Chapter 3: Running an Effective Compliance Program

Risk Assessment and Management

Conducting an effective risk assessment is an essential first step to developing a strong compliance program, as well as an essential operating process for managing the ongoing inherent and emerging risks that every business will face. An effective risk assessment framework and process, among other things, helps organizations identify direct and indirect compliance hot spots that when used in combination with technology and data analytics, can pinpoint unknown or unwanted trends in order to maintain an effective compliance program.

Regularly conducting a comprehensive risk assessment is recognized as one of the key elements of an effective compliance and ethics program. More broadly, as regulators have emphasized the importance of effective risk management, boards and management teams have increased their focus on the concept of “risk” and have observed a measurable shift on this focus at their organizations. By understanding the nature and the impact of the risks an organization faces, it is expected that an organization can better design programs and develop controls to mitigate those risks.

Performance of risk assessments often fall under the discipline of risk management, where organized frameworks and techniques have emerged. Risk management, in its most elemental form, comprises the identification, assessment, and prioritization of risks followed by the coordinated and efficient use of resources to monitor, mitigate, and otherwise control the probability and/or impact of the risks occurring. Broadly, organizational risks arise in many forms from the board room to the storeroom and everywhere in between. Examples include uncertainty in financial markets, operational failures, third-party risks, and natural disasters, to legal liabilities and reputational harms, and even missed opportunities (known as the “upside” risk).

More than ever there are areas of overlap between risk management and compliance. Risk management has become even more integrated into organizational processes and hardwired into various laws, rules, and regulations since the beginning of the 2008 financial crisis. So, the failure to have a risk assessment process may now itself represent noncompliance for many modern organizations. Some companies in the financial services industry have gone so far as to merge the two areas so that their related activities are better coordinated, though many are of the view that the disciplines have quite different skill sets and simply need to work more closely together as managers of risk.

The U.S. Department of Justice (DOJ) updated its guidance for federal prosecutors in 2020 on how to evaluate an organization compliance program when making charging decisions or sentencing recommendations. DOJ emphasized the importance of a robust risk assessment process in assuring that a compliance program was designed and operating to effectively mitigate compliance risks:[8]

The starting point for a prosecutor’s evaluation of whether a company has a well-designed compliance program is to understand...how the company has identified, assessed, and defined its risk profile, and the degree to which the program devotes appropriate scrutiny and resources to the spectrum of risks.[9]

DOJ guidance goes on to cite the following areas that prosecutors should consider as they evaluate the extent to which a company has appropriately assessed its risk profile and designed a compliance program to mitigate identified risks:

Risk Management Process: What methodology has the company used to identify, analyze, and address the particular risks it faces? What information or metrics has the company collected and used to help detect the type of misconduct in question? How have the information or metrics informed the company’s compliance program?

Risk-Tailored Resource Allocation: Does the company devote a disproportionate amount of time to policing low-risk areas instead of high-risk areas...? Does the company give greater scrutiny, as warranted, to high-risk transactions...than more modest and routine [activities]?

Updates and Revisions: Is the risk assessment current and subject to periodic review? Is the periodic review limited to a “snapshot” in time or based upon continuous access to operational data and information across functions? Has the periodic review led to updates in policies, procedures, and controls? Do these updates account for risks discovered through misconduct or other problems with the compliance program?[10]

As legal, compliance, and ethical risks are a major subset of the overall risks faced by an organization, it is essential for compliance professionals to be aware of risk management techniques, particularly those used in the industry sector in which the compliance professional works. Risk-management components and the role of risk managers vary by industry, the size and structure of the organization, as well as the risk financing strategies employed by the organization. Similar to the field of compliance and ethics, the risk management profession has evolved along functional needs and growing regulatory mandates.

Risk assessments are a proactive and preventive measure that should be a regular and systemic part of an organization’s compliance efforts. If the organization does not have a compliance program in place, a thorough, enterprise-wide risk assessment could be conducted as a first step in identifying potential areas of compliance risk and exposures.

This document is only available to subscribers. Please log in or purchase access.