A recent roundtable on best practices for risk assessment, sponsored by OneTrust and organized by the International Compliance Association, uncovered insights from those on the front line of compliance.
The International Compliance Association (ICA) is a professional membership and awarding body. ICA is the leading global provider of professional, certificated qualifications in anti-money laundering; governance, risk, and compliance; and financial crime prevention. ICA members are recognized globally for their commitment to best compliance practice and an enhanced professional reputation. To find out more, visit the ICA website.

Delegates were invited to share their experiences as well as the methods and means to help conduct risk assessments that are accurate, effective, and efficient.

A natural focus was on obstacles ushered in by the pandemic, but discussion also centered on current and future challenges for compliance professionals within their organizations and industries.

The result was an engaging and informative gathering that gave voice to a range of compliance professionals from different backgrounds and perspectives.

Three streams

Robert Coxall, GRC strategic executive at OneTrust, started with an examination of the current risk assessment landscape.

He identified three key streams—consolidation, correlation, and communicable insights—before going on to summarize the essence of the challenge facing compliance as being able to “constantly understand the risk landscape.”

Some key issues highlighted by Coxall included slow assessment processes, which can be overly manual and time-consuming, and the different means of attempting to assess regulatory developments.

Of particular interest was his emphasis on consolidation—in other words, obtaining business buy-in and bringing streams together.

On correlation, he looked at the importance of making sense of everything by connecting the dots, acknowledging this is a difficult process.

Communicable insight, Coxall explained, was about asking, “What do we get from observations?” He noted there is usually little or no context and answers with no meaning.

“Assessments are static and immediately out of date,” he explained. “We don’t learn from our experiences.”

This, he said, fosters a bad relationship in the first line, making it slower and more difficult to assess risk. The aim is to obtain a constant management of risk, not a one-off snapshot.

Coxall concluded the first part of the roundtable with a poll asking how well delegates were leveraging technology to improve efficiencies in risk assessment. The overwhelming response suggested a need for improvement.

Top 5 takeaways

  • Obtaining business buy-in is vital. It’s a challenge, but one that can be overcome by engaging directly with teams and individuals, being open and honest, and working and communicating in a collaborative way.
  • Automation and technology are of great utility, but don’t overlook the human aspect. Getting out there and conveying to teams the importance of regulatory updates remains a key part of a compliance professional’s core duties.
  • Giving the reason why helps colleagues get on board. More is achieved by adding context to compliance updates and information, helping staff relate it to their everyday responsibilities.
  • Think creatively and acknowledge the role of others. Showing you understand the duties placed on certain areas demonstrates empathy and helps foster positive, reciprocal relationships.
  • Share your successes and concerns. Giving voice to issues is the first step toward getting them resolved, while illustrating effective compliance helps other areas obtain a better picture of what it is compliance does.

Practitioners speak out

In breakout sessions, delegates shared problems and solutions with their fellow professionals.

Too many people are involved in the risk assessment process, one delegate said. It was generally agreed there was too much emphasis on risks that “will never happen.”

One delegate explored their concerns on their company’s role as a subsidiary firm, detailing how the parent company expected the same level of risk assessment for the subsidiary.

Concerns were also voiced about convoluted and complex systems that “cloud the water.”

One delegate described their firm’s current approach as “very numbers-focused—skill and knowledge aren’t as developed around behavioral data.” With money laundering, they explained, “It’s all about identifying risk around suspicious behavior. How do you influence the rest of the business that those are important factors?”

Risk ownership

Who owns the risk? The first or second line?

One respondent explained they clearly established the risk owners were first line at their firm. “That’s important, because they’re the ones that understand those risks best. They’re at the forefront of the activity,” the delegate said.

“The challenge is they’re doing other roles within the first line; they wear many hats, so time to assess those risks isn’t there.”

Thinking creatively and being realistic about expectations to help prevent backlogs were proposed as sensible solutions, along with the notion the first line of defense should not have too many demands placed upon it.

Regulatory change

One delegate described how they set up a virtual office and had regular alerts and updates on new regulation.

“I pull people into project teams and run regulatory change projects. The important thing to get across is how regulatory change affects every aspect of the business,” they said.

Another utilized technology, applying a tool that scans the Bank of England, the Financial Conduct Authority, and other regulators to determine what the policy statement is about before sharing it with colleagues.

“This is where the manual bit comes in,” they said. “It’s tracked, so we know who it has been sent out to. Then an area takes accountability for it. We push it out to the business as soon as we can.”

Informing the business

Coxall explained you must “give people the reason why you’re getting this information. When questionnaires are sent out, there’s usually a lack of response. How do you educate the business why we are doing this?”

Delegates agreed this was an interesting challenge and that compliance teams can take a long time to engage properly with the business.

“We don’t want to tell the business what to do; rather, we must help them understand why they have to do it,” one delegate said. “This has better buy-in.”

“When you’re in the second line, there’s always that suspicion,” another delegate explained. “As much as we say we’re all on the same side, it doesn’t always feel like that. It’s a challenge to get engagement. But they are busy. It’s about delivering messages that get traction.”

The consensus was context is required, and there is little utility in handing out questionnaires without giving the reason why.

The International Compliance Association is a sister company to Compliance Week. Both organizations are under the umbrella of Wilmington plc.