Performing a risk assessment is not just the most important thing a compliance officer might do. Usually, it’s also the first thing a compliance officer does, for any risk that comes along.
What is the Purpose of a Risk Assesment?
Compliance professionals must understand what a risk assessment is and how to do it properly. A flawed risk assessment means that a company doesn’t understand the actual risks it faces, and nothing good comes from that. Flawed risk assessments can lead to bad business decisions, regulatory enforcement actions, lawsuits, reputation harm, and innumerable other headaches—including you standing in the unemployment line.
In the simplest definition, a risk assessment identifies potential hazards and analyzes what would happen if that hazard occurs. (Seriously, that’s the textbook definition provided by Ready.gov.) A business might perform risk assessments on everything from a data breach to the failure of critical IT systems, to natural disasters, to poor financial reporting, to anti-bribery processes. Compliance officers can narrow their focus a bit more than that. When we talk about performing a risk assessment, we’re trying to answer two questions:
What do rules, regulations, or internal policies require our company to do? And how well do our business processes fulfill those requirements?
The challenge for compliance officers—and the reason why risk assessments are so important—is that compliance requirements and business processes change constantly. A thorough risk assessment must gauge both things even as they shift, like an equation with two variables. Any change in one variable can have a dramatic effect on the final answer, even if the other holds steady. We can break down that complete process into several smaller pieces.
What are the Steps of a Risk Assesment?
1. Monitoring Changes
First, a company must be able to monitor regulatory changes, since those changes happen all the time. For example, many countries are adopting new whistleblower protection laws. Yes, you need to know what those laws require, but first, you need to know that those laws have changed—which can be a big challenge for some organizations.
Whether you rely on local advisory firms to provide updates, use an automated service, or find some other solution, your company does need to know when applicable laws, rules, and regulations change. Those updates should go to someone in your company who cars, which usually will be you, the compliance officer.
2. Assessing Impact
Second, assess how that new regulation wants your business to change. Sometimes new regulations will require your company to report something: additional data about employees and pay equity, for example. Other regulations might require your company to be able to do something: notify consumers of a breach of personal data within 24 hours; or prevent retaliation against whistleblowers.
3. Determining How to Meet Expectations
Third, determine how well your company can meet those expectations. The important point here isn’t exactly what your answer is; the important point is that you’re sure that answer is accurate.
For example, a company might have an immature due diligence function that is nowhere near able to deliver the third-party due diligence you should perform to comply with the Foreign Corrupt Practices Act. That’s not ideal, but it’s far better to know that your due diligence capability is weak than to believe your capability is strong and be mistaken about that.
4. Developing a Plan to Improve
Fourth, develop a plan to improve any weaknesses in your business processes, to fulfill what the regulations require.
This point can get a bit complicated. For example, if you assess the company’s risks around regulatory reporting and find that you can’t easily file accurate reports on time—you need to improve internal business processes to gather accurate information and file that report. There aren’t too many ways to interpret that task.
On the other hand, many compliance risks are more about the company’s ability to do something to a satisfactory level. That’s a much more grey area. For example, the FCPA requires companies to have internal controls “sufficient to provide reasonable assurance” that company money isn’t going to bribe foreign government officials. Exactly how sufficient and reasonable should those assurances be? The law doesn’t say.
A company could impose draconian controls for ironclad assurance and lower your risk to zero. That’s too much compliance. It would slow your business to a crawl and drive employees crazy. Or you could impose minimal controls and hope regulators never notice. That’s too little compliance—and will come back to haunt you if regulators do knock on your door someday.
The Other Part of Risk Assessment: Know Thyself
A successful risk assessment is also about knowing when and how the company’s own business processes or objectives change. They can be just as urgent and difficult to remediate as any changes in risk that come from outside the company. For example…
- If your company expands the business into a new country, it might face new anti-corruption or data privacy risks.
- If your company offers new products, it might face new ethical sourcing or antitrust risks.
- If your company caters to new customers (selling to government agencies or to high-net-worth individuals), it might face new anti-corruption or anti-money laundering risks.
- If your company adopts new software delivered via the cloud, it might face new cybersecurity or business interruption risks.
In all those cases, the world and all its rules and regulations remain the same. The company itself changes, and that triggers a change in its risks—which should, ideally, lead to a new risk assessment. The steps are essentially the same as outlined above. What’s important is that the compliance department is aware of the company’s changing plans.
The need for risk assessments is only going to increase because the pace of change in the business environment—whether that change comes from outside your organization or within—is only getting faster. That means compliance functions will need to be more adept at risk assessments, compliance officers more knowledgeable in how the assessments should work.
Then, get to it. An accurate risk assessment is the most important thing a compliance officer might do.