Compliance with global laws and regulations poses a significant challenge as organizations grow and enter new markets. Regulatory agencies around the world are now coordinating their enforcement activities and sharing information. In this climate, organizations should consider strengthening their risk assessment process to address a broader spectrum of compliance risk exposure and adopting risk-sensing tools for deeper analysis.
“In today’s environment of global regulatory convergence and the expansion of businesses into new or adjacent industries, the need for a broader view of compliance risk has never been greater,” says Michael Hercz, a director at Deloitte & Touche LLP. “Nevertheless, 36% of companies do not perform an annual compliance risk assessment, according to a survey of 364 risk and compliance professionals conducted by Deloitte & Touche LLP and Compliance Week,” Mr. Hercz notes.
The case for conducting strong compliance risk assessments is underscored by the U.S. Federal Sentencing Guidelines for Organizations, which provide for credit in the form of reduced fines and penalties when an organization found guilty of an offense had an effective compliance and ethics program in place. The UK Bribery Act 2010 contains a similar provision.
To help protect organizations and add value, ethics and compliance professionals need to understand the full spectrum of compliance risks that could impact each part of their organization. “But they shouldn’t stop there,” says Mr. Hercz. “It’s important to assess which risks have the greatest potential for legal, financial, operational or reputational damage and then allocate resources to mitigate those risks.”
Risk Assessment Building Blocks
While every compliance risk assessment is different, the most effective ones have a number of aspects in common, such as clear ownership and transparency. Following are several leading practices:
Gather input from a cross-functional team: A compliance risk assessment requires the participation of deep subject matter specialists from the compliance department and across the enterprise. It is the people living and breathing the business—those in specific functions, business units and geographies—who understand the risks to which the organization is exposed, and can help ensure all key risks are assessed. If the methodology for a risk assessment is designed in a vacuum without consulting the risk owners, the output could lack credibility, and thus hamper implementation of mitigation programs.
Build on what has already been accomplished: Look for ways to leverage existing material, such as enterprise risk assessments, internal audit reports and quality reviews, and integrate compliance risk content where appropriate. Communicate the differences between the compliance risk assessments and other assessments to groups that are being engaged. The output of each risk assessment process should inform and connect with the output of other assessments.
Establish clear risk ownership of specific risks and drive toward better transparency: A well-thought-out compliance risk assessment can help identify those individuals responsible for managing each type of risk, and make it easier for executives to get a handle on risk mitigation activities, remediation efforts and emerging risk exposures.
Make the assessment actionable: The assessment should both prioritize risks and indicate how they can be mitigated or remediated. Remediation actions should be universally understood and viable across borders. The risk assessment findings should be used in operational planning to allocate resources, and they should serve as the starting point for testing and monitoring programs.
Solicit external input when appropriate: By definition, a risk assessment relies on knowledge of emerging risks and regulatory behavior, which are not necessarily well known within the organization. Tapping outside resources can inform the assessment and ensure that it incorporates a detailed understanding of emerging compliance issues.
Treat the assessment as a living, breathing document: Once resources to mitigate or remediate compliance risks are allocated, the potential severity of those risks may change, as will the business environment. Changing conditions should drive changes to the assessment itself.
Use plain language that speaks to a general business audience: The assessment needs to be clear, easy to understand and actionable. Avoid absolutes and complex legal analysis.
Periodically repeat the risk assessment: For compliance risk assessments to be effective on an ongoing basis, they should, at a minimum, be repeated at regular intervals. Between scheduled assessments, it is critical to identify emerging risks and early warning signs through ongoing analysis and environment scanning.
Leverage data: By incorporating and analyzing key data (e.g., hotline statistics, transactional records, internal audit findings, compliance exception reports), organizations can gain a deeper understanding of where existing or emerging risks may reside within the business. Many organizations are considering investments in technology, such as data analytics tools and social media and brand monitoring tools, to help analyze this data and strengthen their risk-sensing capabilities.
Questions to Consider
There are a number of critical questions organizations could potentially ask related to compliance risks and the programs in place to mitigate them:
—What kinds of compliance failures would create significant brand risk or reputational damage? Could the failures arise internally, in the supply chain, or with regard to third parties operating on the organization’s behalf? What is the likely impact of that damage on the organization’s market value, sales, profit, customer loyalty or ability to operate?
—What kinds of compliance missteps could cause the organization to lose the ability to sell or deliver products and/or services for a period of time?
—How should the compliance program design, technology, processes and resource requirements change in light of growth plans, acquisitions or expansions in products, categories or services?
—Is the organization doing enough to inform customers, investors, third parties and other stakeholders about its vision and values? Is it making the most of ethics, compliance and risk management investments as potential competitive differentiators?
—What are the total compliance costs beyond salaries and benefits at the centralized level, and how are costs aligned with the most significant compliance risks that could impact the brand or result in significant fines, penalties and/or litigation?
—How well-positioned is the compliance function? Does it have a seat “at the table” in assessing and influencing strategic decisions?
—What are the personal and professional exposures of executive management and the board of directors with respect to compliance?
The evolving regulatory environment increases most organizations’ vulnerability to compliance risk. This is particularly true for those organizations that operate on a global scale. The complexity of the risk landscape and the penalties for noncompliance make it essential for organizations to conduct thorough assessments of their compliance risk exposure at least annually if not more frequently.
“An effective ethics and compliance risk assessment includes both a comprehensive framework and a methodology for prioritizing risk,” says Maurice Crescenzi, a senior manager at Deloitte & Touche LLP. “With these tools and an understanding of which risks could do most harm, organizations may be better prepared to develop effective mitigation strategies and reduce the likelihood of a major noncompliance event or ethics failure. And that preparedness can set them apart in the marketplace from their competitors.”