Compliance risk assessments are one of the first steps on the path to an effective risk-based compliance program, but it’s how you continue to manage and mitigate risk that truly determines if your program is successful. Kwamina Williford, Partner at Holland & Knight, and Chris Caron, Compliance Director at Kiewit, shared their thoughts on putting a risk-based compliance program into practice in the real world during a webinar—Achieving a Risk-Based Approach to Compliance Management—earlier this year. Here are some highlights of what they said, along with some additional insights.
A key component of prioritizing your initiatives is to analyze, rank and understand the key risks your organization faces. Many are familiar with the likelihood-of-impact and likelihood-of-occurrence evaluation matrices, but they are a key tool that should not be overlooked. Once your risks have been identified, either through a dedicated risk assessment or surfaced by continuous program analysis, take the time to create likelihood scales you can use to map and prioritize those risks.
When creating a “likelihood of impact” matrix, be sure the categories you rank against accurately reflect your industry and business. These areas can include:
- Legal liability
- Health and safety
- Operations (class/research)
- Financial loss
- Reputational impact
Categories such as legal liability, financial loss and reputational impact should be included in every company’s evaluation. Categories like health and safety, however, will weigh far more heavily for manufacturing, construction and similar industries than they are likely to for mostly office-based enterprises, such as financial institutions.
Next, determine a likelihood-of-occurrence scale customized to your company, industry and locations. Historical data on incidents within your organization will help you create an accurate scale. In the absence of historical information from your company, look to peers and industry data. If a company in your field was recently charged with a compliance violation, consider whether that should affect the likelihood of occurrence for your organization.
Kwamina shared a sample likelihood-of-occurrence scale with example metrics during the webinar.
This two-part likelihood analysis will help you prioritize and chart your risks, highlighting high-risk areas that need immediate attention. It will also define a common language that ensures all your risks are evaluated and assessed the same way, for cross-program consistency. If every department uses the same language and the same evaluation scale, it will be much easier to compare departmental and location risks and ultimately collate the data into a single, company-wide risk evaluation.
Analyze Your Initial Analysis
That’s right, you’re not done yet! Once your initial analysis is complete, there are a few different ways you should look at it to check its accuracy and its influence on the program.
If you encourage different departments, teams or locations to complete their own risk evaluations (a good idea, since they are the ones on the ground who understand the risks they face on a daily basis), spend the time as a compliance team to review those evaluations for cross-organization consistency and appropriate risk level. As with any localized evaluation or assessment, a team may identify a risk that is high for them but a much lower risk to the company as a whole. These risks shouldn’t be discounted, but it is the compliance team’s job to evaluate them within the context of organizational risk.
Kiewit helps align these two processes by giving its managers a specific set of risks to choose from. Instead of asking project managers to come up with all the possible risks associated with each project, Kiewit gives them the list of enterprise risks identified by the company risk assessment to choose from. The managers then rate the likelihood and impact of these risks in relation to their specific projects using the evaluation matrix definitions. Chris noted that including managers in this way resulted in better buy-in and a higher interest in mitigating risks at the team level.
Once mitigation measures have been put in place, it’s time to assess your analysis again. Program assessment and improvement is a vital aspect of compliance, and it doesn’t just apply to policies, training and management procedures. After your risk map and mitigation initiatives have been in place and in practice for a while, go back and assess them for accuracy and effectiveness. New risks could have appeared that supplant your “old” top risks, your risk matrix could have expanded as the company or regulatory landscape changed, or your initial assessment may simply not have been as accurate as you originally thought.
While scrapping something you spent so much time on can be difficult, it’s important that your risk monitoring and mitigation efforts are doing what they’re intended to do. Chris knows this experience well: Kiewit replaced its old risk rating model when the compliance team discovered some major process weaknesses.
“Last year [our impact levels were] low, medium and high, and what we found was a lot of our construction projects were rating a large percentage of their risks as ‘Low’ because that meant they had to do a little bit less mitigation on their part. That had management concerned. So what we did is we converted all the ‘low’ risks to ‘standard’ risks. Those are risks they all face, and anything higher than that is an ‘elevated’ risk and they have to do extra efforts on it,” he said.
When Kiewit discovered that its process was not performing as intended, they took the time to look at the deeper issue and make it easier for their employees to practice risk-based compliance. (You can hear more of the story in the webinar recording.)
Use your compliance risk assessment to look for gaps
With any major project, it’s easy to focus on the big-ticket items and let the smaller, less consequential aspects slip through the cracks. And compliance is certainly a major project. You’ve undoubtedly put initiatives in place to address your major risk areas, but what about the less likely and less impactful risks? While it’s important to start with the highest-priority risks, you also need to keep working your way down the priority list until every identified risk is addressed in some manner. At a minimum, every risk important enough to make it into your assessment and analysis should have a policy and procedure associated with it. Higher risks might need more robust initiatives, but it’s fine to rely on less labor-intensive policies and procedure outlines for lower-priority risk areas, as long as that approach is proving effective.
Ultimately, it all boils down to effectiveness. Simply having a program, process or procedure on paper isn’t enough (as we recently learned from BHP Billiton). You need to ensure that your approach is effectively addressing risk. Kwamina recommends looking at these internal control measures to ensure your mitigation efforts are as robust as they need to be:
- The policies and procedures you have in place for each risk are adequate
- Reporting mechanisms are clearly defined, working correctly and being consistently used
- Corrective actions are clearly outlined and consistently enforced
- Auditing and monitoring take place on a regular schedule to confirm effectiveness and surface weaknesses
- Training and education are regularly deployed, completed and effective
These controls aren’t a checklist but a cyclical approach to continuous program evaluation and improvement. Once you feel confident you’ve addressed every risk at a base level, going back over each initiative ensures there aren’t any gaps. Weak policies, procedures that were never fully implemented, new hotspots, and overlooked or ignored trends all weaken your program and lessen the effectiveness of your risk mitigation. Set a schedule for recurring risk assessments and a timeline you can follow for analyzing effectiveness and gaps. This will help keep you from missing a risk or relying on an ineffective process.
(Need more guidance on assessing your program’s effectiveness? Check out the Practical Guide to Compliance Program Review & FSGO Benchmarking – including two printable assessment templates.)
Work with Your Peers
Everyone in compliance is still trying to figure out how best to structure, run and improve their program, and the best way to do that is to pay attention to what your peers are experiencing. Chris said he regularly borrows good ideas from other compliance teams, and many compliance professionals start peer groups or attend roundtable discussions to share their insights and seek input from others. So while each company’s risk profile should be tailored to that specific organization, don’t ignore outside influence: it could raise risks you hadn’t thought of or had undervalued for your industry. From Chris:
“Look around your industry. I focus very heavily and I interact a lot with my counterparts at various construction companies because I’m interested in the things they’re being challenged with. Usually they’re challenged with those issues because regulators are focusing on those things. I want to know about those things up front. The sooner I know about those challenges, those compliance areas that are being really focused on, the sooner I can put a process in place or ensure that the processes we have in place are going to keep us compliant.”
Industry trends and standards are often reviewed as part of an official risk assessment, but paying attention to the industry shouldn’t be relegated to yearly official assessments. Take time at conferences and other industry events to talk to peers and find out what they’re facing and how their initiatives are working. As they say, the best offense is a good defense, and that applies to getting a handle on compliance risk too.