Are Risk Assessments Just a Report on the Obvious?
If you give a Chief Compliance Officer truth serum and ask him/her whether a risk assessment is valuable, what do you think the CCO would say?
Let’s start with the cynical side – not that I am a pessimist. Many CCOs will candidly tell you that a risk assessment provides them with a colorful and expensive report on the company’s risks that contains no new information about the company’s risk profile. Frankly, CCOs will say they already know and understand the company’s risk profile. The bottom line is that a risk assessment is not a high priority for these CCOs.
CCOs face a difficult quandary because they have to document that the company’s compliance program is tailored to a risk assessment, or some analysis of the company’s risks. For smaller companies, I have seen many innovative approaches to a risk assessment, including informal roundtable discussions with key stakeholders, group discussions, interviews, surveys and other information gathering procedures.
These strategies, however, do not work well in larger organizations with complicated risk profiles across businesses and geographic operations. A risk assessment process is much more cumbersome in larger organizations but can be focused on key risks surrounding foreign government interactions and touch points.
On the positive side, a risk assessment can be quite valuable. Whenever my firm has conducted a risk assessment, we have worked closely with the CCO and his/her staff. The CCO often attends most of the interviews, if available, and finds the process to be informative. I am always surprised by how much a CCO learns through the process. Further, the risk assessment process inevitably unearths some risks that a CCO may not have identified, usually less significant risks but nonetheless worthy of analysis.
A risk assessment also can be valuable if it includes an assessment of the company’s compliance program. After understanding the company’s risk profile, it is important to evaluate how the company’s existing compliance controls mitigate the current risks so that a gap analysis is completed. The combination of a risk and a compliance program assessment is much more relevant to a CCO and provides a specific action plan for minimizing any gaps between risks and compliance controls.
It is easy to launch into a criticism of a CCO who does not understand or know about all of the risks he/she faces in the company. Before doing so, however, consider that a CCO rarely can devote the time and attention needed to conduct a risk assessment, “learn” every aspect of a company’s operations, develop a risk profile and rank the relevant risks.
As a result, CCOs often rely on law firms or consultants to conduct the risk assessment, tag along where they can to learn about the business, and support a risk and compliance program assessment.
CCOs who are building a compliance program often struggle with the question of whether to conduct a risk assessment or work on a due diligence system where they know that third party risks are the company’s most significant risk. There is no one answer to the question – companies that have a fairly straightforward risk profile, and are relatively small, may need to focus on due diligence initially and then return to the risk assessment process after building a due diligence system.
When balancing priorities and projects, CCOs always have to consider the size of the organization, the nature of the company’s risks, the available resources, and mitigating the most significant risks. In many cases, a CCO has a firm understanding of the company’s risk profile and can return to the formal risk and compliance program assessment process after addressing some significant risks. Such a two-step process may be a more appropriate solution given the size of the company, the nature of its risks and available resources.