COMPLIANCE & RISK / Risk assessment as a foundation of a robust compliance

Excerpt from session:

You can’t mitigate a risk if you don’t know it’s there. Nowadays, organizations are exposed to a greater degree of compliance risk than ever before. Compliance risk is the threat posed to an organization’s financial, organizational, or reputational standing resulting from violations of laws, regulations, codes of conduct, or organizational standards of practice. To understand their risk exposure, many organizations may need to improve their risk assessment process to fully incorporate compliance risk exposure.

Risk assessments take on many forms; some are broad evaluations of compliance or operations risk, while others focus on a particular business unit, project or risk type, like fraud. Organizations' reliance on risk assessments also varies greatly. For some organizations, risk assessments are a necessity, helping them design and implement initiatives in order to meet regulatory requirements and other obligations. For others, risk assessments have been initiated but not leveraged to their full potential. And then there are organizations for which risk assessments still fall in the “nice to have” category—the potential benefit is understood, but the assessment process is delayed due to a lack of resources.

Done right, risk assessments enable an organization to gauge the significance of identified risks and empower leaders to develop risk response plans focused on the organization’s most critical threats and opportunities. Too frequently, though, risk assessments fall short of achieving these goals.

Main Takeaways:

  • Enterprise risk management vs internal audit vs compliance risk assessment
  • Compliance program risk inventory
  • Common risk assessment shortfalls and their remedies
  • Speakers' corner / Preface to session

    ZEC 2018: How is a compliance risk assessment different from other risk assessments?

    Giovanna: A compliance risk assessment is focused on identifying compliance related risks inside the organization. Some of the main objectives of a compliance risk assessment are:

    • identify current internal standards to verify if they are in accordance with law requirements
    • identify potential risks and vulnerabilities in risk areas
    • provide recommendations and action plans to reduce risks
    • identify areas that will have to be monitored closely
    • provide a baseline for future evaluations
    • serve as a baseline for monitoring and auditing plans

    Basically, all areas, activities, policies and procedures that have a legal or regulatory impact must be reviewed.

    ZEC 2018: How should an ethics and compliance risk assessment fit into a broader enterprise-wide risk assessment?

    Giovanna: As mentioned above, the compliance department is focused on specific compliance related risks (for example: antibribery, antitrust and others) and not all kinds of risks that the company might be exposed to. For this reason, it is important that the compliance department communicates regularly with other areas of the company that conduct risk assessments, such as Internal Controls or Audit. The intention is to make sure that the organization has one single enterprise-wide risk-based plan that is comprehensive and can be divided between areas of responsibility. Therefore, no risky area is forgotten, nor is work duplicated unnecessarily. Even though the compliance risk assessment is ideally conducted by the compliance department, it is important that a multidisciplinary team participates in that activity to guarantee a more effective approach. This team can be formed by legal, finance, HR, compliance and operations, which can be the Compliance Committee.

    ZEC 2018: What specific ethics and compliance risks might be considered in performing risk assessment?

    Giovanna: The risks will differ from one organization to another, because it depends on different elements that will be analyzed in the risk assessment, such as: type of business (examples: construction, industry, consulting, etc.); culture of the company when doing business; home country (Corruption Perception Index); size of the company, and others. However, there are some common risk areas that most companies relate to and include in their compliance risk assessments: Third Party relations, Conflict of Interest, Intellectual Property, Data Privacy, Antibribery, Antitrust, Contracts Management, Gifts, Entertainment and Meals, Sponsorships, Travel, Opinion Leaders, to name a few.