Monday, 24 March 2014

Corporate compliance risk assessment, lessons learned



Since I have already written about risk theory and risk management in general, this post focuses on compliance-specific risks and on what a compliance risk assessment can tell you.


To manage compliance risks, we first need to recognize them. For this we have to carry out a compliance risk assessment and put detective controls in place.

 
 
Ideally, we would first carry out a structured, well-thought-out compliance risk assessment across the whole organization. In reality, many do it only after gaining some practice in compliance or in specific compliance risk areas, learning about the risks as they go, putting out fires and talking to the 'civilians' in the organization.
 
At least this is the situation in our part of Europe, where a compliance program and compliance management are novelties in the system of governance. Compliance as a governance function is only just starting to appear on the map of the corporate world, making its place 'under the stars'. It has a lot to do with adding to the existing checks and balances and changing the distribution of power in an organization: penetrating territories that are already owned and sometimes breaking down Chinese walls :) Setting up compliance as an independent function from scratch is a great challenge; it is a change, and it takes time, a lot of patience and energy. As most bigger changes do...
However, at some point the compliance officer will carry out a compliance risk assessment.
These are the typical dangers and unwanted consequences of non-compliance that you want to detect, locate the source of and prevent:
  • Regulatory Inspection and penalties
  • Civil damages and compensations
  • Criminal prosecution and penalties
  • Business loss or lost opportunities (such as a ban from public tenders)
  • Loss of or damage to reputation.
These are typical indicators that help you detect and locate compliance risks:
  • Tips from employees in various forms, such as questions or direct reports of non-compliance
  • Internal incidents
  • Clients' complaints
  • Regulators' inspections and findings
  • Major lawsuits and their outcomes
  • Employee research findings (such as ethics surveys, corporate culture or organizational climate research)
  • Process reality that differs from the rules and procedures.
Analysing all or some of the above is one way of conducting a compliance risk assessment. Use it, however, as a basis for interviewing the directors and key leaders in the company; this is crucial in an overall corporate compliance risk assessment.
 
The following are some of the typical drivers of compliance risks: the factors that you can (more or less) influence and thus act on in a preventive manner:
  • The corporate culture, ethics
  • Tone from the top
  • Propriety / integrity of persons at top and middle levels and in key positions
  • Reporting lines
  • Policy management and implementation
  • Employee education and awareness
  • Reward system
  • Disciplinary consistency
  • Compliance communication and training.
To measure compliance risks, we express them in categories.
Low risk, rated 1 or 2: not in the focus of your attention for now, but you need to observe it regularly.
Medium risk, rated 3 or 4: there is a real danger that something bad will happen if we do not act eventually; the time span and the nature of the measures depend on whether the rating is 3 or 4.
High risk, rated 5: this is the red zone, a ticking bomb; you need to react quickly.
 
You can assign these risk grades to business operations as a whole, to a specific business operation, to specific events, relationships, business dealings or a business partner. To grade a compliance risk you would usually follow these steps, which are best shown on an example:
 
1. Specify the situation and the risk: what is the potential danger of something bad happening in a certain business operation or business relationship;
Situation: You are a well-known technology products manufacturer from Slovenia and you are building a plant in Bulgaria. You are hiring an experienced contractor there, who will need to obtain some licences from the Bulgarian government.
 
Risk: The danger that the contractor is not fit to build the plant properly, which can lead to regulatory fines, accidents and so on. There is also the danger that the contractor offers improper payments to Bulgarian officials in order to obtain the licences.
You therefore face the risk of being fined or prosecuted for safety issues, a corruption risk and a reputational risk.
 
2. Evaluate the likelihood of that consequence occurring (base it on facts, experience and assumptions);
Safety incident = 2
Corruption = 4
Reputation damage = 4
 
3. Evaluate the severity of that consequence if it materializes;
Safety incident = 4
Corruption = 5
Reputational damage = 5
 
4. Grade the risks accordingly (here as the average of likelihood and severity);
Safety incident = (2+4)/2 = 3
Corruption = (4+5)/2 = 4.5
Reputational damage = (4+5)/2 = 4.5.
Note that averaging gives a rare but severe consequence the same grade as a likely but minor one; if that distinction matters to you, multiply likelihood by severity instead (8, 20 and 20 here, on a scale of 1 to 25) or give severity extra weight.
 
5. Propose measures for mitigating these risks, then monitor;
As compliance officer you would recommend that the company arranges extra safety supervision when the plant is later being built, but give the highest attention to proper practice in the procedures with the Bulgarian government. You could also suggest that (additional) due diligence on the contractor is conducted. You would want to communicate your code of ethics to the contractor and have some of your own corporate professionals accompany the contractor through the procedures with the Bulgarian government. Your company will probably need to plan for a certain delay in starting the Bulgarian plant, because of the longer waiting time and administration needed to obtain the permits. But you will protect your good name (which has been shown to be highly threatened) and sleep well.
 
Andrijana Bergant,
strongly convinced that compliance as a business function will mark the future of Slovenian corporate governance, and that ethics will become something tangible in business terms, usable in the process of serious business decision-making.
