Internal auditors and compliance professionals have become attuned to recognizing that if you want the support of the C-suite, you should focus on compliance issues that are top of mind among CEOs. For example, one obvious yet relatively new risk is cyber-threats, including inadequate data security, which has materialized as a priority issue for many organizations.
Consider: Did your most recent compliance risk assessment identify cyber-security as a major compliance risk? If so, how was it prioritized? What steps were taken to reduce the risk? According to PwC, this year data security far outpaced other areas as a perceived future risk. Notably, the subject didn’t even make last year’s survey, although privacy and confidentiality have consistently been listed as a compliance-related risk.
Recent compliance program benchmarking surveys by Deloitte and PwC indicate that a healthy majority of companies do regular compliance risk assessments at least annually (both surveys reporting more than 60 percent). How the assessments are performed seems evenly split among being done as a stand-alone process, as part of internal audit’s risk assessment, or as part of a general enterprise-wide risk assessment.
A comprehensive and repeatable compliance risk assessment remains the foundation to a strong compliance program, but companies still struggle to implement one in a sustainable manner. Like other elements of a compliance program, no single, universal risk assessment exists. Anyone planning a compliance risk assessment must account for variations in company attributes that affect both the risks to which the company is vulnerable, and the assessment processes that will be practicable.
Those experienced with risk assessments know that the assessment team often begins with templates, tools, and process plans—only to stall or veer off course when it becomes evident that a different approach is needed. Even worse, you might pay for a high-priced, convoluted risk assessment with fancy graphics that ultimately tells you what you already know. Compliance professionals have come to realize that the effectiveness of the compliance risk assessment will depend on carefully balancing what outcomes are achievable given available resources and time.
Risk Assessment Methodology
The internal audit team can play a significant role in assisting with an effective risk assessment, particularly by applying methodologies and techniques from enterprise risk management. The core steps for conducting risk assessments are well-established: information gathering on key risks and the associated likelihood, effect, and controls; gap analysis; and design of remediation or mitigation steps. But the context in which these steps are applied can be quite specific and driven by organizational variation.
Because ethics and compliance risks touch so many areas of the enterprise, organizations should consider integrating the compliance risk assessment into an existing ERM process. This is another area where risk assessments seem to struggle, grappling with siloed, uncoordinated, and overlapping activities. One obvious benefit of an integrated approach is consistency and uniformity of terminology, criteria, process, and the risk information collected. When risk assessments are conducted separately by different business units, use of different frameworks can result in the need and cost for reconciling the information collected across the organization. Integration can lead to a better quality of risk-based information upon which strategic and tactical decisions are based.
Contemplating the risk universe and the assessment process can seem overwhelming. Keep in mind that the fundamental objective of the compliance risk assessment is to drive improvements in the compliance program. The assessment should result in information that will guide the allocation of (limited) resources and activities within the compliance program to optimize the match between the company’s major compliance threats and the corresponding mitigation efforts.
Here are some realistic considerations for a balanced approach:
Establish scope. For instance, decide whether you should include all operations or apply a materiality threshold to determine inclusion in the process. It might be better to limit the scope to significant operations, especially during an initial risk assessment so that the process does not become unwieldy.
The risk universe. You shouldn’t try to inventory every conceivable compliance requirement to identify the key risks to be evaluated. In most cases, a small group of legal and compliance experts can triage a comprehensive “kitchen sink” risk list down to a manageable number to examine more systematically. You do, however, want key knowledge experts involved. Depending on your industry and activities, you may need to develop or retain specialized expertise in significant or newly evolving areas such as fraud control and data security.
Carve-outs. In considering the scope and the risk universe, determine if any functions and areas can be carved out (environment, health and safety, for example) because they already maintain a robust risk assessment and remediation process. To distill the risks to be reviewed, evaluate whether there are separate areas for subsequent assessment, particularly those that may need a different methodological approach. Some areas, such as those pertaining to the compliance “program” itself (ethical culture, fear of retaliation) versus a substantive regulatory topic, may require additional data (employee perceptions) to evaluate adequately. Certain compliance risks may also benefit from a deeper dive involving a distinct process.
Data and technology. Be mindful that more is not always better. The availability of sophisticated survey tools can make it seem inexpensive and easy to gather voluminous data from a large population, and to slice that data. Potentially, this means we can conduct a much larger assessment with the same resources. Still, there is a point of diminishing returns. Be aware that the more questions you require people to answer, particularly those not intimately related to their job, the less effort and the more guesswork will go into the answers.
Common sense. Sometimes less is more. While assessment surveys are valuable, in most cases they are just a starting point for analysis that tells you where to look. You may find that interviews and focus groups produce better information than written surveys, and that surveys with a few open-ended questions, or that invite the respondents to explain their observations, are usually better than purely numerical ratings.
Institutionalizing the Compliance Risk Assessment
The compliance professional should commit to updating and revising the risk assessment process on a regular basis. A periodic assessment provides an opportunity to step back and assess how well the mitigation strategies have worked, and to identify new or emerging risks that were not previously considered. If compliance program activities are well integrated into business activities, then ongoing monitoring of compliance risks should be occurring.
The final product of a compliance risk assessment should summarize the risk profile of the organization, identify gaps and opportunities for improvement, set the compliance and ethics strategy for a specified period of time (say, three to five years), and shape the direction of the compliance program and related operations. This document should record how the assessment was conducted and include an action plan for addressing specific risks.
Benchmarking data suggests that companies are not yet fully using assessment results to track whether compliance risks are increasing or decreasing. That information can be valuable to support the business strategy by providing insights into key decisions that can affect a company’s growth targets and other strategic imperatives.
One approach for the compliance program to implement is to incorporate risk ratings that are generated from the assessment into regular monitoring reports. The status of mitigation efforts can be tracked and their effect on the risk rating reported as part of regular compliance program updates to senior management and the board. This approach can also serve to build the risk assessment process into operations as monitoring of the risk level will be dependent on business people monitoring their own operations. The reports can be trended to (hopefully) depict the impact of mitigation activities with risk ratings adjusting over time.
Your compliance risk assessment will be more effective if you devote time at the start to focus carefully on defining the scope and objectives you want to achieve. Remember that regulatory risks change over time, and the challenge is to avoid investing heavily in generating large amounts of information that can’t be used before it goes stale. A thoughtful risk ranking, controls evaluation, and gap analysis by knowledgeable people will prove to be a big step forward, if it leads to effective action.