Although the formalisation of the discipline of risk management is relatively recent, the notion of enterprise-wide risk management first appeared in the 1960s, and was developed in the insurance field. In order to reduce losses, insurance companies encouraged their corporate clients to have a more-secure installation to prevent external risks. At this time, risk management was specific and limited. Since then, risk management has spread to other aspects of business, such as health, safety, manufacture quality and environmental protection. Risk management as we perceive it today is used in a wide range of activities, including compliance. Assessing compliance risks while utilising most of the traditional risk assessment approaches requires a specific tact when it comes to determining the potential impact the materialisation of these risks might have on a company.
Risk, risk management and risk assessments
Risk applies across all industries, and may be generated through a company’s activities or services throughout its lifecycle or due to changes in business and law. However, operational risks and compliance risks do not have the same scope of intervention in their application to business.
Compliance risk can be defined as the risk of breaching the law, the risk of material or financial loss, or the risk of loss of reputation an organisation may suffer as a result of failing to comply with laws, its own regulations or code of conduct, or even standards of best practice. An operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events. Operational risk can be created by a wide range of different external events, ranging from power failures to floods or earthquakes to terrorist attacks. Similarly, operational risk can arise due to internal events such as the potential for failures or inadequacies in any of the organisation’s processes and systems or those of its outsourced service providers. Nevertheless, and despite the differences within the term, techniques in terms of managing the different types of risks can be approached in a similar manner.
Another distinction that needs to be underlined here is between risk management and risk assessment. While risk management aims at controlling the level of risk associated with an activity, the objective of a risk assessment is to identify and measure the risks associated with this activity. Risk assessment is a key step in the mitigation process.
Compliance risk assessments
A risk assessment in its general sense involves three key steps that can be applied to the function of a compliance risk assessment.
Different departments of an organisation are encouraged to identify sources of compliance risk, areas of impact, risk events, and risk causes and potential consequences in order to generate a comprehensive list of risks. The identification of compliance risks can come in various forms, such as email communications, minutes of meetings, issue logs, brainstorming and discussions. Some of the most common compliance challenges that a company should consider, and that can affect a company’s decision making, are:
- corruption and bribery
- privacy breaches
- anticompetitive behaviour
- grey market selling
- intellectual property infringements
- human rights
- sanction breaches
- export control breaches
- fraud, embezzlement and money laundering.
At this stage of the process, each compliance risk will be analysed to comprehend its nature and determine its impact. The impact of risks, should they materialise, will be measured using a matrix combining consequences and likelihood. The measurement can be expressed either in quantitative, semi-qualitative or qualitative terms. The outcome of the weighting determines the priority and as such provides basis for risk evaluation. The risks with high probability of occurrence and a strong impact are received in detail and captured in a risk register: a central repository that will be consistently monitored and managed.
The next step is deciding which compliance risks need treatment, and in what order of priority. Depending on the organisation’s risk appetite (as defined earlier), a risk can either be acceptable or require mitigation. The fundamental outcomes of a compliance risk evaluation process should assist with the following:
- Understanding the nature and significance of the compliance risks
- Obtaining information on the suitability of the compliance risk control arrangements
- Developing and implementing additional control measures to further eliminate or reduce the compliance risks
- Determining corporate objectives, targets and performance measures
- Identifying opportunities within the organisation’s strategic goals and implementing strategies in line with compliance functions to enhance these opportunities
- Identifying abnormal events
- Improving the compliance programme overall.
A key aspect in determining what compliance risks exist within an organisation when conducting a compliance risk assessment is understanding the prior risk appetite as part of the analysis. The key is to decide how much of a compliance risk an organisation is willing to accept, where it has little appetite and where it might be comfortable taking on more risk as a means of meeting strategic goals. To do so, an organisation needs to balance the required financial resources as well as the time and effort to reduce the risk against the degree of risk presented. Even if risks are worth taking to achieve profit, it does not necessarily mean it is a free pass for companies to compromise on compliance with laws and regulations.
Risk appetite mainly depends on the industry and a company’s overarching attitude to compliance and its knowledge of the consequences of a breach. Pharmaceutical companies, for example, will most likely maintain a low appetite when it comes to engaging third parties, given the potential ramifications of non-compliance with expected standards of handling medical products. On the contrary, oil and gas companies are often more lax when it comes to engaging with government associated organisations, despite the potentially high risk of corruption.
Why do we need to carry out a compliance risk assessment?
Conducting compliance risk assessments has become an increasingly fundamental requirement for all businesses. A compliance risk assessment is a crucial step in implementing an efficient, proactive and sustainable compliance programme. Companies should not expect to receive full credit for a compliance programme if it is not derived from a compliance risk assessment. Analysing and ranking the risks related to compliance allows companies to develop the best response to significant compliance risks by allocating compliance resources tailored to these risks. Companies often spend too much time focusing on specific expense situations to the detriment of mitigating other risks, such as third-party conduct.
The wide range of laws and regulations detailing specific requirements and tougher reprisals has increased the liability of companies and the monitoring of their activities. Companies cannot guarantee the total eradication of wrong-doings by conducting a compliance risk assessment, but they can show their awareness and their willingness to move in the right direction in an efficient and expedient manner. It will help prevent the possibility of prosecution and related consequences, such as imprisonment, fines and a severely tarnished reputation as a result of illicit practices.
The number of legal and regulatory requirements will continue to grow, especially in the financial services and healthcare industries, and therefore the requirement for compliance risk assessments will expand. Tracking these changes, assessing their impacts on the organisation and updating compliance registers will become a must-do activity for companies. As evidence of this trend, over the past few years The Red Flag Group has received an increasing number of requests to conduct risk roundtable series and compliance risk assessments. Although compliance risk management as a specialisation is currently in its early stages, it is likely to gain greater recognition as an essential component of developing an effective and sustainable compliance programme.