Quick question: which of the following is riskier? Having a risk assessment sitting in a drawer, untouched, or not having a risk assessment at all? This is a trick question. Either is a recipe for disaster. It’s easy to commit to performing a risk assessment, but execution is frequently harder than anticipated.
By: Kristy Grant-Hart
The word “risk” appears 56 times in the 20 pages of the U.S. DOJ’s guidance on the evaluation of corporate compliance programs. That’s more than twice per page. The phrase “risk assessment” appears eight times, and “risk-based” four. The DOJ instructs prosecutors to evaluate whether a risk-based approach was taken with respect to training, third-party due diligence, integration into enterprise risk, and the program as a whole.
How can you prove a risk-based approach without a written risk assessment?
Answer: you can’t. When a prosecutor arrives and begins questioning the compliance and management team on how decisions were made, the prosecutor will expect that the answers will flow from a documented, well-thought-out risk assessment. Indeed, “Prosecutors may credit the quality and effectiveness of a risk-based compliance program that devotes appropriate attention and resources to high-risk transactions, even if it fails to prevent an infraction.”
Risk Assessment Isn’t Just Meant to Protect from Prosecution
Hands up anyone who has all the financial, human, temporal, and technological resources they need to run their program with maximum effectiveness. Right. A risk-based approach is critical because it allows you to allocate limited time and money to the highest-risk areas of the business. If there isn’t a proper evaluation of the risks facing the business, there can’t be a systematized, defensible way of designing your program.
Top Tips for Risk Assessment Success
The basic flow of any risk assessment is the same: (1) scoping, (2) document collection, (3) interviews, (4) regulatory review/benchmarking, (5) choosing a methodology and evaluating risk, (6) writing the report and creating the heat map, and (7) applying the risk-based approach to the rest of your program. The steps may be the same, but the way you execute them makes all the difference.
Scoping: The Most Important Step
If a risk assessment isn’t properly scoped, it is likely to fail. It will either spiral out of control and be unmanageable or not properly capture the risks facing the business. Getting the scope right will enable you to ask for the right documents, set up the right interviews, review the correct regulatory guidance, benchmark against the right sources, evaluate risk correctly, and apply the right risk-based approach to the rest of your program. Scoping sounds easy, but frequently isn’t.
There are two basic types of risk assessments. The first reviews multiple types of risk against each other. For instance, a multi-subject risk assessment may evaluate the company’s bribery risk against its trade sanctions, antitrust/competition, data privacy, and modern slavery risk. The second type reviews one type of risk in depth, such as bribery or money laundering.
Below you’ll find five top tips for scoping your risk assessment. The first two tips relate solely to multi-subject risk assessments, the third solely to single-subject risk assessments, and the last two apply to both types.
Top Tip One: Don’t Go Outside the Scope of Your Program (if you can help it)
If you have a specific scope for your program, don’t go outside of that scope. For instance, if you’ve been assigned bribery, trade sanctions, and privacy, don’t add competition to your review. There are two reasons for this. The first is that you don’t want to rely on other functions to help you to complete your risk assessment. You want to control the pace and evaluation of the risk. Second, if your recommendations impact other departments, you may end up with a turf war on your hands when you try to implement them. If you stick to the areas you alone control, your risk assessment process will be much easier.
That said, there may be areas you can’t control alone. For instance, if you work with a cross-functional group for modern slavery prevention, you may have to include other functions in the review. This may include Sustainability/Corporate Social Responsibility, Procurement/Supplier Management, Legal, and Manufacturing. If you must include a risk area with multiple stakeholders, try to keep your recommendations to actions that Compliance can drive alone.
Top Tip Two: Don’t Choose Too Many Risks to Evaluate
For many, there is a temptation to boil the ocean when it comes to their compliance risk assessment. It’s hard to limit the scope because there is always the fear of missing something important. The risk assessment scoping process itself requires a risk-based approach. Ensure the inclusion of the true compliance-related risks, and discard any other risk that is tangential. Too many risks will muddy your capacity to obtain the right documents and focus the interviewees’ attention. Sprawling risk assessments that take a year or more to complete aren’t useful.
Top Tip Three: For Single-Subject Risk Assessments, Don’t Choose Too Many Sub-Risks
When you’re performing a deep dive into a single risk area, you’ll typically review known patterns of misconduct, then look for those areas of risk in your business. For instance, if you’re performing a bribery risk assessment, you may look specifically at (1) gifts and hospitality, (2) political donations, (3) charitable donations, (4) use of sales agents, (5) the third-party due diligence program, (6) interactions with government officials, and (7) inherent risk in the jurisdiction/CPI score. Hundreds of fact patterns exist in bribery cases, and regulators throughout the world have issued guidance about what to look out for. Choose the highest-risk or most common patterns in your industry, define them specifically, and then make that the scope of your single-subject risk assessment.
Top Tip Four: Be Specific About the Risk Scope
Be specific when scoping your risk assessment. Name the exact geographies, regions, business units, and/or business segments you will be reviewing. Name the risks explicitly. If you’re reviewing data privacy, does that include cybersecurity or not? If you’re looking at trade sanctions, does that include import/export, or is that a separate risk at your company? Be specific from the beginning so you know where to target your attention.
Top Tip Five: Know When You Need More Than One Risk Assessment
If your risk assessment is evaluating more than five geographical regions, business units, or business segments, you need to do more than one risk assessment. It is acceptable to perform three or four risk assessments, then aggregate the findings for an overall risk assessment. Trying to cram too many regions or business units into one risk assessment will disperse your energy in too many directions. It may also make evaluation difficult, and recommendations too wide-reaching. If you have more than five areas to evaluate, chunk down the risk assessment process into more manageable pieces.
Scoping a risk assessment properly is the key to the rest of the process. By getting the scope right in the beginning, your end product will be more effective.
Kristy Grant-Hart is the CEO of Spark Compliance Consulting, a London-, Los Angeles-, and Atlanta-based group. She is the author of the best-selling book, “How to Be a Wildly Effective Compliance Officer.”