Episode 3: Risk Assessment – Set and Stay the Course

Careful risk analysis and assessment are the central elements of an effective Compliance Management System (CMS). A look at the current international compliance standards makes this clear:

• UK Bribery Act: The company assesses the nature and extent of exposure to internal and external (corruption) risks. Risk analyses and assessments ensure that the existing risks are identified and prioritized accordingly, depending on business volume, activities, customers and markets.
• Foreign Corrupt Practices Act: The compliance policies and processes are developed on the basis of periodic risk analyses and assessments which take into account the individual circumstances of the company
• ISO 37001: “Risk analysis and assessment” are listed as a central component

If the specific risks a company faces are never precisely defined, all other elements of the CMS will be misguided and ineffective. The core questions are: What guidelines and processes are necessary? What should training and communication focus on? What safeguards should be put in place? The answers to these questions will be vague unless they are based on a clear understanding of the risks.

Many compliance officers neglect risk analysis and assessment and start right away by drafting guidelines they deem necessary, or by providing training on specific subjects. This is understandable. A thorough risk assessment involves hard work. However, only companies which understand their risks exactly can develop risk-specific guidelines, training, and monitoring which are precisely targeted to their real situation (“risk-based approach”).

The Systematic Approach

A robust risk assessment sets the course for keeping a company’s compliance activities on track in the medium and long term.

The compliance risk analysis should, in any case, be initially as broad as possible, focusing on “classic” risk areas such as white-collar crime, employee issues, competition and antitrust law etc.

As with the previous step of defining the areas of responsibility[1], a broad initial survey of all potential risk areas doesn’t mean the compliance officer is eventually responsible for all of these risk areas. Rather, the focus is on identifying activities or circumstances that could cause considerable liability risks or other harm to the company and the employees acting on its behalf and taking the necessary cross-functional risk reduction measures for these activities.

Procedure for Risk Analysis and Assessment

The following procedure has proven effective for conducting a risk assessment:

Throughout the process of risk analysis and assessment, the following aspects must be kept firmly in mind:

• A risk is the possibility of an illegal act which can lead to significant consequences such as sanctions (individually or for the company), compensation of damages, or a loss of reputation. Examples: Employees bribing foreign officials or making deals with competitors.
• Within the framework of a risk assessment, we look at activities or circumstances that may be linked to such risks. Risky activities and circumstances may include the following:

          – Risks associated with the specific industry (e.g. intensive regulation in the pharmaceutical or medical-device sector)

          – Geographic aspects (negative Corruption Perception Index,[2] political instability)

          – Importance of licenses and permits for a company

          – The degree of regulatory supervision and control

          – Opening up new markets in countries with poorly developed infrastructure

          – Coordination with business partners (e.g. distributors, consultants)

          – Joint projects

• The aim of risk analysis and assessment is not to eliminate risks. It’s hard to imagine a business without risks, and some risks are even inherent in the very nature of business activity and cannot be eliminated. Example: When the business involves significant dependence on official decision-makers, the risk of corruption can never be completely eliminated. However, it can be controlled as far as possible using targeted measures such as compliance audits, consulting, and training.
• During the implementation phase, it should also be clearly stated what a risk assessment is not: It is neither an internal investigation nor an audit. It is crucially dependent on employees feeling they can report as openly as possible on potential risks in their areas of responsibility.

At the end of a risk analysis should be a clear assessment: Which risks were identified? Which safeguards are already in place? Are they sufficient? Where are possibilities for improvement? Look for existing safeguards you can build on. Using them as a base, develop meaningful additions to effectively address the identified risks. At the end of a risk assessment, you will know which guidelines and processes are still missing and what subjects training should address. You’ll be able to determine your course and set sail.

What’s Next

In the next episode, we’ll address compliance guidelines.

If you are unsure how to set up and run your compliance project successfully, please feel free to contact me.

[1] See Episode 2 of the 12-Months Compliance Challenge.

[2] https://www.transparency.de/cpi.