You need risk assessment
Why do I need risk assessment, many company leaders ask me. My answer: whether your company is large or small to medium-sized, you should invest time and effort into it, because no amount of policy, procedure, internal control, or tone at the top will accomplish much if those tools address the wrong risks in the wrong way, or if the risks themselves were misunderstood in the first place.
That said, performing effective risk assessments can be a difficult art to master. The very phrase, “compliance risk assessment”, can encompass a dizzying range of risks:
* anti-bribery,
* whistleblower retaliation,
* data privacy,
* cyber security,
* workplace harassment,
* anti-competition,
* product safety, and much more.
And within each of those risks are more risks to assess. Consider anti-bribery alone:
* What are the company’s risks from third parties?
* What are the risks of poor due diligence?
* What are the risks that compensation schemes will lead sales agents to bribe their way to a performance bonus?
* What are the risks that internal controls won’t detect bribery payments?
That complexity is now a permanent fixture of corporate compliance and risk management programs. More risks will emerge in the future, whether they come from business operations, government regulation, or external forces. All of this drives the imperative for astute risk assessments—performed with rigor, following an efficient methodology, and embracing flexibility to meet whatever new risk is barreling up the audit committee’s agenda.
The question then arises: who will perform risk assessments?
No single best practice exists for this question, and even evidence of common practice is hard to find. For example, Deloitte’s Compliance Trends Report from 2015 (which surveyed more than 350 compliance and audit executives) asked whether the compliance risk assessment was done as a stand-alone exercise; in conjunction with internal audit’s enterprise risk assessment; or in some other format. The respondents split exactly one-third for each choice.
NEXT QUESTION: HOW TO PERFORM RISK ASSESSMENT?
Once you (hopefully) decide who undertakes the compliance risk assessment, the assessment itself should follow a proven methodology, so compliance and audit teams do not waste time deciding how to perform the assessment. Yes, every risk will need an assessment tailored to its specific details, but a standard methodology provides the “muscle memory” that lets assessment teams do that tailoring quickly. On a practical level, compliance officers (if you have one or can find one) have no shortage of materials to meet that need: templates, questionnaires, checklists, flowcharts, process guides. Many of those materials trace their lineage back to the internal audit field, with its lengthy experience in enterprise risk assessment. Most are sturdy tools that can walk a compliance team toward some final report or conclusion, no matter what risk information is fed into the tool at the start.
Whatever methodology you use, the true challenge is to set a clear scope for the risk assessment. That is, define the risk to be assessed, and the parts of the organization to be assessed, as precisely as possible. Only then can the assessment produce a useful result. Or to put it more plainly: a compliance risk assessment will not give the right answers if you start by asking the wrong questions. A poorly scoped risk assessment might only tell you what you already know. Worse, a poorly scoped assessment could lead to misjudgments about risk. That, in turn, might leave the company with greater exposure to a risk than it believes (under-compliance); or prompt it to implement policies and procedures it doesn’t need (over-compliance).
As mentioned above, a “compliance risk assessment” can encompass almost anything. The key is to define what you want it to mean in this specific instance; then identify the best people to lead the assessment; and use a proven methodology to work through the assessment itself.