Editor’s note: This blog post is an excerpt from our ebook The 10 Key Elements of An Effective Compliance Program. You can download the entire ebook here.
Why it’s Important to Conduct Compliance Risk Assessments
Compliance programs must be customized to the needs and challenges facing each company and be comprehensive enough to deal with all of the risks the company has identified.
The presence of an effective compliance program could mean more leniency from regulators in the event of a corporate misconduct investigation. In fact, in April 2019 and again in March 2023, the U.S. Department of Justice Criminal Division updated its guidance document for prosecutors on how to evaluate corporate compliance programs in the context of conducting corporate investigations. DOJ guidance states that prosecutors should consider whether the compliance program is appropriately “designed to detect the particular types of misconduct most likely to occur in a particular corporation’s line of business” and “complex regulatory environment.”
An effective risk assessment should begin with a detailed picture of the compliance landscape your company operates in. The two questions to answer are 1) where are you doing business, and 2) what regulations cover businesses like yours?
For example, are you trying to work with customers in healthcare? If so, you will need to make sure that your systems that handle patient data can sufficiently meet HIPAA security requirements. If you collect, store, transfer, or process the data of residents in the EU, you will need to comply with GDPR. If you regularly deal with third parties or suppliers and subcontractors, you will need to make sure these third parties have sufficient compliance programs of their own to address information security, privacy, and fraud risks.
The most important thing is this: your compliance efforts should be aimed squarely at the risks that are most critical to your business.
An effective compliance risk assessment must also include a clear picture of your organization’s operations. In other words, you need to know the “who, what, where, when, and how” of the day-to-day operations happening on the ground in your company.
Key Steps to Compliance Risk Assessment
Step 1 – Understand the current state of affairs
Start by finding what already exists. Learn about and document the key company processes, systems, and transactions. It may be possible to find existing business process materials prepared for contract certification purposes. You also want to take the opportunity to meet key personnel who execute the business’s processes and systems. Interview these people and understand what motivates and stresses them.
Step 2 – Map the potential risk contact points that exist in your company
Once you have a detailed picture of your company’s operations and the compliance landscape your company operates within, it’s time to identify the compliance risk contact points: the specific company operations that present the potential for violating applicable regulations.
You can identify these contact points by evaluating each of the key processes, systems, and recurring transactions identified in Step 1 in terms of questions or issues associated with the regulatory regimes you want to comply with.
Step 3 – Assess the current controls in place to prevent, detect, and correct violations
Are the existing procedures and controls at your company effectively addressing the risk contact points you identified? For each risk contact point, identify the specific policy, procedure, work instruction, or any other control that applies. You should assess the sufficiency of these controls in the context of your knowledge of each contact point.
Consider the likelihood that a violation will occur given a current control, whether such a violation would be detected, and, once detected, what the worst potential impact of the violation would be.
The contact points that are insufficiently addressed by current controls present compliance program gaps that need to be addressed.
Step 4 – Determine and prioritize the compliance enhancement measures you undertake
Your company probably won’t have the resources to tackle every compliance risk at once. You should rank your program’s gaps in terms of risk criticality and the resources required to remediate them. You’ll want to expend more resources policing high-risk areas than low-risk areas.
Once you’ve prioritized your company’s compliance opportunities, you should identify projects to address them systematically. Identify the compliance enhancements that will generate the most benefits for your company.
Step 5 – Update your compliance risk assessment periodically
It’s important to note that a risk assessment shouldn’t be a one-off event. The DOJ’s guidance document for prosecutors states that as prosecutors evaluate the quality of a corporate compliance program, they should assess whether the company’s risk assessment is current and has been reviewed periodically.
Events such as the acquisition of new companies, movement into new geographical or sector markets, corporate reorganization, and engagement with new customers and regulators will raise different types of compliance risks. Similarly, regulatory changes and how enforcement authorities interpret these risks can create new compliance risks. It is important to implement a deliberate, recurring process to periodically update your risk assessment.
Regular compliance risk assessments are just one crucial element of an effective compliance program. To learn about the other program elements that are necessary for fostering a culture of ethical behavior and compliance, check out our ebook The 10 Key Elements of an Effective Compliance Program.