How do you identify the highest compliance risks to your organization?

The definition of a risk-based compliance approach is straightforward. You identify the highest compliance risks to your organization and make them the priority for controls, policies, and procedures. Once your compliance program reduces those highest risks to acceptable levels, you move on to lower risks.

One can see why a risk-based approach is so useful. Your biggest compliance risks will cause the most disruption should they happen: time spent on investigations, money spent on regulatory settlements, unwanted headlines, business partnerships jeopardized, and so forth. 

If there’s one thing senior executives hate, it’s disruption to their business. So operationally, a risk-based approach makes huge sense. 

Regulators in data privacy protection, anti-corruption, fair competition, etc. advocate risk-based approaches for another reason: it shows that the company actually thinks about its risks.

So what does a risk-based approach entail?

It has two parts: identifying certain risks and making them the priority: it’s about proficiency at risk assessment and responding with agility. 

That’s an important point for Compliance Officers to consider as you defend the value of compliance programs to senior executives. Using a risk-based approach is the better way to run a compliance program—but not necessarily cheaper or faster, because savings and speed aren’t the paramount goals. However, reducing compliance risks is!

“Proficiency in risk assessment” implies several specific capabilities. For example, it implies a strong ability to perform due diligence on third parties, since they might become part of your extended enterprise. Inevitably a third party will bring some risk, and that’s fine, so long as you understand what that risk is.

It also implies an ability to monitor regulatory change. You need to understand how a regulatory change in the outside world is shifting the criteria for “high” compliance risk in your specific organization.

And perhaps most importantly, you need an ability to understand the compliance risks that arise from your company’s own internal processes. New product lines, new incentive compensation schemes, new staff, new IT systems, new third parties, new assignments for third parties—all of them can affect your compliance risks, without anything in the “outside” world changing. 

To some extent (in many cases, to a great extent), compliance officers will need access to more data and more analytics to develop these capabilities. You’ll also need good relations with other parts of the enterprise so they can keep you informed about internal changes, which means support for compliance from senior leaders, so those other parts of the enterprise understand that compliance should be included. 

After that enhanced risk assessment still comes the part about responding to risks. As I said, responding “with agility” is crucial to success here. It, too, implies several specific capabilities for the compliance program.

The program will need skill at testing controls. They are the brakes that keep the company’s compliance risk from careening into a disaster, and they need to work. If not, you need skill at developing compensating controls to fill that gap. In practice, that might mean working closely with your audit team or an IT security function, or even an outside vendor. 

Without that ability to command and control change across the whole enterprise, the company can face serious questions about the effectiveness of its compliance program. Maybe the company isn’t devoting sufficient resources; maybe various employees aren’t giving compliance the priority it needs. Regardless, an inability to implement compliance defeats the whole point of a risk-based approach.

Company-wide automation processes in compliance management will certainly help. That is the reason why I always promote special software for data privacy protection so that the risks for the organization are substantially reduced.

Feedback is welcome; assistance in risk assessment and automation can be made available; contact me at [email protected]