Although the formalisation of the discipline of risk management is relatively recent, the notion of enterprise-wide risk management first appeared in the 1960s and was developed in the insurance field. In order to reduce losses, insurance companies encouraged their corporate clients to secure their installations against external risks. At this time, risk management was specific and limited in scope. Since then, risk management has spread to other aspects of business, such as health, safety, manufacturing quality and environmental protection. Risk management as we perceive it today is used in a wide range of activities, including compliance. Assessing compliance risks with most of the traditional risk assessment approaches requires particular care when determining the potential impact the materialisation of these risks might have on a company.
Risk applies across all industries and may be generated through a company’s activities or services throughout its lifecycle or due to changes in business and law. However, operational risks and compliance risks do not have the same scope of intervention in their application to business.
Compliance risk can be defined as the risk of breaching the law, the risk of material or financial loss, or the risk of loss of reputation an organisation may suffer as a result of failing to comply with laws, its own regulations or code of conduct, or even standards of best practice.
An operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events. Operational risk can be created by a wide range of external events, from power failures, floods and earthquakes to terrorist attacks. Similarly, operational risk can arise from internal events, such as failures or inadequacies in any of the organisation’s processes and systems or those of its outsourced service providers. Nevertheless, despite the differences between the two terms, the techniques for managing the different types of risk can be approached in a similar manner.
Another distinction that needs to be underlined here is between risk management and risk assessment. While risk management aims at controlling the level of risk associated with an activity, the objective of a risk assessment is to identify and measure the risks associated with this activity. Risk assessment is a key step in the mitigation process.
A risk assessment in its general sense involves three key steps that can be applied to the function of a compliance risk assessment.
Different departments of an organisation are encouraged to identify sources of compliance risk, areas of impact, risk events, and risk causes and potential consequences in order to generate a comprehensive list of risks. The identification of compliance risks can come in various forms, such as email communications, minutes of meetings, issue logs, brainstorming and discussions.
Some of the most common compliance challenges that a company should consider, and that can affect a company’s decision making, are:
- corruption and bribery
- privacy breaches
- anticompetitive behaviour
- grey market selling
- intellectual property infringements
- human rights
- sanction breaches
- export control breaches
- fraud, embezzlement and money laundering.
The Red Flag Group® has created an in-depth guide to understanding each of the 30 risk areas and the impact they can have on your business.
At this stage of the process, each compliance risk is analysed to understand its nature and determine its impact. The impact of risks, should they materialise, is measured using a matrix combining consequences and likelihood. The measurement can be expressed in quantitative, semi-quantitative or qualitative terms. The outcome of the weighting determines the priority and as such provides the basis for risk evaluation. The risks with a high probability of occurrence and a strong impact are reviewed in detail and captured in a risk register: a central repository that is consistently monitored and managed.
The next step is deciding which compliance risks need treatment, and in what order of priority. Depending on the organisation’s risk appetite (discussed below), a risk can either be accepted or require mitigation. The fundamental outcomes of a compliance risk evaluation process should assist with the following:
- Understanding the nature and significance of the compliance risks
- Obtaining information on the suitability of the compliance risk control arrangements
- Developing and implementing additional control measures to further eliminate or reduce the compliance risks
- Determining corporate objectives, targets and performance measures
- Identifying opportunities within the organisation’s strategic goals and implementing strategies in line with compliance functions to enhance these opportunities
- Identifying abnormal events
- Improving the compliance programme overall.
A key aspect in determining what compliance risks exist within an organisation when conducting a compliance risk assessment is understanding its risk appetite beforehand, as part of the analysis. The key is to decide how much compliance risk an organisation is willing to accept, where it has little appetite and where it might be comfortable taking on more risk as a means of meeting strategic goals. To do so, an organisation needs to balance the financial resources, time and effort required to reduce the risk against the degree of risk presented. Even if some risks are worth taking to achieve profit, this does not give companies a free pass to compromise on compliance with laws and regulations.
Why do we need to carry out a compliance risk assessment?
Conducting compliance risk assessments has become an increasingly fundamental requirement for all businesses. A compliance risk assessment is a crucial step in implementing an efficient, proactive and sustainable compliance programme. Companies should not expect to receive full credit for a compliance programme that is not derived from a compliance risk assessment. Analysing and ranking compliance risks allows companies to develop the best response to significant compliance risks by allocating compliance resources tailored to those risks. Companies often spend too much time focusing on specific expense situations, to the detriment of mitigating other risks such as third-party conduct.
The wide range of laws and regulations detailing specific requirements and tougher penalties has increased both the liability of companies and the monitoring of their activities. Companies cannot guarantee the total eradication of wrongdoing by conducting a compliance risk assessment, but they can demonstrate their awareness and their willingness to move in the right direction in an efficient and timely manner. This helps reduce the likelihood of prosecution and its related consequences, such as imprisonment, fines and a severely tarnished reputation as a result of illicit practices.