In my last post, I discussed the purpose of a compliance program: to ensure that your organization complies with the laws and regulations that apply to it. However, this post answers a more nuanced question. How much effort should a company put into effective compliance? That’s what a compliance risk management framework tries to answer.
After all, even with unlimited budget and resources (which you’ll never have anyway), no company can achieve perfect compliance with all regulatory burdens at all times. Some mistake is bound to happen eventually. The goal is to reduce the operational risk of non-compliance down to levels acceptable to your board and your regulators.
Compliance risk management is the art of managing the risk of non-compliance as best as possible, given the resources your compliance program has and the regulatory obligations your company faces.
As you might guess, companies can achieve practical, effective compliance risk management in any number of ways. One doesn’t buy a standard-issue compliance risk management program that can fit all firms across all industries. You build one, based on your firm’s own business processes, employees, and regulatory compliance concerns.
So the question to ask about compliance risk management isn’t, “Where do I get that?” The question is, “What should compliance risk management do?” — and then several points emerge.
Understanding the Risks of Non-Compliance
First, compliance officers need to understand where the risks of non-compliance for your business truly reside. Some are more prevalent than others, and those become the compliance risks your program should address first and most aggressively.
For example, two cornerstones of effective FCPA compliance are due diligence of third parties and training employees on the anti-bribery policy. A compliance program should include both, but not necessarily to the same extent; it depends upon your business model. A firm that uses local agents extensively might invest heavily in due diligence, while another that uses employees in a direct sales model might spend more time on training and enforcement of gifts and entertainment policy.
So the first step in strategic risk management is to understand what your compliance risks really are, and how they come to be.
Setting Your Risk Tolerance
Second, understand what your company’s tolerance for a compliance risk is. The greater its tolerance for a risk, the less exacting your compliance policies and procedures need to be.
Risk tolerance can be a fuzzy concept, so the internal control community devised a more precise phrase: “acceptable variation from a performance goal.” That’s the standard you want stuck in your head as you design policies, procedures, and internal controls: how much can company transactions or employee behavior deviate from the goal before senior management intervenes?
For example, the company might have a policy that no local distributors receive discounts or credit notes that can later be converted into cash (a common way for distributors to pay bribes). Do you want no variation from that goal, with 100 percent compliance? That’s possible, but it requires exacting corporate accounting controls and willingness to fire anyone who violates the policy. Would you live with a failure rate of 1 percent or 5 percent — or different failure rates for resellers in high- and low-risk markets?
Every company will find its own correct answer. The point is that every company must answer it, or you will not know how many compliance policies and procedures to establish.
Align Compliance Processes and Risks
Third, ensure that the compliance processes you have are on pace with compliance risks. That is the art of risk management: it is a fluid thing, where the mechanisms to manage risk change as the risk does.
For example, if your firm hardly ever sells to foreign governments, your anti-corruption risks are low, and perhaps you could survive with a manual approach to due diligence. Then new senior management arrives, or the company acquires a new subsidiary or expands into a new product line, where selling to foreign governments becomes a priority.
Your compliance risks have increased, so you need to ensure that your processes to manage that compliance risk are up to the task. A manual approach might no longer work, because you have so much due diligence to do that employees would be overwhelmed, and not do it. Suddenly an automated approach becomes more sensible.
That’s compliance risk management: ongoing, shifting, constant. The objective isn’t to eradicate all your compliance concerns forever; that’s impossible. You just need to do the best you can with the resources you have — so a keen understanding of where your company’s risks come from, and how much it wants to quell them, is essential.