Performing a compliance risk assessment is not just the most important thing a compliance officer might do. Usually, it’s also the first thing a compliance officer does, for any hazards or risks that come along.
What Is a Compliance Risk Assessment?
Compliance professionals must understand what a compliance risk assessment is and how to do it properly. A flawed risk assessment process means that a company doesn’t understand the actual risks it faces, and nothing good comes from that. Flawed risk assessments can lead to bad business decisions, regulatory enforcement actions, lawsuits, reputation harm, and innumerable other headaches—including you standing in the unemployment line.
In the simplest definition, a risk assessment identifies potential hazards and analyzes what would happen if that hazard occurs. (Seriously, that’s the textbook definition provided by Ready.gov.) Hazard identification is a critical step that should not be overlooked. A business might perform risk assessments on everything from a data breach to the failure of critical IT systems, to natural disasters, to poor financial reporting, to anti-bribery processes. Compliance officers can narrow their focus a bit more than that. When we talk about performing a compliance risk assessment, we’re trying to answer two questions:
What do rules, regulations, or internal policies require our company to do? And how well do our business processes fulfill those requirements?
The challenge for compliance officers—and the reason why risk analysis is so important—is that compliance requirements and business processes change constantly. A thorough risk assessment must gauge both things even as they shift, like an equation with two variables. Any change in one variable can have a dramatic effect on the final answer, even if the other holds steady. We can break down that complete process into several smaller pieces.
Why Conduct a Compliance Risk Assessment?
There are many reasons your organization should conduct a compliance risk assessment. These include:
- To identify and mitigate risks and to comply with relevant laws and regulatory standards. In turn, reducing or preventing potential penalties, fines, or reputational damage.
- For operational efficiency. To lead more efficient business processes alongside proactive allocation of resources to manage or mitigate those risks.
- To prevent lost revenue due to business disruptions and avoid any potential financial risk.
- To support strategic decision-making, utilizing the insights from a compliance risk assessment to ensure all changes are fully informed.
- To foster a culture of compliance, where employees and management are engaged, and the process is embedded within daily operations.
How Do Compliance Risk Assessments Differ from Other Risks?
Compliance risk assessments differ from other risk assessments as they focus primarily on regulatory requirements that your organization needs to comply with from a legal perspective. While all risk assessments share the common goal of finding and managing potential threats to an organization, compliance risk assessments have a legal and regulatory compliance focus.
Other risk assessments are managed outside of the compliance department and usually sit with the C-suite, such as the Chief Information or Chief Financial Officer.
Other risks may focus more on broader operational, financial, or strategic risks that inhibit the organization from achieving its objectives, financial stability, or operational effectiveness. Response to other risks may also differ, involving tactics such as risk avoidance, risk transfer, mitigation, and acceptance.
Compliance risks, on the other hand, focus on implementing controls and procedures designed to adhere to laws and regulations.
What are the Steps of a Compliance Risk Assessment?
1. Monitoring changes
First, a company must be able to monitor regulatory changes, since those changes happen all the time. For example, many countries are adopting new whistleblower protection laws. Yes, you need to know what those laws require, but first, you need to know that those laws have changed—which can be a big challenge for some organizations.
Whether you rely on local advisory firms to provide updates, use an automated service, or find some other solution, your company does need to know when applicable laws, rules, and regulations change. Those updates should go to someone in your company who cars, which usually will be you, the compliance officer.
2. Assessing impact
Second, assess how that new regulation wants your business to change. Sometimes new regulations will require your company to report something: additional data about employees and pay equity, for example. Other regulations might require your company to be able to do something: notify consumers of a breach of personal data within 24 hours; or prevent retaliation against whistleblowers.
3. Determining how to meet expectations
Third, determine how well your company can meet those expectations. The important point here isn’t exactly what your answer is; the important point is that you’re sure that answer is accurate.
For example, a company might have an immature due diligence function that is nowhere near able to deliver the third-party due diligence you should perform to comply with the Foreign Corrupt Practices Act. That’s not ideal, but it’s far better to know that your due diligence capability is weak than to believe your capability is strong and be mistaken about that.
4. Developing a plan to improve
Fourth, develop a plan to improve any weaknesses in your business processes, to fulfill what the regulations require.
This point can get a bit complicated. For example, if you assess the company’s risks around regulatory reporting and find that you can’t easily file accurate reports on time—you need to improve internal business processes to gather accurate information and file that report. There aren’t too many ways to interpret that task.
On the other hand, many compliance risks are more about the company’s ability to do something to a satisfactory level. That’s a much more grey area. For example, the FCPA requires companies to have internal controls “sufficient to provide reasonable assurance” that company money isn’t going to bribe foreign government officials. Exactly how sufficient and reasonable should those assurances be? The law doesn’t say.
A company could impose draconian controls for ironclad assurance and lower your risk to zero. That’s too much compliance and too much risk control. It would slow your business to a crawl and drive employees crazy. Or you could impose minimal controls and hope regulators never notice. That’s too little compliance—and will come back to haunt you if regulators do knock on your door someday.
The Role of Compliance Risk Assessments in Evolving Businesses
A successful risk assessment is also about knowing when and how the company’s own business processes or objectives change. They can be just as urgent and difficult to remediate as any changes in risk that come from outside the company. For example…
- If your company expands the business into a new country, it might face new anti-corruption or data privacy risks.
- If your company offers new products, it might face new ethical sourcing or antitrust risks.
- If your company caters to new customers (selling to government agencies or to high-net-worth individuals), it might face new anti-corruption or anti-money laundering risks.
- If your company adopts new software delivered via the cloud, it might face new cybersecurity or business interruption risks.
In all those cases, the world and all its rules and regulations remain the same. The company itself changes, and that triggers a change in its risks—which should, ideally, lead to a new risk assessment. The steps are essentially the same as outlined above. What’s important is that the compliance department is aware of the company’s changing plans.
The need for compliance risk assessments is only going to increase because the pace of change in the business environment—whether that change comes from outside your organization or within—is only getting faster. That means compliance functions will need to be more adept at risk assessments, compliance officers more knowledgeable in how the assessments should work.
Then, get to it. An accurate compliance risk assessment is the most important thing a compliance officer might do.
Matt Kelly is an independent compliance consultant and the founder of Radical Compliance, which offers consulting and commentary on corporate compliance, audit, governance, and risk management. Radical Compliance also hosts Matt’s personal blog, where he discusses compliance and governance issues, and the Compliance Jobs Report, covering industry moves and news. Kelly was formerly the editor of Compliance Week. from 2006 to 2015. He was recognized as a "Rising Star of Corporate Governance" by the Millstein Center in 2008 and was listed among Ethisphere’s "Most Influential in Business Ethics" in 2011 (no. 91) and 2013 (no. 77). He resides in Boston, Mass.