Focused Risk Assessments
The most common refrain in compliance parlance is “tone-at-the-top.” It may be overused. Where the rubber meets the road for every compliance program is in the risk assessment. Howard Sklar had a recent post on the subject emphasizing the importance of a continuous risk assessment. He was right on point. Building an effective risk assessment model and continuous review process is essential to overall compliance and can minimize or even eliminate risks which would otherwise develop.
My approach to risk assessment starts with a broad view of an organization and then depends on telescoping into various sectors of the organization – I call it “focused assessments.” I like to start at the 1000 foot level and work my way down. To accomplish this, it is important to meet and interview key players in the business. A risk assessment requires a solid understanding and picture of the company’s business operations. This perspective is gained through interviews and from reviewing as much information as you can about a business, including all existing compliance and employee conduct manuals.
Anyone who tells you that they have a standard procedure for conducting risk assessments is definitely off course. There is no one way to get at the problem. It varies across organizations and the number of ways to identify, monitor and respond to risks varies in the same way.
With an open-minded perspective, I like to meet with and interview as many key business people as possible – not just your typical players, the CFO, auditor, regulatory managers or legal staff. It is important to talk to as many business managers as you can, in as many countries or regions as possible. Most of these interviews occur on the telephone and not face-to-face because of the expense. The more people I talk to at a business, the more I learn and most importantly, the more I gain a good feel for the company and its compliance fiber. Tone at the top is important but so is tone in the middle.
This learning process is fascinating. No two companies are alike. As you dig down into the company, the issues come into focus –
1. How are risks identified (if at all)?
2. Who is responsible for identifying, measuring and responding to such risks?
3. How is compliance perceived within the organization?
4. What procedures, if any, are in place to ensure the process?
5. How do these procedures coordinate or interact with financial controls?
6. How is compliance communicated to senior management and employees?
7. How active a role does the Board of Directors or the Audit committee take in monitoring compliance and financial controls?
8. How do reporting responsibilities work (or are supposed to work)?
9. How is information captured, measured and reported? What kinds of information are available and who reviews them?
10. How has compliance changed with the business changes in the company?
The learning process leads to a very clear picture. With this picture, the inquiry into the standard set of risks facing every organization can be incorporated into the analysis. In the macro-down-to-micro process, it is easy to examine and assess the specific industry risks (in each country or region), the level of government interactions, especially those with regulatory agencies, the use of third parties, the handling of gifts, meals and entertainment expenses, the giving of charitable donations or political contributions, and the many other varieties of potential risk-creating activities.
In most situations, the risk assessment inquiry leads to a long list of recommendations and tasks to help the company. The challenge becomes how to prioritize the project into a manageable timeline, taking into account your role in the overall business organization, the need to build alliances within the organization to accomplish the tasks and implement the recommendations and the importance of buy-in from the key players and eventually the organization itself. Diplomacy, as always, is a skill which will come in handy when addressing these critical compliance issues.