Making Your Risk Assessments Count: A Compliance Perspective to Risk Assessment
The traditional approach for assessing compliance risks focuses on the severity of impact and likelihood of occurrences, often on a residual risk basis. This approach often results in a cluster of low likelihood risks with various levels of potential severity and fails to address the potential implications to the enterprise of a breakdown in established policies and procedures. For compliance risks, in lieu of mindless guesswork on probabilities, companies should consider the effects of noncompliance events in terms of the following factors:
- The impact on reputation (e.g., fines, penalties, loss of revenues, legal fees and other costs, loss of market capitalization, the “spotlight attraction” effect, etc.).
- The velocity or speed to impact, including whether the effects of noncompliance can occur without warning and how quickly the effects can escalate, attracting media and regulatory attention.
- The persistence of the impact (i.e., the duration of time over which the noncompliance event will affect the company).
- The enterprise’s response readiness (i.e., how resilient the company is in responding to a noncompliance event).
As with operational risks, the no boundaries view of the enterprise can have an impact on compliance risks. For example, lead content, toxic materials, impure ingredients and other inputs provided by suppliers that do not meet specifications aligned with the laws and regulations the company is subject to can damage the company’s brand and reputation in the market, regardless of the supplier’s culpability. While compliance risk management addresses applicable laws and regulations rather than the effects of market forces or customer behavior, many of the same forces that drive other risk categories have an impact on compliance risk. Personnel attrition, influx of new personnel, rapid growth, new technology, increased complexity, speed to market and other performance pressures, for example, can create an environment where compliance issues can arise. So, too, can the business customs from different countries, new lines of business, new acquisitions and corporate restructuring.
Financial reporting risks, a variant of compliance risks, are a separate conversation. Given the structure provided by the Sarbanes-Oxley Act compliance process in the United States and similar processes in other countries, most companies understand that these risks, and the related internal control environment, require a separate assessment framework that focuses on financial reporting assertions.
Engage the Appropriate Process Owners to Drive Expected Results
For operational and financial risks, the expected results from assessing risk include:
- Monitoring performance
- Evaluating and implementing midcourse corrections
- Determining areas where response plans are needed
- Implementing process improvements to improve performance
- Providing inputs into the business planning process and periodic operational reviews
For compliance and financial reporting risks, the expected results include identifying, evaluating and remediating deficiencies in the control environment.
Responsibilities for the assessments of these categories of risks, as well as the responses to those assessments, can be allocated to the operating units, finance function, general counsel, chief compliance officer (if there is one), other support functions and the risk committee and/or senior risk officer (if there is one), according to the nature of the risks. As appropriate, the internal audit function can play a supportive, consultative role. The idea is to engage the managers best positioned to own the risk assessments, as well as the appropriate follow-up activities to act on the assessment results.
Learn more about Section 404 compliance on KnowledgeLeader through the resources listed below:
Control Gap Remediation Methodology Training Guide
SOX Training Guide: Remediation Efforts and Needs
Self-Assessment Questionnaire: IT Security Remediation
