Risk assessments are one of the most important tasks a compliance officer performs – and also one of the most confounding. How do you keep assessing your organization’s risks in a disciplined, methodical manner, when the range and nature of those risks changes so often?
Thankfully we recently received some great advice on that point, courtesy of the U.S. Comptroller of the Currency, one of the chief banking regulators in the United States. OCC recently sanctioned a bank for systemic failures in risk management. The specific bank in question isn’t important for us here today, but the OCC settlement order included a lengthy explanation of what it wants to see for an effective risk methodology. It’s advice that compliance officers anywhere can put to good use in your own organization.
Start by knowing the business
First the OCC order stressed that the risk assessment should evaluate all the risks that the company has. The agency event included a list of where those risks might reside:
- Products and services offered;
- Customer types and entities served;
- Transaction types;
- Countries or geographic locations of customers and transactions;
- Methods the organization uses to interact with its customers.
In the OCC’s case, that list applies to banking. Now let’s imagine how those bullet points would work if you’re trying to assess FCPA risk. You’d be asking questions such as:
- Do we offer products or services to foreign governments?
- Do we know which of our customers qualify as state-owned companies?
- Which of our transactions would carry high corruption risk?
- Where in the world are we doing business, that we might encounter high levels of corruption?
- How do we actually interact with our customers? Through intermediaries, or on-the-ground sales offices, or via online interactions based here at home?
I like this approach because it emphasizes a subtle but important point: successful risk assessments depend on the compliance officer knowing the business.
That is, you need to understand how the business actually makes its money, who its customers are, and how the company interacts with those customers. You need to develop a map – either figuratively, in your head; or even literally on a whiteboard – of how the business operates. Then you can start matching those operations to risk.
That’s true whether the issue is anti-money laundering compliance (what OCC worries about), FCPA risk (what my questions above address), or any other compliance risk, really. First and always, the compliance officer needs to understand how the business operates. Then you can begin collecting data about risk that’s more useful and informative, because you know where to look and what questions to ask.
I like this approach because it emphasizes a subtle but important point: successful risk assessments depend on the compliance officer knowing the business.
Add up the data to understand risk
OCC said a bank’s risk assessment should also look at (1) volumes and types of transactions and services by country or geographic location; and (2) the number of customers that typically pose higher risk, both by type of risk and by geographic location.
This is useful advice too; it helps compliance officers understand the data you’ll need to collect and study to evaluate the risks you have.
For example, you might want to look at the volume of transactions that qualify as high FCPA risks, sorted by country; or the number of third parties that pose higher fair-labor risk, either by type (human trafficking, wage withholding, and so forth) and by location. The risks are different from what a bank faces, but the characteristics of your risk analysis are essentially the same.
The OCC order also talked about aggregating risks so you can evaluate them at the enterprise level.
For example, a bank compliance officer should assess risks individually within the bank’s business lines, and on a consolidated basis across all bank activities and product lines. Well, other compliance officers could do the same for FCPA or other types of compliance risks: look at each risk within your company’s major operating units, and at each risk for your enterprise as a whole.
Developing a sustainable risk assessment process
Let’s recap what we’ve covered so far. A successful risk assessment should be based on the compliance officer (1) knowing the business, so they can identify where compliance risk resides; and (2) adding up all relevant data, so they can study compliance risks in specific parts of the business or for the organization as a whole.
OK, but we still have our original question: How can compliance officers develop a sustainable risk assessment process that provides solid analysis time and again?
Those answers are straightforward. To know the business, the compliance officer must be involved with the business – meeting business unit chiefs regularly, sitting on in-house risk committees, participating in executive management meetings, and so forth. To collect and analyze relevant data, the compliance officer needs effective GRC tools and processes – gathering data through automatic workflows, then running it through sophisticated (but versatile) reporting protocols.
In other words, effective risk assessments truly are one part people skills and one part technology skills. The OCC settlement offers great advice; it lets us hear a regulator’s thoughts on what a good risk assessment process should be able to do. Then comes the hard work of compliance officers putting the right conditions in place at your organization so that you can build that good risk assessment process.
Interested in learning how NAVEX helps organizations with automating risk and compliance processes, including risk assessments?