The way I see it, many risk assessments are far too backward-looking, making them inaccurate predictors of future risk. Risk assessments ostensibly help the company to prioritize risks that need greater resources, which in turn lessens the focus on those risks that are unlikely to cause big problems. The trouble is, many companies use unhelpful methodologies and lessons learned from the previous year, which fail to give useful forward-looking results. Following are three problematic areas of focus, with suggestions for how to make your annual risk assessment more robust and more likely to create a meaningful roadmap to help prioritize real risk.
Problem No. 1: Compliance Performs the Risk Assessment in a Vacuum
In many companies, compliance is tasked with producing the annual risk report and then presenting it to the C-suite or Board without the input of other functions. Compliance is therefore entirely reliant on their own experiences and the things they have learned during the past year. This makes the risk assessment limited in scope and understanding.
A better way of performing a risk assessment is to involve multiple stakeholders from different areas of the business in order to get a full picture of where each function sees risk, problems and opportunities. Compliance professionals will do themselves a big favour if they request input from:
- Human Resources
Each of these functions will have their own idea of where the greatest risks lie. You can send representatives of each function a short survey, an email questionnaire or request a 15-minute phone conversation. You can then take this information into account to create a risk assessment that responds to a more informed view of the business.
This multi-disciplinary approach to the risk assessment not only creates a more balanced risk assessment, but it lays the groundwork for better collaboration between Compliance and the other functions throughout the year when they come across compliance-related issues. The more Compliance can interact with other areas of the business, the more effective compliance can be.
Problem No. 2: Risk Assessments are Focused on Lessons Learned and Current Laws
Many risk assessments are simply updated year-on-year without much thought about the methodology utilized. Every year the Compliance Department should begin the risk assessment process by determining whether the methodology utilized in prior years still makes sense. As regulations increase and the scope of risk embraced by compliance expands, risk assessment methodologies and risk categories should be reviewed before the risk assessment is undertaken in order to determine whether the prior year’s methodology and categories are rigorous enough for this year.
Once the methodology and risk categories are reviewed, Compliance needs to take a forward-looking approach to the risks the business will face in the upcoming year. To be effective this requires consideration of multiple things, for instance:
- Are there new sales initiatives planned that will create new risk areas or heighten existing risks?
- Are there draft laws or regulations which are likely to come into force which will significantly increase penalties for failure?
- Are there mergers, acquisitions, investments or other activities planned or considered by the business which will require additional compliance-related resources or create greater risk than currently exists?
To be fully effective, Compliance needs to use the answers provided by their discussion with the other functions to complete the risk assessment. Compliance should also consider talking to outside counsel or reviewing the updates provided by many law firms to help them to plan responses to upcoming regulations.
It is tempting to carbon-copy last year’s risk assessment, but a proper risk assessment requires a thorough review of the upcoming year with fresh eyes and potentially new methodology.
Problem No. 3: Too Much Focus on Metrics
Let’s face it: boards and members of the C-suite love metrics. There is something soothing about providing a graph or Excel report showing an increase in calls to the whistle-blower hotline year-on-year or the completion rate of mandatory training hitting 99%. But over-reliance on these metrics provides an empty-calorie version of the risk assessment. It may taste good at the time, but ultimately it provides no nutrition to carry you through the year.
Over-reliance on metrics gives a false sense of understanding about the program and where it is going or how effective it is with respect to critical things like culture. We need to balance the reporting on metrics with things like:
- Survey results regarding culture and perceptions of ethics at the company.
- Case studies where things went well and badly with respect to ethics at the company the previous year.
- Review of human resources complaints or resolution of representative calls to our whistle-blower hotline.
- Review of the engagement survey results in the context of the metrics.
- Review of press coverage of the company in the context of culture and ethics.
Review of these types of materials will help to round out the metrics discussion with human information, which should bring the metrics-related information to life. Risk assessments that focus entirely on metrics and big data analytics miss the human and cultural element, which frequently provides a better diagnosis of the company than any Excel spreadsheet ever could.
To be effective, risk assessments need to be forward-looking vehicles based on good data and a holistic view of the business. Compliance can’t do this by itself, and it can’t do this by using only metrics and backward-looking lessons learned. Engage with the other functions, focus on what is coming, and use human and culture-related information to inform your risk assessment so it will help you through the whole year.