy for the U.S. Foreign Corrupt Practices Act (FCPA) saw its last major revision in late 2017. Under this policy, the U.S. Department of Justice (DOJ) holds that companies that voluntarily self-disclose FCPA violations in a timely manner, and subsequently fully cooperate and appropriately remediate the misconduct, will as a matter of presumption, absent aggravating circumstances, receive a declination. You can read more about the FCPA Corporate Enforcement Policy in our detailed eBook.
4. Don’t Forget to Build a Culture of Ethics and Compliance
In the process of trying to manage compliance risks, it is easy to lose yourself in managing complex problems or, indeed, trying to tailor your compliance program to the latest enforcement policies. Hui Chen, the DOJ’s former Compliance Counsel Expert, rightly pointed out in an op-ed that the conversation around compliance programs has increasingly focussed on the question “what does the DOJ/SEC expect?” rather than “what actually works?”
Of course, every compliance officer worth their salt wants to run a compliance program meeting the highest expectations set by the authorities. And that is fine, but a problem arises when that results in a myopic focus on managing compliance risks as a tick-box exercise. It requires a much broader, organization-wide effort to drive compliance and ethics to the core of the business.
The tone at the top of your organization is crucial. Senior leadership should clearly communicate to middle managers, and the rest of the organization, the type of ethical conduct expected from each and every employee—themselves included. Beyond words, actual conduct matters; mere lip-service has never convinced anyone.
Figuring out “what actually works” may also require a bit of experimentation. Novartis, the pharmaceutical giant, implemented a system where employees are only eligible for bonuses if they meet or exceed expectations of their values and behaviors.
On a more practical level, you should ensure that you deliver training in a way that is easily accessible to employees and engages them in a way resulting in them actually retaining the message. Failing to do so might render training meaningless. In the same vein, using technology to easily collect conflict of interest declarations and signatures on important policies reduces the “annoyance factor” of manual processes and will drive engagement with your compliance efforts.
5. Ensure People Feel Free to Speak Up
A strong ethics and compliance culture in your organization is essential to ensure people feel free to speak up if they see misconduct in the organization. No matter how many procedures you have in place, employees will not feel free to blow the whistle on misconduct in the organization if they are not confident they can do so anonymously and without fear of retaliation.
Unfortunately, even the strongest internal controls can occasionally be circumvented by ill-intentioned employees. Once internal controls have failed, the only defense against the misconduct escalating further is a culture where employees are able to speak up. In an organization with a strong ethics and compliance culture, employees are your allies in ensuring that misconduct, when it does occur, is actually reported.
6. Continuously Monitor and Update Your Compliance Efforts
As your business is continuously changing, your compliance efforts should change in lock-step. It would be a mistake to think of managing compliance risks as a one-time exercise of writing policies and setting up processes. You will only know whether or not your policies and procedures are effective if you evaluate them on a regular basis. Always ask yourself how you can best measure your impact. One key benefit of compliance technology is that it can give you insight into large amounts of data at a glance via useful dashboards and automatically generated reports.
Similarly, compliance officers should periodically ask themselves whether it is time to elevate their compliance program. A good moment to do so can be when the business is about to expand into new high-risk markets or when the business is about to acquire another company. Learn how to build out a strategy to elevate your compliance program by downloading our free Step-By-Step Guide to Elevating Your Compliance Program eBook.
7. Free Up Time and Resources Using Automation
It is evident that managing compliance risks is not an easy task; it requires managing lots of complicated processes, a myriad of stakeholders, as well as fostering a culture of ethics and compliance. However, compliance also involves a number of mundane tasks. Many compliance officers will recognize they waste a lot of time chasing employees for signatures or trying to retrieve records from a multitude of non-centrally stored spreadsheets and documents.
Automating these processes does not only eliminate these frustrations; it can also give you much greater insight into your data, which allows you to improve your program. Moreover, you can use the time freed up to engage in strategic planning, advocate for changes internally to company stakeholders, and conduct in-person training to the most high-risk employees, to name just a few examples.
The Bottom Line
Managing compliance risks is no easy feat; it involves a number of complicated processes as well as a concerted effort to create an ethical culture in order to be successful. We hope the seven pointers above will help you navigate how to best manage the compliance risks in your organization.