by Rebecca Walker
It’s been nearly 20 years since the Sentencing Guidelines’ definition of an effective compliance and ethics program was amended to explicitly reference the importance of risk assessment to effective programs. Twenty years and many compliance risk assessments later, I can’t help but feel that we as a profession have not quite mastered compliance risk assessment yet. Unlike program assessments, which have always (at least in my practice) followed a well-defined methodology, risk assessments have evolved significantly over the years.
My thinking has evolved significantly in this area also. In the old days, I questioned the value of colorful risk graphs – bright documents that map out compliance risks in terms of likelihood and impact and velocity and controls. I worried that they could create a false sense of certainty about the likelihood and impact of violations in particular areas. I questioned the value in terms of how we then utilize those graphs in improving our programs. I questioned the accuracy of the inputs. In addition, the greatest value from the risk assessments that I have conducted over the years comes from the recommendations for control enhancements, creating further doubts about the value of the charts, which don’t significantly contribute to specific recommendations for compliance program enhancements.
Value of a Risk Map
More recently, however, I’ve come to appreciate risk maps, even if I still shy away from the bright colors and continue to worry about all the issues set forth above. Risk maps can communicate about an organization’s compliance risk profile in a succinct and helpful manner. It has always been important to their oversight responsibilities that boards and senior leaders understand a company’s compliance risk profile. Risk maps are incredibly useful for that. And, since the case of Marchand v. Barnhill, the board’s understanding of the company’s risk profile – and, in particular, of what risks are “mission critical” to the company – has taken on greater significance. (In the 2019 case of Marchand v. Barnhill, the Delaware Supreme Court addressed the importance of board oversight of compliance systems in a company’s mission critical compliance risk areas.)
However, I’ve also wondered if we can’t get to the risk map more efficiently (and possibly more accurately) if we employ a simple, “quick but never dirty” ranking process, rather than using complicated formulas, thus leaving more time and resources for the valuable task of assessing and making recommendations regarding compliance controls.
Getting to a risk map in a defensible manner is no easy feat. You can ask appropriate employees to rate the risks for likelihood and impact, then graph out the averages of those ratings. The benefit of incorporating this into a legal risk assessment is that it affords a large number of inputs and gives you numbers. Everyone (including the DOJ) loves data, and it does feel oddly comforting to assign a legal risk a likelihood rating of 4.1 rather than just saying “it’s significant.” Those numbers also translate easily into those colorful charts that everyone loves. However, there are always concerns about the value of the data inputs. Can your head of sales adequately assess the impact of a data privacy violation? Does the head of HR have a well-informed sense of the likelihood or impact of an antitrust violation?
Another approach is to conduct interviews, which has myriad benefits, including allowing for focused discussions with appropriately positioned employees regarding how risks might arise at the organization and the effectiveness of existing controls. However, you can touch fewer people with the interview approach, so your inputs are more limited.
Then there are focus groups, where you bring folks together to identify, discuss and assess risks in a group setting. This can be helpful with respect to obtaining a variety of views. The group can also be asked to provide ratings, so data can be collected. However, this approach can also sometimes lead to “group think,” which can be counterproductive.
And regardless of methodology, there remains the concern that the map creates a false sense of certainty about the likelihood and impact of violations. So, the map is important to communicating, but the communication may be a bit misleading (even when we try hard to prevent that with lots of caveats).
The Quick But Never Dirty Approach
Another possible approach that we have experimented with lately taps the knowledge of a company’s in-house lawyers and other appropriate function heads to create the risk map. This approach limits the number of people who are providing inputs to those whose roles at the organization create a reasonable foundation for the rankings. Asking these employees (who are likely well-positioned to have a good understanding of the likelihood and impact of various legal and policy violations) to rank risks as high, medium or low, or on a three- or five-point scale, will allow for a depiction of those results in table or graph form, thus providing that thousand-word picture for senior leaders and the board in a less resource-intensive manner. The accuracy of this approach is likely similar to that of approaches that involve more number-harvesting, and it has the potential to create a more authentic representation.
Risk mapping is just one aspect of the compliance risk assessment process, of course. While risk mapping is a helpful educational and communication tool, the value of the broader compliance risk assessment process goes well beyond educating the board and senior leaders about the organization’s compliance risk profile. Risk assessments provide important opportunities to gather broad-based input for use in program design and enhancement of compliance controls.
In my experience, interviews are critical for understanding where there may be gaps in controls – or, as we often prefer to phrase it, opportunities to enhance the program. The interview process also creates important learning and training opportunities for those who participate, and it creates important auditing and measurement opportunities for those who conduct the assessment. When a risk assessment utilizes the “quick but never dirty” risk mapping approach, additional time and resources can be devoted to the valuable exercise of considering control enhancements – a topic that we will definitely explore in a future article.
In the meantime, we at Ideas and Answers would love to hear your thoughts on the value of risk mapping and what methodologies you have found to be most effective. As a profession, we still have a lot of learning to do in this area, and we would love to hear from you.
Marchand v. Barnhill, 212 A.3d 805 (Del. 2019).