As global regulations proliferate and stakeholder expectations increase, organizations are exposed to a greater degree of compliance risk than ever before. Specifically, compliance risk is the threat posed to a company’s financial, organizational, or reputational standing resulting from violations of laws, regulations, codes of conduct, or standards of practice.
To understand their risk exposure, many organizations may need to improve their risk assessment process to fully incorporate compliance risk exposure.
Because the array of potential compliance risks facing an organization is typically very complex, any robust assessment should employ both a framework and a methodology.
The case for conducting robust compliance risk assessments can be made given today’s business complexity. It is also deeply rooted in the US Federal Sentencing Guidelines for Organizations, which establish the potential for credit or reduced fines and penalties should an organization be found guilty of a compliance failure.
Nevertheless, according to a survey conducted jointly by Deloitte & Touche LLP and US publication Compliance Week, 40% of companies do not perform an annual compliance risk assessment.
In this article, we’ll discuss how CFOs can work with their Chief Compliance Officers to understand the full spectrum of compliance risks lurking in each part of the organization.
In addition, we will discuss ways to assess which risks have the greatest potential for legal, financial, operational, or reputational damage, and considerations for allocating limited resources to mitigate those risks.
How do compliance risk assessments differ?
Organizations conduct assessments to identify different types of organizational risk. For example, they may conduct enterprise risk assessments (typically owned by the CFO or the Chief Risk Officer) to identify the strategic, operational, financial, and compliance risks to which the organization is exposed.
In most cases, the enterprise risk assessment process is focused on the identification of “bet the company” risks—those that could impact the organization’s ability to achieve its strategic objectives. Many organizations also conduct internal audit risk assessments that likely consider financial statement risks and other operational and compliance risks.
While both of these kinds of risk assessments are typically intended to identify significant compliance-related risks, neither is designed to specifically identify legal or regulatory compliance risks (see comparison below).
[Figure: Interrelationship among enterprise risk management, internal audit and compliance risk assessments]
Therefore, while compliance risk assessments should certainly be linked with the enterprise or internal audit risk processes, they generally require a more focused approach.
That is not to say that they cannot be completed concurrently, or that they ought to be siloed efforts—most organizations may be able to combine the activities that support various risk assessments, perhaps following an initial compliance risk identification and assessment process.