Risk assessment is both an art and a science. Many compliance officers avoid it, whether consciously or subconsciously. It makes us uncomfortable to determine probability and impact because, although we have information, there will always be a subjective element in the evaluation.

How can you prove a risk-based approach without a written risk assessment?
Answer: you can’t. When a prosecutor arrives and begins questioning the compliance and management team on how decisions were made, the prosecutor will expect the answers to flow from a documented, well-thought-out risk assessment. Indeed, the DOJ’s Evaluation of Corporate Compliance Programs guidance says, “Prosecutors may credit the quality and effectiveness of a risk-based compliance program that devotes appropriate attention and resources to high-risk transactions, even if it fails to prevent an infraction.”
Risk Assessment Isn’t Just Meant to Protect from Prosecution
Hands up anyone who has all the financial, human, temporal, and technological resources they need to run their program with maximum effectiveness. Right. A risk-based approach is critical because it allows you to allocate limited time and money to the highest-risk areas of the business. If there isn’t a proper evaluation of the risks facing the business, there can’t be a systematized, defensible way of designing your program.
Scoping: The Most Important First Step
If a risk assessment isn’t properly scoped, it is likely to fail. It will either spiral out of control and be unmanageable or not properly capture the risks facing the business. Getting the scope right will enable you to ask for the right documents, set up the right interviews, review the correct regulatory guidance, benchmark against the right sources, evaluate risk correctly, and apply the right risk-based approach to the rest of your program. Scoping sounds easy, but frequently isn’t.
There are two basic types of risk assessments. The first, a multi-subject risk assessment, reviews several types of risk against each other. For instance, it may evaluate the company’s bribery risk against its trade sanctions, antitrust/competition, data privacy, and modern slavery risk. The second, a single-subject risk assessment, reviews one type of risk in depth, such as bribery or money laundering.

Top Tip One: Don’t Go Outside the Scope of Your Program (if you can help it)
If you have a specific scope for your program, don’t go outside of that scope. For instance, if you’ve been assigned bribery, trade sanctions, and privacy, don’t add competition to your review.
There are two reasons for this. The first is that you don’t want to rely on other functions to help you to complete your risk assessment. You want to control the pace and evaluation of the risk. Second, if your recommendations impact other departments, you may end up with a turf war on your hands when you try to implement them. If you stick to the areas you alone control, your risk assessment process will be much easier.
That said, there may be areas you can’t control alone. For instance, if you work with a cross-functional group for modern slavery prevention, you may have to include other functions in the review. This may include Sustainability/Corporate Social Responsibility, Procurement/Supplier Management, Legal, and Manufacturing. If you must include a risk area with multiple stakeholders, try to keep your recommendations to actions that Compliance can drive alone.
Top Tip Two: Don’t Choose Too Many Risks to Evaluate
For many, there is a temptation to boil the ocean when it comes to their compliance risk assessment. It’s hard to limit the scope because there is always the fear of missing something important.
The risk assessment scoping process itself requires a risk-based approach. Include the true compliance-related risks and discard any risk that is merely tangential. Too many risks will dilute your ability to obtain the right documents and to focus the interviewees’ attention. Sprawling risk assessments that take a year or more to complete aren’t useful.
Top Tip Three: For Single-Subject Risk Assessments, Don’t Choose Too Many Sub-Risks
When you’re performing a deep dive into a single risk area, you’ll typically review known patterns of misconduct, then look for those areas of risk in your business. For instance, if you’re performing a bribery risk assessment, you may look specifically at (1) gifts and hospitality, (2) political donations, (3) charitable donations, (4) use of sales agents, (5) the third-party due diligence program, (6) interactions with government officials, and (7) inherent risk in the jurisdiction, for example as indicated by its Corruption Perceptions Index (CPI) score.
Hundreds of fact patterns exist in bribery cases, and regulators throughout the world have issued guidance about what to look out for. Choose the highest-risk or most common patterns in your industry, define them specifically, and then make those the scope of your single-subject risk assessment.
Top Tip Four: Be Specific About the Risk Scope
Be specific when scoping your risk assessment. Name the exact geographies, regions, business units, and/or business segments you will be reviewing. Name the risks explicitly. If you’re reviewing data privacy, does that include cybersecurity or not? If you’re looking at trade sanctions, does that include import/export, or is that a separate risk at your company? Be specific from the beginning so you know where to target your attention.
Top Tip Five: Know When You Need More than One Risk Assessment
If your risk assessment is evaluating more than five geographical regions, business units, or business segments, you need to do more than one risk assessment. It is acceptable to perform three or four risk assessments, then aggregate the findings for an overall risk assessment. Trying to cram too many regions or business units into one risk assessment will disperse your energy in too many directions. It may also make evaluation difficult, and recommendations too wide-reaching. If you have more than five areas to evaluate, chunk down the risk assessment process into more manageable pieces.
Scoping a risk assessment properly is the key to the rest of the process. If you get the scope right at the beginning, your end product will be more effective.
Want help with your risk assessment? Feel like you’d benefit from having an outside point of view? How about outsourcing it? Write me for more information at kgranthart@diligent.com.