Executive management and the board of directors are expected, more than ever, to have their finger on the pulse of their organization’s compliance management system and to build compliance risk discussions into the assessment of strategic decisions. At the same time, personal and professional exposure with respect to compliance has increased at the senior-most levels of management. How, then, can the compliance function give senior management and the board a higher level of confidence in their ability to monitor and direct compliance efforts?
1. Build Regulatory Inventory
Developing a compliance risk profile for your organization starts with building out a centralized regulatory inventory, i.e., all the laws and regulations applicable to the organization given the universe of activities your organization is engaged in. The applicable laws and regulations are mapped to the activities to which they apply. A corollary is that you can see where there are regulatory crossovers (i.e., regulations that apply to multiple activities), which provides opportunities for process and operational efficiencies.
2. Determine the Inherent Risk of Applicable Laws/Regulations
With the regulatory inventory, we then develop a compliance risk profile for the organization. The risk profile is built from the bottom up, i.e., we start with individual activities and roll those up into an aggregate view at the enterprise level. To do this, we first determine the inherent risk level of each applicable law and regulation. Inherent risk is the risk posed by the applicable laws and regulations absent any mitigating controls. There are many factors that go into determining inherent risk. Among other things, the risk assessment allows the organization to identify which of its many activities contribute the most to its overall compliance risk profile, thus providing important input to strategic decision-making.
3. Map Controls to Applicable Laws/Regulations
Once the inherent risk is determined, we identify and map control factors to each regulatory obligation. If controls do not exist, they will need to be developed to mitigate the risk. There are different types of controls—some are preventative and some are detective; some are manual, while others are automated. Well-implemented automated, preventative controls are generally more effective than manual, detective controls and allow for real-time monitoring. The frequency of the control can also be specified. The type and quality of the control should depend on the level of inherent risk of the applicable regulatory obligation and the organization’s view of that risk. The risk/control relationship can be one-to-one or one-to-many. The important thing is that by documenting these in a centralized, integrated solution, the connections can be easily seen—it creates transparency and allows for operational efficiency.
4. Calculate Residual Risk
After the inherent risks are determined and controls are mapped, the residual risk is then calculated. Residual risk is the risk remaining after controls are put in place, and this takes into consideration the design and operational effectiveness of the controls.
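As an added illustration (not code from the original article), here is a small Python model of the four steps: obligations mapped to activities, inherent risk scores, controls reused across obligations (one-to-many), and residual risk rolled up bottom-up from activity to enterprise level. The activity, regulation and control names, the 1-to-5 scale, and the formula that compounds design and operating effectiveness are assumptions made for this example.

```python
from dataclasses import dataclass, field

@dataclass
class Control:
    name: str
    design_eff: float     # 0..1: how well the control is designed
    operating_eff: float  # 0..1: how reliably it actually operates
    def effectiveness(self) -> float:
        return self.design_eff * self.operating_eff

@dataclass
class Obligation:
    activity: str
    regulation: str
    inherent: float                                # 1 (low) .. 5 (high), absent controls
    controls: list = field(default_factory=list)   # one-to-many: a control may be reused
    def residual(self) -> float:
        # Each control removes its share of the risk still left, so partial controls compound.
        remaining = 1.0
        for c in self.controls:
            remaining *= 1.0 - c.effectiveness()
        return self.inherent * remaining

# Constructed sample inventory; activity, regulation and control names are hypothetical.
screening = Control("automated sanctions screening", 0.9, 0.9)
review = Control("manual privacy review", 0.8, 0.5)
INVENTORY = [
    Obligation("customer onboarding", "KYC rule", 5, [screening]),
    Obligation("customer onboarding", "privacy law", 4, [review]),
    Obligation("marketing", "privacy law", 3, [review]),  # same control mapped twice
    Obligation("marketing", "advertising rule", 2),       # no control yet: a gap
]

def crossovers(inventory):
    """Step 1: regulations that apply to more than one activity."""
    seen = {}
    for o in inventory:
        seen.setdefault(o.regulation, set()).add(o.activity)
    return {r: sorted(a) for r, a in seen.items() if len(a) > 1}

def control_gaps(inventory):
    """Step 3: obligations with no mitigating control mapped yet."""
    return [(o.activity, o.regulation) for o in inventory if not o.controls]

def profile(inventory):
    """Step 4: residual risk rolled up per activity and for the enterprise."""
    by_activity = {}
    for o in inventory:
        by_activity[o.activity] = by_activity.get(o.activity, 0.0) + o.residual()
    return by_activity, sum(by_activity.values())
```

Sorting the per-activity results shows which activities contribute most to the enterprise residual risk, which is the input to prioritization described in the closing paragraph.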
Compliance risk assessment helps an organization understand the full range of its risk exposure, including the likelihood that a risk event may occur, the reasons it may occur, and the potential severity of its impact. When effectively implemented, it helps organizations prioritize risks, map these risks to applicable risk owners, and effectively allocate resources to risk mitigation.