Forget About a Risk Assessment – Conduct a Risk AND Compliance Program Assessment
A Chief Compliance Officer can get lost in terms, titles, risk management solutions, effective services, magic bullets, absolute requirements and ultimately confusion. Whether the strategy is called lines of defense or some other moniker of professionalism and deep thought, the real work occurs in the trenches and with a practical eye to minimizing risks while protecting the company. When a CCO adheres to common sense and practical solutions, a CCO can succeed. When a CCO wraps him or herself up in trendy or complicated (and meaningless) strategies, they lose sight and flounder.
I do not mean to belittle scholarly and professional contributions. We all play a role in moving the ball, sharing ideas and improving the overall perspective and effectiveness of compliance. No one person or organization holds the keys or even the monopoly to ideas to improve the compliance function.
A skeptical eye is needed whenever someone tells you that some has to be done and done in one particular way. As one of my prior mentors used to say, there is no one way to do something right.
The difficulty in the compliance space, like many others, is that there are many companies and representatives trying to sell so-called compliance products or services. In the marketplace of ideas, this sometimes leads to a skewing of ideas to favor or influence decision makers in the direction of a particular product or service. The key value of compliance professionals is the objectivity with which they face specific issues and need to approach solutions. There is no silver bullet in the marketplace and there never will be – each company has a different set of risks, behaviors, culture and operations unique to itself. Some general ideas can be applied but the fine tuning is ultimately up to the key actors in the company – the CEO, the CCO, the board and individuals responsible for critical functions.
All of this explanation is meant to set up a key question – what is the value and importance of a risk assessment? If a company commits to conducting a risk assessment, should it include an assessment of the compliance program at the same time.
This may sound like I am quibbling over unimportant details but it is something that may be implicit but needs to be explicit. A risk assessment is a very valuable exercise – however, many professionals question whether they really need to conduct one since they already know what the company’s risks are. I wholeheartedly agree with this opinion, if the CCO expresses his/her knowledge and commitment to this issue.
My point adds a little bit to the equation – it is not just understanding, ranking and assessing your risks – a company has to understand how effective its existing compliance program and controls are operating to reduce or mitigate these risks. That is where the rubber meets the road and where an independent analysis can help a company to develop a fresh perspective on its compliance program.
I often criticize costly risk assessment reports that provide glossy charts, graphs and high-level discussions to outline a company’s risks. That is a waste of time and money in my view. CCOs will candidly admit the fancy reports while costly do not really help them understand their compliance program very much.
A comprehensive review and analysis of a company’s risks and its current compliance program controls is a much better vehicle for developing insightful analysis and pointing out practical actions that the CCO can take to improve the company’s compliance program, reduce its risks, and implement an overall effective strategy for managing a compliance program.
My warning is meant to provide cover for CCOs to avoid a long-standing trap in the legal profession. Many General Counsel will admit they hired a big name law firm to conduct an investigation or handle a matter, at considerable expense, as a defensive measure in case someone questions them for failing to focus enough resources to protect the company. It is defensive lawyering rather proactive intelligent decision making.
CCOs have to be careful not to hire big name consultants or firms to provide glossy but impractical reports as a cover, but rather to use their limited resources in the most effective way to implement and maintain an effective compliance program.