Have you risk assessed the risk assessment on how you assessed your risks?!
I was recently advised to document the basis for the compliance program. Immediately I reached for the risk assessment that we have carefully documented over the course of years. But that risk assessment, covering six regions as well as at corporate level, was not what the adviser wanted to see. They wanted a high level explanation for why we implemented our program.
How can it be right that if you have explained your business, the risks you face and the contexts in which you operate down to significant detail, you still need to put in place a one-pager explaining why you decided to start a program? Can you imagine such a document being provided as evidence in court? Can you imagine a prosecutor reading such a document and deciding not to pursue a matter?
That there is misunderstanding about risk assessments, even amongst experts, is no surprise. And that makes it more important to talk about them.
Sharing assessments can be difficult, particularly in the risk-averse world of compliance. They detail some of your most private fears for a company. (As a side note – sharing internally is a must. If you don’t talk about and manage the risks, what is the point?)
There is no set standard for how to identify, document, act on and mitigate risks. Guidance is pretty vague. Even if there were such a standard, one-size-fits-all would render it useless. All we have to go on is the “adequate procedures” guidance from the UK Ministry of Justice (UK Bribery Act), DoJ and SEC (FCPA) and a handful of other jurisdictions. As I’ve written before, in Norway there is virtually no help in this area.
How to attack a risk assessment can be daunting. Some of the questions that come up are:
Do you adopt a divisional, regional or functional structure?
Does your company have sufficiently mature processes that you can use them as the basis for risk identification?
If not, what does this mean for integrating and embedding compliance in the business?
How do you collect and aggregate the risks into the right level for management and board evaluation?
Is there enough structured data on the supply chains, JVs, subsidiaries, business partners, etc to make meaningful assessments of the risks involved?
How do you make the risk assessment useful if there is actually a serious incident?
How detailed are the risks to be documented? What about the actions and their owners?
How does the compliance risk assessment fit into the ERM process?
Your compliance officer knows the answers to all of these, and should be front and centre to making sure that the risk assessment is properly taken care of.
For the advisers, ensure you have a coherent methodology and approach before making recommendations. Risk-based approaches are meant to save time, prioritise issues and allocate resources efficiently. Poor recommendations about risk assessments make a risk-based approach all the more difficult.