Risk Assessment – The Most Important and Least Understood Component of an Effective GRC Program

NAVEX

What is our problem with compliance risk assessments? Why do we struggle with them and once they are done, why don’t we use them effectively?

Among the many crucial elements of effective compliance initiatives (internal reporting programs, policies, procedures, training, supply chain management, M&A, and more) are risk assessments – the intended foundational element of any compliance program. Just ask any regulator or read any global framework for an effective program and they all start with effective and ongoing risk assessment initiatives. Everything should be based on – and will be judged on – an effective risk assessment that identifies areas of risk to be addressed and remediated through said compliance program.

Beyond the best practice expectations, there is also a very basic and common-sense reason to perform a risk assessment – it helps an organization determine how and where to focus limited resources. For a simple example, every employee in the company does not need training on anti-bribery and corruption even if this is a high-risk area for the organization. Requiring irrelevant training wastes resources and leads those employees to feel like their time is being wasted.

A simple risk-based approach to defining who needs what training content helps make logical determinations about training time in a meaningful and cost-effective way. The same approach and thinking also applies to the more multifaceted risks.

Ethics and compliance risks are only getting more complex and nuanced especially as the global political environment is not focused on international cooperation and alignment on matters such as AI, data privacy, sanctions, human rights, ESG and beyond. The chances of missing something if we are only using an informal or limited approach are increasing by the day. More technology and datasets are available to support the process, yet organizations continue to struggle with effectively implementing and benefitting from this process. This is a trend we have been tracking for a long time and it is important for 2025 to be the year we change this.


Regulatory expectations

Risk assessments have long been part of the U.S. Federal Sentencing Guidelines and referenced in the Department of Justice (DOJ) Evaluation of Corporate Compliance Programs (ECCP). But often what we see is organizations conducting risk assessments (and not all do) and then filing them away, never to see the light of day.

The September 2024 DOJ update to its ECCP made clear the direction of travel: risk assessments, particularly with regard to new and emerging technology risk such as artificial intelligence, will be a focus for enforcement.

“The starting point for a prosecutor’s evaluation of whether a company has a well-designed compliance program is to understand the company’s business from a commercial perspective, how the company has identified, assessed, and defined its risk profile, including specific factors that mitigate the company’s risk, and the degree to which the program devotes appropriate scrutiny and resources to the remaining spectrum of risks. **This evaluation should account for emerging risks as internal and external circumstances impacting the company’s risk profile evolve.**”

And it is important to add that risk assessment is also a key element of other global guidelines and frameworks including A Resource Guide to the U.S. Foreign Corrupt Practices Act, Second Edition, (2020); the UK’s The Bribery Act 2010 Guidance; The Brazil Clean Company Act (2022); ISO 37301, Compliance Management Systems (as well as other ISO standards); and the U.S. Department of Health and Human Services General Compliance Program Guidance (2023).

Identifying and tackling the barriers to effective compliance risk assessment

So, why is such a crucial element of compliance largely lacking in focus, being underleveraged, or gathering dust on shelves? And why is there a gap between the regulatory and best-practice expectation that risk assessments drive risk-based business resource decisions and many current practices? Let’s identify the key barriers to success and consider some ways to tackle them for a more effective process.

1. Confusion about, or overlap with, enterprise risk assessments

First, we need to clarify the difference between an enterprise risk management (ERM) assessment and a compliance risk assessment because they are not the same. While an ERM is a systematic process to identify, evaluate and priority-rank risks that could impact a business as a whole, a compliance risk assessment is a subset that evaluates potential risks related to adherence to laws, regulations and industry standards.

An ERM is often driven by the finance team or the relatively new role of chief risk officer. These risks are big, like a natural disaster or loss of critical suppliers, and can literally bring a business down. In practice, very few compliance risks rise to the level of an enterprise risk. If they do, they are often related to bribery and corruption or an industry-specific compliance risk like money laundering in the banking sector or data privacy violations in healthcare.

That said, compliance violations can also be quite costly both financially and reputationally. A focused compliance risk assessment can supplement or stand separately from the ERM – though they are different, both are necessary. And both deserve board-level attention.

2. Not defining scope and desired outcome at the beginning

A good rule of thumb in many projects is to start with the end in mind. Doing a risk assessment can be a daunting task given the universe of compliance risks available. And there are a variety of ways to approach them – some more complex and time-consuming than others.

Before jumping in, determine the level of detail to be covered, the expected topics for review, the audience for the outcomes, and the form of the resulting findings and action plans. Make clear the resources and timing needed to complete the process so that all involved understand their role. Determine who will lead and participate in the process and keep them informed throughout.

One way to identify the scope and desired outcomes is to create an outline and sample of what the final deliverables will be so all understand what will be produced and expected next steps. For example, will you create a heat map showing the relative hierarchy of each risk? Check for understanding and feedback.

Keep in mind that most people, especially executives, don’t like surprises when it comes to compliance, so ongoing communication about the process and expected outcomes is key.

3. Fear of exposing weaknesses and increasing the risk of discovery

We hear this a lot. What if we find a serious weakness and it is used against us in litigation or enforcement actions? The bigger question is what if we don’t find it and it is used against us in litigation and enforcement actions? The answer to the second question is that it will likely be much worse than the answer to the first question.

We all know that identifying and documenting risks is, in itself, a risk, but every regulator I have heard asked this question says you will get more credit for a strong, informed risk assessment with concrete and measurable action plans versus putting your head in the sand. Obviously, the key thing is to do something about the identified risks. This means having a process that identifies mitigation strategies with plans, accountabilities and expected completion dates. Careful and thoughtful communication and documentation also help mitigate the risk of documenting identified risks.

4. Lack of leadership support and cooperation in the process

This barrier is often driven by a lack of understanding of why a risk assessment is important. Leaders have a lot on their plates – at all levels of leadership. This process itself requires resources.

They are likely to be more receptive to the initiative described in the scope section (number two above) when they know what to expect. They are less likely to be receptive to an explanation that “the DOJ expects us to do it.” Leadership needs to understand what’s in it for them. And hopefully, what’s in it for them is an organized approach to addressing compliance realities while maximizing the effectiveness and efficiency of resource allocation.

5. Lack of resources, processes, and systems to conduct risk assessment and then implement the findings and ongoing mitigation strategies

Even with the highest levels of support, we won’t have unlimited resources for this initiative. We don’t need to do everything at once. Instinctively, we already know the most serious risks our organization may face, so start there and identify a plan and timetable to go through the rest.

Some organizations bring in an outside expert to help with the process, reduce the time to complete the assessment, and add expertise. Purpose-built technology is also available to support and speed the process and reduce the load on compliance teams in managing the ongoing mitigation processes.

Most importantly, when planning, don’t forget the resources and timetable needed to manage the ongoing process once the risks and gaps are identified. If we don’t plan for this early, we increase the likelihood of risk assessments sitting on the shelf gathering dust and ultimately increase overall risk due to inaction. As much as we all would like to check off the completion of a potentially significant effort, the intent of a risk assessment as a foundational element means that it informs the day-to-day activities of the compliance program, and it is expected to change with the organization.


6. Disagreement over the likelihood, magnitude and priorities of identified risks

Disagreement is exactly what we are looking for! We want the organization to have thoughtful discussions about what is truly a risk, whether something is more likely or not to occur, whether we are taking sufficient steps to mitigate risk to an acceptable level, and what resources we need to do this. This is the objective of the exercise.

A formal risk assessment process just provides the vehicle and framework for these informed discussions. Smart people do the rest. Ultimately, time will tell how successful we are. How many organizations do you think got the likelihood and magnitude of a pandemic right? And how many do you think went back and adjusted their mitigation planning afterwards? Identification, debate, discussion, mitigation, lessons learned, and recalibration is the ongoing process of risk assessment.

7. Just like other longer-term strategy initiatives, it is pushed to a lower priority when daily activities and unplanned fire drills demand our time and attention

From my perspective, this is the biggest barrier. We all know we need to do this, and do it well, to positively impact the effectiveness of our compliance programs and protect our organizations from the damage of a significant financial or reputational hit of a compliance failure. We have the best of intentions and then the all-consuming allegation and investigation comes in. Here, I don’t have a good answer – just an observation that it needs to be a priority. In the end, it will help us identify and justify the resources we need to be effective – a short-term investment in a long-term strategy.

None of these are new or brilliant observations, yet they have been standing in the way of our success since the beginning of ethics and compliance programs. When we get this right, risk assessment is a powerful tool to guide an organization in risk mitigation strategies while making the best use of limited resources. It helps make the business more efficient and resilient and keeps us prepared should regulators come knocking.


The rise of data-driven risk assessment

Finally, an article on risk assessment would be remiss if it didn’t mention the incredible opportunities we have in using data to enhance and even transform our efforts. The fluid nature of global regulatory requirements, third-party risk, data privacy and cybersecurity laws, etc., make risk assessments an essential effort for the compliance function. And perhaps the most important piece of mature risk assessment processes is connecting the data.

Conducting a risk assessment that doesn’t connect elsewhere is about as useful as that planner you bought but never filled out. Luckily, technology is keeping pace with the change and can assist compliance leaders in making consistent and well-informed decisions based on the risk assessment findings. Driven by the proliferation of data and the increasing sophistication of analytical tools, data analytics is playing a pivotal role in enhancing risk assessment capabilities.

By using technology and analyzing vast datasets with advanced data analysis techniques, organizations can gain deeper insights into their risks, identify emerging threats and make more informed decisions. Commonly used tools like Power BI and Tableau have emerged as indispensable assets in this context. Artificial intelligence (AI) is another element presenting both challenges and opportunities for future risk assessments.

Final thoughts

Now is the time to honestly ask yourself: how are we doing with risk assessments, really?

Chances are, in one area or another, there is work to be done. And failure to prioritize this important compliance area can have a range of consequences including misdirected resources and missed opportunities to identify and mitigate emerging risks, especially given the ongoing drumbeat and focus from regulators on conducting and using risk assessments.

2025 prediction

With the regulatory focus on enforcement and corporate accountability, we can expect to see risk assessments play a crucial role in investigations and prosecutions.

Yet, with the realities of day-to-day operations, we can also, unfortunately, expect to see this important work remain a lower-priority, misunderstood and underutilized component of an effective compliance program.

That said, we have incredible opportunities with the rise of data-driven assessments and technology. The year 2025 can be the year of identifying significant risks and gaps through data analytics. Let’s seize the opportunity to reinvigorate our compliance risk management approach and take our work – and our organizations – to the next level.

Written by:

NAVEX