Keeping Your Eye on the Risk Ball
Compliance officers face an almost infinite number of risks – not to be trite, but CCOs can drive themselves crazy trying to identify every plausible legal and compliance risk a company faces. I am exaggerating a little to make a point.
Perhaps the most overused phrase in compliance is – companies should not implement a one-size-fits-all compliance program. Add this to the long list of profound grasps of the obvious.
My point is that, given the enormous challenges facing compliance professionals, it is critical that compliance programs are tailored to the company’s most significant risks. In practice this means something very important – compliance officers have to ensure that they devote as much time as possible to high-risk/red-flag activities.
In all too many cases, compliance professionals who feel overwhelmed gravitate toward the more “doable” compliance functions, those that are easier to complete.
I am always amazed at how much time compliance officers devote to gifts and hospitality requests while far higher-risk conduct is ongoing (e.g. a tender bid in a high-risk country, or a high-risk third-party relationship whose activities need monitoring).
Every compliance officer has to ask whether their activities, meaning their time and attention, are allocated in accordance with the company’s risk profile. The risk profile should be the critical guide for evaluating whether a compliance officer is using his/her time efficiently.
This may sound fine in theory but unrealistic in practice. Nothing is perfect, but a compliance officer should certainly be mindful of how his/her time maps to the company’s risks. Under this disciplined approach, low-risk activity may get little to no attention, in contrast to a sustained focus on high-risk activities.
To organize this approach, CCOs should develop a list of risks from highest to lowest, along with the corresponding controls needed to mitigate each specific risk. With this guidance in place, compliance professionals can ensure that they devote sufficient attention to higher risk activities.
Of course, some mitigation strategies address multiple risks at once. Ethics and compliance training, for example, mitigates a number of risks simultaneously, so the impact of a strong training program may be significant.
Since we repeatedly emphasize the risks posed by third parties, compliance professionals using this approach will find themselves spending more time and effort monitoring third-party business relationships, including by interacting with the internal business leader responsible for each relationship. That is a very good result and makes sense in an overall risk-based allocation of resources.
Conversely, compliance professionals will find themselves devoting less time to other routine functions: small gifts and hospitality expenditures, small charitable contributions and sponsorships that are low-risk or regularly paid, and routine, low-risk government interactions.
When measuring risk, compliance professionals should treat the amount of money or benefit that may be involved as a critical factor in assessing and ultimately ranking a specific risk. Incorporating this revenue/money-at-issue factor helps compliance professionals gauge both the severity of a risk and the opportunity it creates for misconduct.