Risk is at the heart of every compliance program. But that’s sometimes easier said than done. In January 2015, Kwamina Williford, Partner at Holland & Knight; Chris Caron, Compliance Director at Kiewit; and Joe LeBas of Convercent gave practical, real world advice on achieving and improving a risk-based compliance program.
Here are the questions you raised during the Q&A portion of the Achieving a Risk-Based Approach to Compliance Management webinar.
We have ERM and risk colleagues; where does their role end and my role start?
Kwamina Williford: I see them as being complementary. Your risk professionals within the organization take a broad-perspective look at what types of events or acts are going to impact the organization. Compliance is one aspect of that, because you have certain regulations or laws that you are required to comply with, but risk goes beyond that. They’re looking at it strategically; they’re looking at reputational, operational and financial risk. So they’re looking at a broader piece which includes compliance. In light of that, I think compliance should be a part of the conversation relating to the management of risk. As a compliance professional, your focus is really on understanding and managing the compliance obligations, the legal and regulatory obligations of your company, and making sure that those risks and obligations are brought to the forefront. Quite frankly, they should be shared and be a part of the ERM process, because that’s a part of what ERM will be looking at. I see them as complementary, with compliance focusing on regulatory and legal risk and bringing that to the bigger ERM picture.
Chris Caron: It’s certainly a part of it. The only difference for each company is going to be what level of attention those regulatory areas, or compliance as a topic, need. Some companies, like mine, need a full-time department with a number of people who are really focused on building tools and monitoring our regulatory world, because if we get into trouble there, that means we don’t get to do business with public agencies anymore. It’s a big thing for us. Other companies are going to have much less impact from those regulatory worlds, and it’s going to depend on that.
Joe LeBas: When you’re talking about an overall enterprise risk function, compliance practitioners are domain experts in compliance and are able to speak to that. Once you have the confidence to start taking that risk-based view, you’ll learn it’s not really that obtuse. Organizations are not asking you to run quantitative risk analyses or Monte Carlo simulations; really you’re looking at the impact and likelihood of risks, assessing risk around areas that you are experts in and bringing those to the table. I’ve had instances where the chief compliance officers I’ve talked to have said, “I feel much more confident being able to step forward and bring this to our enterprise risk efforts rather than waiting to be asked for it.” It’s not an oil and water thing, but something that can be done together and that highlights the strength of the compliance department.
Once you have a green light to take a risk-based approach, what are some of the challenges?
Chris: Operational buy-in. Even if management is bought in, convincing the operational people (the people who are actually going to have to do all this stuff on a day-to-day basis) that they need to buy into it too, that’s a challenge. You’re going to get push back. In some cases, that push back is OK, because it’s going to challenge you to come up with a better way to do something, or to better understand on your part why you might have to do something a little bit differently. But getting operational buy-in is the next biggest challenge.
Kwamina: A lot of times, once you’ve gone through the process and identified this as a priority, having it acted upon as if it’s a priority [can be a challenge]. I think that goes with the buy-in piece: really getting some of the stakeholders to recognize that this is important and that it can have a significant impact on our organization, so can we prioritize and address this with resources? By resources I mean funds as well as personnel and stakeholders who can actually help make sure that the policies and procedures are being followed. Buy-in is key, it’s absolutely key.
We believe we’re taking a risk-based approach but we’re not conducting formal risk assessments. Does that mean we’re not taking a risk-based approach?
Kwamina: The regulations that talk about the risk assessment piece are really general; they don’t say what it needs to look like or how it needs to happen. It’s only more recently that the formal risk assessment has really taken hold. For me, it’s the concept that you are looking at risk. Just because you aren’t putting it into a matrix and doing it in a formal way, you could still be doing the process in an informal way that gets you the end goal, which is that you are trying to understand where your company’s risks are and you are addressing them in the order that’s prioritized. There is clearly no one-size-fits-all; you really have to know your organization. So while some go through and do the formal risk assessment every year, every two years or every three years, you can still achieve, or strive to achieve, the same end, which is looking at what risks you face, trying to understand them and prioritizing them as a part of your process. The Sentencing Guidelines don’t say what your risk assessment needs to look at, but we have been informed by ERM and a lot of other things in terms of a best-practices approach. I wouldn’t fret too much, but understanding that it is important to look at risk and at different ways to analyze it is important, and quite frankly it will usually make your job a lot easier, because you’re putting parameters around what you will address first. If you don’t take a risk-based approach and just try to address everything at once, it can be very overwhelming. I see it as a plus and usually something that is welcomed by many.
Joe: It’s kind of a new muscle that I think a lot of compliance departments are learning. Assessing risks, and assessing them formally, is a different kind of exercise from defusing risks, being the cop, or mitigating them to a large extent. We all fundamentally know about risks to our company, but putting them down on paper and getting a process, no matter what it looks like, [is new]. Technology, to an extent, can help you keep those processes running.
What kind of reporting mechanisms are best for deploying a risk-based approach?
Kwamina: A lot of times reporting is really keeping stakeholders apprised of where you are with the monitoring that’s happening. You’re going through this, you’re gathering information from various stakeholders, you have these policies, you have people in place who are looking at the auditing and monitoring, and then you have the results. So you’re not just keeping it, you’re elevating it. You’re essentially tracking the progress that’s made in connection with the internal controls, and you’re reporting up to whoever compliance reports to, whether that’s the board of directors or someone else.
Chris: At Kiewit we have a compliance counsel as well as an audit committee, and we report to them on a quarterly basis. We like to share that information with our operational units so they can see how we’re doing internally; it’s not really super secret. Generalized information we like to share pretty heavily, but there are issues you’re going to have within the company that in some cases you’re going to have to keep a little bit quieter, because they might be sensitive information. But I will push here to try and share some of those, so your field personnel can see, “Hey, we had this issue, it got resolved this way, there might have been some consequences for some employees because of that situation, and it’s been resolved,” so they can see things being corrected.
How do you get management buy-in from leaders who don’t understand the importance of compliance, especially in a publicly traded company?
Chris: If you have a voice with or on the board, present the specific high risk areas to your company and how those risks can be mitigated. Industry-related news and legal cases can help you with this message. If the word “compliance” is the problem, avoid it and focus on the specific regulatory risks you see.
Are there examples of risk assessment scales that include a component for how the company currently manages risk?
Chris: We used to include a rating for “Chance of Detection” that was intended to account for those risks where we can easily identify when a non-compliant situation occurs. However this was generally misunderstood and confusing to operations personnel and tended to create too large of a scale to deal with. A Likelihood and Impact scale of five each results in 25 risk levels. Adding a third scale of five drives that up to 125 risk levels.
Kwamina: Usually, the simpler the matrix the better. However, I have had clients who utilized a third step in the analysis where they were able to slightly adjust the risk level (either up or down) based on the effectiveness of the internal controls in place to address the issue or other named circumstances.
Could you address the relative roles of audit vs. compliance in the risk assessment process?
Chris: Our Internal Audit Department does include Compliance in their audits, but only addresses the higher-risk areas on each project. They consult with the Compliance Department (and others) before the audit to tailor their audit program for each location they visit.
Kwamina: Compliance drives the compliance risk assessment process (as opposed to ERM), and should gather results from Audit to help inform the company’s risk areas. Other areas for compliance to look to would include hotline complaints, litigation outcomes, the industry enforcement climate, and regulatory changes.
To learn more about this topic, watch the full webinar on-demand.