Compliance Risk Management: Is it needed?

Coronavirus or not, you must ensure that your organization complies with the laws and regulations that apply to it. However, let me ask a more nuanced question. How much effort should a company put into effective compliance? That’s what a compliance risk management framework tries to answer.

By definition, compliance risk management refers to the practice of identifying potential risks in advance, analyzing them and taking precautionary steps to reduce/curb the risk.

After all, even with unlimited budget and resources (which we all don’t have these days), no company can achieve perfect compliance with all regulatory burdens at all times. Some mistake is bound to happen eventually. The goal is to reduce the operational risk of non-compliance down to levels acceptable to your board, and your regulators!

Compliance risk management is the art of managing the risk of non-compliance as best as possible, given the resources your compliance program has and the regulatory obligations your company faces.

As you might guess, companies can achieve practical, effective compliance risk management in any number of ways. One doesn’t buy a standard-issue compliance risk management program that fits all firms across all industries. You have to build one, based on your firm’s own business processes, employees, and regulatory compliance concerns.

What should compliance risk management do?

First, compliance officers need to understand where the risks of non-compliance for your business truly reside. Some are more prevalent than others, and those become the compliance risks your program should address first and most aggressively.

For example, some cornerstones of effective compliance are due diligence of third parties, data privacy protection, financial fraud prevention, anti-corruption, and anti-smuggling, to name just a few. A compliance program should address all of them, but not necessarily to the same extent; that depends on your business model. A firm that uses local agents extensively might invest heavily in due diligence, while another that uses employees in a direct sales model might spend more time on training and on enforcement of its gifts and entertainment policy.

So the first step in strategic risk management is to understand what your compliance risks really are, and how they come to be.

Second, understand what your company’s tolerance for a compliance risk is. The greater its tolerance for risk, the less exacting your compliance policies and procedures need to be.

Risk tolerance can be a fuzzy concept, so the internal control community devised a more precise phrase: “acceptable variation from a performance goal.” That’s the standard you want stuck in your head as you design policies, procedures, and internal controls: how much can company transactions or employee behavior deviate from the goal before senior management intervenes or regulators hit you?

For example, the company might have a policy that no local distributors receive discounts or credit notes that can later be converted into cash (a common way for distributors to pay bribes). Do you want no variation from that goal, with 100 percent compliance? That’s possible, but it requires exacting corporate accounting controls and willingness to fire anyone who violates the policy. Would you live with a failure rate of 1 percent or 5 percent — or different failure rates for resellers in high- and low-risk markets?

Every company will have to find its own correct answer. The point is that every company must answer the question, or it will not know how many compliance policies and procedures need to be established.

Third, ensure that the compliance processes you have are on pace with compliance risks. That is the art of risk management: it is a fluid thing, where the mechanisms to manage risk change as the risk does.

For example, if your firm hardly ever sells to governments, your anti-corruption risks are low, and perhaps you could survive with a manual approach to due diligence. Then new senior management arrives, or the company acquires a new subsidiary or expands into a new product line, where selling to government becomes a priority.

Your compliance risks have increased, so you need to ensure that your processes for managing that compliance risk are up to the task. A manual approach might no longer work, because there is so much due diligence to do that employees would be overwhelmed and skip it. Suddenly an automated approach becomes more sensible.

That’s compliance risk management: ongoing, shifting, constant. The objective isn’t to eradicate all your compliance concerns forever; that’s impossible. You just need to do the best you can with the resources you have — so a keen understanding of where your company’s risks come from, and how much it wants to quell them, is essential.

If you need assistance, especially in the automation approach, contact me at schumacher@gmail.com
