The foundation of a good corporate compliance program is a thorough, accurate risk assessment process—and as you may have noticed throughout this past year, assessing compliance risk has become increasingly tricky to do.
Businesses have seen entirely new regulations, such as those related to COVID-19 restrictions on business operations. Or they encountered existing regulations for the first time as they pivoted their operations, perhaps in response to COVID-19 or recession or climate disruptions. Meanwhile, the Justice Department also published new guidance on effective compliance programs, placing even more importance on the need for effective risk assessments.
So as we head in 2021, let’s consider ways to improve your risk assessment. After all, an effective risk assessment doesn’t just placate regulators who might evaluate your program. It helps the compliance program to be a better, more strategic asset to the organization overall.
Remember the Goal of Risk Assessment
For all our talk about how to perform risk assessments, we should never lose sight of the thing your risk assessment is supposed to deliver: a current, complete, accurate risk profile for your organization’s activities.
That assessment should happen at both the “micro-scale” of individual transactions, as well as the “macro-scale” of whole business operations. For example, your due diligence program should be able to assess the risk of specific third party agents in foreign countries; that’s the micro-scale. It should also be able to assess the risk of relying on third party agents as a strategy for driving sales; that’s the macro-scale.
What a compliance officer ultimately wants is an ability to prove that the design and operation of your compliance program make sense, given the risks your organization faces. That can’t happen unless you correctly understand the risks the organization faces, and that understanding can’t happen unless you correctly assess all the risks the organization faces.
So like we said at the beginning: your risk assessment really is the foundation of an effective compliance program. Nothing else will work well if this part is weak.
Where to Begin With Improvement
To improve your risk assessment capabilities, you first need to understand how effective your current risk assessment capabilities are. Some potential questions to consider include:
- How structured and disciplined is your risk assessment? Does it follow certain objective criteria about when and how to perform an assessment, or does it rely on subjective judgment of executives?
- How comprehensive is the risk assessment? For example, can you track all the new regulations that might impose new compliance obligations on your business? Can you assess the operational risks in business processes that might trigger a compliance infraction? Are you strong at some of these challenges, but weak in others?
- How quantitative is your risk assessment? Can you rely on objective criteria to categorize risks as low, medium, or high? Are you able to collect evidence in a reliable, systematic way?
- Do you have clear instructions from the board and C-suite? Senior leaders (ideally, the board) are supposed to set the organization’s risk tolerance and risk priorities. Have those things been done, so your risk assessment can unfold accordingly?
The goal here is a clear-eyed understanding of how well your risk assessment process does or doesn’t work. If your organization has an internal audit function, they would be a great resource to perform this review because they are well-versed in risk assessment, familiar with your operations, and with sufficient objectivity to give you the impartial analysis you need. (Even when you might not love hearing it.) If you don’t have an internal audit function down the hall, you could also consider hiring an outside specialist to review your risk assessment efforts as well.
You don’t necessarily need a formal review of your risk assessment capabilities every year. Once every several years would probably be sufficient (for comparison purposes, the Institute of Internal Auditors recommends that companies get a formal quality assurance review of their internal audit function every five years); or whenever the company undergoes some significant operational change such as a merger or a restructuring.
Practical Steps to Improve Risk Assessment
Compliance officers can also take numerous specific, practical steps to improve risk assessment at any time; you don’t need to delay until you conduct a formal review of the matter once every three to five years. Here are several ideas and best practices you can implement at any time.
1. Involve the Right People
First, strive to involve the right people in the right away. For example, we already mentioned that the board of directors should set the organization’s overall risk tolerance; that helps the compliance officer to understand how many controls to place on various business processes. Likewise, leaders of business operating units should help you to understand how their transactions and processes do or don’t relate to compliance risks the business might have.
Compliance officers can’t assess risk in some theoretical vacuum. You need other parts of the enterprise to contribute their insights, to understand how significant a risk actually is.
2. Design a Risk Assessment Process
Design formal risk assessment processes whenever possible. Recall what we mentioned earlier about subjective judgment versus objective evidence. Whenever possible, you want to move away from the former (“due diligence on our agents in the Far East is weak”) to the latter (“We doubled the number of resellers in Africa over the last three quarters, with no change in our compliance staffing or due diligence budget.”)
These processes should be based on objective criteria such as specific triggering events: mergers, business expansions, changes to compensation plans, and so forth. Or they could be based on certain thresholds defined by key risk metrics: failure rates for certain processes, trends in data across multiple periods of time. The overriding goal is to reduce subjective human judgment as much as possible and therefore reduce the risk of error, fraud, or incompetence in assessing risk.
3. Integrate Compliance Risk Into Strategy
Third, get people to think about compliance risk while setting strategy. This is crucial: senior executives and business operating unit leaders need to think about compliance issues when setting strategy. The best way to do that, of course, is to include the compliance officer in those discussions, so you can raise the subject: “This is an intriguing proposal, but how can we satisfy the new compliance challenges it poses?”
Those other executives might well reply, “That’s your problem to solve.” It’s not an ideal answer, but at least you’re aware of the strategic ideas under consideration. Then you can consider the compliance risks, your resources available to address them, and any residual risk that might linger after you implement any necessary policies, procedures, and internal controls. Regardless of how imperfect that risk assessment approach might be, it’s better than a compliance officer excluded from strategic discussions and acting without sufficient information.
Matt Kelly is an independent compliance consultant and the founder of Radical Compliance, which offers consulting and commentary on corporate compliance, audit, governance, and risk management. Radical Compliance also hosts Matt’s personal blog, where he discusses compliance and governance issues, and the Compliance Jobs Report, covering industry moves and news. Kelly was formerly the editor of Compliance Week. from 2006 to 2015. He was recognized as a "Rising Star of Corporate Governance" by the Millstein Center in 2008 and was listed among Ethisphere’s "Most Influential in Business Ethics" in 2011 (no. 91) and 2013 (no. 77). He resides in Boston, Mass.