Doing the Two-Step: Prioritizing Risks and Allocating Resources
Chief compliance officers face imposing tasks on a daily basis. The tasks often look insurmountable and it is easy for CCOs to just turn away and find a more manageable set of tasks.
Compliance requires resources and those resources are not limitless. In other words, a CCO has to decide how to allocate limited resources. A CCO has to be an efficiency expert, especially when it comes to significant tasks. Large projects are often critical and need to get done. A CCO has to rise to the challenge and come up with a plan.
A CCO lives by defining risks and mitigation strategies. Setting priorities based on risk is an important task. It is important to commit to a fair risk analysis and then act in response to the priority list of risks. But not all risks are the same, and a number 2 risk may be far less significant than a number 1 risk. A CCO has to exercise judgment when prioritizing risks in order to reflect a weighted and prioritized list of risks.
Again, it is important to develop a list of potential risks relating to accomplishment of a company’s code of conduct and compliance with applicable laws and regulations. The CCO’s focus is on those risks that can be mitigated, that is, those under the control or influence of the company.
Setting priorities means understanding the nature of the risk, the likelihood of it occurring, and the possible impact to the company and its key stakeholders. Legal risk is only one part of the equation since we have cultural risks and reputational risks to manage as well.
This is the first step in an important process. We all live by costs and benefits, and risk analysis is critical to a CCO’s ability to tackle a company’s risk profile.
Once a CCO understands and has prioritized the company’s risks, a CCO has to turn to mitigation strategies. Ultimately, the CCO has to develop a plan, one that reflects the company’s available resources.
Again, not all mitigation strategies are the same – one can have high cost and high impact, while another may have low cost and medium impact. If only life and compliance were black and white; instead, we always face grey areas and complex analyses in order to make decisions. This is not something to labor over. Recognizing how decisions need to be made, a CCO has to act and make those judgment calls with the assistance of other compliance stakeholders.
Based on the risk priorities and available resources, the CCO has to design and implement a strategy that maximizes risk mitigation at the most efficient allocation of resources. It is a delicate balancing act but one that can be done with intuitive analysis.
Every CCO knows that a risk assessment is really just a formal way of capturing a profound grasp of obvious risks known to the CCO. The important component of a risk assessment is the analysis of compliance mitigation strategies, how effective compliance resources can reduce risks, and the amount of resources available to do so. The design of the controls can be done effectively and with precision. CCOs have to think creatively and bring resources to bear on risks in a way that reduces such risks without overwhelming allocation of resources.
I often say that intelligent people, no matter what profession, are creative people. The same applies to CCOs and the compliance field. When it comes to risk mitigation, thinking outside the box is critical, and CCOs often know exactly how to do so.
You’re so right; this is why the CCO has to be best friends with not only the audit manager but also the risk manager!
You’re also right about intelligent people also being creative: unfortunately, that also applies to the marketing and engineering staff in the company. The CCO always has to be one step ahead of them!