Monday, 24 March 2014

Corporate compliance risk assessment, lessons learned



Since I have already written about risk theory and risk management in general, I am now writing more about compliance-specific risks and what a compliance risk assessment can tell you.


In order to be able to manage compliance risks, we first need to recognize them. For this purpose we first have to carry out a compliance risk assessment and put detective controls in place.

 
 
Actually, ideally we would first carry out a structured, well-thought-out compliance risk assessment throughout our organizations. In reality, many do this after having some practice in compliance or in specific compliance risk areas, learning about risks as you go, putting out fires and talking to the 'civilians' in an organization.
 
At least this is the situation in our part of Europe, where compliance programs and compliance management are novelties in the system of governance. Compliance as a governance function is barely starting to show on the map in the corporate world, making its space 'under the stars'. It has a lot to do with adding to the existing checks and balances and changing the power distribution in an organization, penetrating into already owned territories, breaking Chinese walls sometimes :) Taking up compliance as an independent function from scratch is a great challenge; it means a change, and it takes time, a lot of patience and energy. As most of the bigger changes do...
However, at some point the compliance officer will take up a compliance risk assessment.
These would be typical dangers and unwanted consequences of non-compliance that you want to detect, locate the source of, and prevent:
  • Regulatory Inspection and penalties
  • Civil damages and compensations
  • Criminal prosecution and penalties
  • Business loss or lost opportunities (like ban from a public tender)
  • Loss or damage in reputation.
These would be typical indicators that help you detect and locate compliance risks:
  • Tips from employees in different forms, like asking questions or direct reports of incompliance
  • Internal incidents
  • Clients' complaints
  • Regulators inspection and findings
  • Greater law suits and outcomes
  • Employee research findings (like ethics surveys, corporate culture or organizational climate research)
  • Process reality that differs from rules and procedures.
Analysing all or some of the above would be one way of conducting a compliance risk assessment. Also use it as a basis for interviewing the directors and key leaders in the company. This is really crucial in an overall corporate compliance risk assessment.
 
And the following are some of the typical drivers of compliance risks - the factors that you can (more or less) influence and thus act in a preventive manner:
  • The corporate culture, ethics
  • Tone from the top
  • Propriety / integrity of persons on top and middle levels and key positions
  • Reporting lines
  • Policy management and implementation
  • Employee education and awareness
  • Rewarding system
  • Disciplinary consistency
  • Compliance communication and training.
We can express compliance risks in categories in order to measure them.
We can rate low risk as 1 and 2 = not in the focus of your attention for now; however, you need to observe it regularly;
Middle risk can be rated as 3 and 4 = there is an actual danger that something bad will happen if we don't do something about it eventually; the time span and nature of the measures depend on whether the rating is 3 or 4;
High risk as a 5 = this is a red zone, a 'ticking bomb'; you need to react quickly.
 
You can assign these risk grades to an overall business operation, certain business operation, certain events, relationships, business dealings or a business partner. In order to grade a compliance risk, you would usually follow these steps, which are best shown on an example:
 
1. Specify the situation and the risk; what’s the potential danger of something bad happening in certain business operation or a business relationship;
Situation: You are a well known technology products manufacturer from Slovenia and you are building a plant in Bulgaria. You are hiring an experienced contractor there, who will need to attain some licences from the Bulgarian government.
 
Risk: Danger that a contractor is not fit for the task of building a plant properly, which can lead to regulatory fines, accidents could happen etc. There is also a danger that a contractor would offer inappropriate payments to Bulgarian officials in order to attain licences.
You have a risk of getting fined or prosecuted for safety issues, a corruption risk, and a reputation risk.
 
2. Evaluate the likelihood of that consequence happening (you have to base it upon certain facts, experience and assumptions);
Security incident = 2
Corruption = 4
Reputation damage = 4
 
3.  Evaluate the severity of that consequence, if it comes true;
Security incident = 4
Corruption = 5
Reputational damage = 5
 
4. Grade the risks accordingly;
Security incident = (2+4)/2 = 3
Corruption = (4+5)/2 = 4.5
Reputational damage = (4+5)/2 = 4.5.
 
5. Make propositions for mitigating these risks and then monitor;
As a compliance officer you would recommend that the company arranges for extra safety supervision while building the plant later; however, address the highest attention to proper practices in the procedures with the Bulgarian government. You could suggest that (additional) due diligence on the contractor is conducted, too. You would want to communicate your code of ethics to that contractor and have some of your corporate professionals escort this contractor through the procedures with the Bulgarian government. Your company will probably need to plan for a certain delay in starting your Bulgarian plant, due to the longer waiting time and administration needed to obtain the permits. But you will protect your good name (which has been shown to be highly threatened) and sleep well.
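The five steps above are a small scoring procedure, so here is an added example (not the author's own tooling) that implements it in Python: each risk carries a likelihood and a severity on the 1 to 5 scale, the grade is their average exactly as in step 4, and the result is mapped to the post's low / middle / high bands and sorted so the highest grade comes first. The Bulgarian plant risks are the page's own numbers; the rule that a fractional grade such as 4.5 is rounded up to the next whole grade before banding is an assumption, chosen so a borderline risk lands in the more cautious band.

```python
"""Compliance risk grading: grade = (likelihood + severity) / 2.

Added example. The band thresholds (1-2 low, 3-4 middle, 5 high) come from
the post; rounding a fractional grade UP before banding is an assumption.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class ComplianceRisk:
    name: str
    likelihood: int  # 1 (unlikely) .. 5 (almost certain)
    severity: int    # 1 (negligible) .. 5 (severe)

    def __post_init__(self) -> None:
        # Both inputs must stay on the 1..5 scale the grading bands assume.
        for label, value in (("likelihood", self.likelihood), ("severity", self.severity)):
            if not 1 <= value <= 5:
                raise ValueError(f"{label} must be between 1 and 5, got {value}")


def grade(risk: ComplianceRisk) -> float:
    """Step 4 of the post: the arithmetic mean of likelihood and severity."""
    return (risk.likelihood + risk.severity) / 2


def band(g: float) -> str:
    """Map a grade to the post's bands. Assumption: 4.5 rounds up to 5 (high)."""
    rounded = math.ceil(g)
    if rounded <= 2:
        return "low"
    if rounded <= 4:
        return "middle"
    return "high"


def assess(risks: list[ComplianceRisk]) -> list[tuple[str, float, str]]:
    """Grade every risk and return (name, grade, band) rows, highest grade first."""
    rows = [(r.name, grade(r), band(grade(r))) for r in risks]
    # sorted() is stable, so risks with equal grades keep their listed order.
    return sorted(rows, key=lambda row: row[1], reverse=True)


# The worked example from the post (Slovenian manufacturer building a plant in Bulgaria).
BULGARIAN_PLANT = [
    ComplianceRisk("Security incident", likelihood=2, severity=4),
    ComplianceRisk("Corruption", likelihood=4, severity=5),
    ComplianceRisk("Reputational damage", likelihood=4, severity=5),
]


if __name__ == "__main__":
    for name, g, b in assess(BULGARIAN_PLANT):
        print(f"{name:<20} grade={g:<4} band={b}")
```

Ranking the rows is the part the post leaves implicit: with ties kept in listed order, corruption and reputational damage (both 4.5, high) come before the security incident (3, middle), which matches where the post tells the compliance officer to put the most attention.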
 
Andrijana Bergant,
strongly convinced that a compliance as a business function will mark the future of Slovenian corporations’ governance, and that ethics will become something tangible in terms of business; usable in the process of serious business decision making.

Saturday, 8 March 2014

Switching to English with my compliance and ethics blog

I am switching to English with this blog, so more visitors can understand my notes. I am seeing that many of the visitors are from North America, too. Welcome! I hope it will give you some useful observations about the corporate compliance and ethics environment in this part of the CEE region.

My mission as a compliance professional - of which this blog is an important part - is to share my observations and knowledge from over 6 years of experience in building a compliance program from scratch in a Slovenian-based corporation. I hope to help advance the development of the compliance and ethics profession in Slovenia and give some orientation points to beginners in the field, as well as to possible business / professional observers from abroad. Namely, the state of corporate compliance and ethics is a strong definer of the market in general; in terms of stability, maturity, competitiveness etc...

This is the translation of the titles of my previous blogs:
1. The beginning of this diary
2. Do we understand risks or rather feel them
3. What does honesty mean to me
4. What does a compliance do in a corporation, as a governance function?

When I started my compliance job in late 2007, most corporate professionals and managers in my environment didn't know about compliance and ethics programs at all.

For a few years now, the compliance function has already been present in banks and most of the insurance companies in Slovenia, because of the two EU directives commonly referred to as the Basel 2 and Solvency 2 directives. These directives recognize compliance as one of the key functions in the system of governance and oblige financial sector companies - through the local legislation - to have it embedded in their governance structure.

Some companies from the pharma, telecommunications and manufacturing ... sectors also have compliance programs, due to the influence of their multinational principals. Most Slovenian managers and directors nowadays know that compliance and ethics are a special discipline and an ever more present part of corporate governance. There's a more recognized link to corporate ethics, too.

Not long ago ethics was taken as something that doesn't really fit in a serious business conversation; not so much because it wasn't considered important, rather it was underestimated, and definitely not something you manage or have to implement. Today, corporate ethics and integrity are highlighted and talked about a lot.

What has been happening in Slovenia for the last year or so is that several civil and professional organizations have started to form initiatives and working groups (of most of which I am an active member) exactly for promoting, educating and sharing good practices about compliance and ethics, using international standards and best practices.

I am just finishing giving an interview for Compliance and Ethics Professional, the magazine of the mainstream international corporate compliance and ethics organization, the Society of Corporate Compliance and Ethics (SCCE). It covers exactly this topic in more detail, and I will post it on my blog after it's published in the magazine first.


Andrijana Bergant,

strongly convinced that a compliance as a business function will mark the future of Slovenian corporations’ governance, and that ethics will become something tangible in terms of business; usable in the process of serious business decision making.