by Jeff Kaplan
For those just getting started with compliance risk assessments, the KISS approach can be invaluable. And by KISS, I mean “Keep it Simple with Spreadsheets.” Spreadsheets are not mandatory in conducting risk assessments, of course. But for the beginners in this area, they can be exceedingly useful.
Consider the simple model below – along with associated commentary. Something like the following can be a helpful tool in creating or improving your risk assessment program.
Risk areas
The risk areas to be assessed generally include:
Additionally, some risk areas should be broken down into sub-risk areas, e.g., bribery of government officials as well as commercial bribery.
Risk areas can often be excluded from the compliance risk assessment process if they have been the subject of other risk assessments or do not appear to represent significant legal or ethical peril (de minimis risks). An example of the latter is copyright risks for most organizations (although copyright can be a significant risk area for some industries, such as publishing or entertainment).
Risk scenarios
Risk scenarios are scenarios of the most foreseeable and significant ways in which relevant law/ethical standards could be violated on a line or staff unit basis.
For instance, it is not necessarily sufficient to identify a company as having a significant fraud risk, without identifying the type of fraud at issue e.g., consumer fraud, financial risk, tax fraud, etc.
Mitigation – both existing and recommended
Risk mitigation generally includes written standards, training, other communication, policies, procedures, assigned accountability, internal controls, auditing/monitoring and any other form of mitigation that varies significantly by risk area. Generally speaking, a more detailed discussion of existing controls will assist in yielding more helpful recommendations as to additional mitigation to consider. For example, rather than simply listing “training” as a control for a given risk area, it is helpful to discuss the type of training, how recently and how frequently it is conducted, for what audience, and even relevant feedback on effectiveness.
Risk mitigation for a risk assessment generally does not encompass controls such as the helpline, investigations, discipline, incentives and background checks, at least as a general matter. This is because those controls are operative with respect to all risk areas and do not generally control for particular risks. These areas should, of course, be subject to periodic assessment, but those efforts will likely be more in the nature of a program assessment than a risk assessment.
Finally, the breadth and depth of risk assessment for any given area will generally depend on various factors. E.g., if a risk assessment is being conducted following a violation at a company, that may suggest the need for a broader and deeper assessment than a risk assessment being conducted on a routine basis.
Search the site
While some organizations bar conflicts of interest in all cases, many opt for allowing COIs to exist where appropriate. But how should appropriate be defined for these purposes?
Attending SCCE conferences is always a source of insights and new information. In these conferences I have seen quite a bit of focus on data analytics, and deservedly so.
The first time I saw Kristy Grant-Hart she put on a show about magic compliance dust and then brought the audience to reality by breaking the news that there is
In our years of assessing compliance and ethics (C&E) programs, my partner Jeff Kaplan and I have pinpointed several key attributes that we consider essential to an effective program, including