Let’s start with what’s not a corporate compliance risk assessment – reviewing internal controls. At best, that is benchmarking or an audit of sorts. These reviews have their place, but they’re a health check to my mind. We need a lifestyle analysis for a more rounded risk assessment – a proper corporate compliance risk assessment.
We can’t estimate risk without understanding the organisation’s external lifestyle. A five-person technology start-up developing NFTs in a coworking space in Hong Kong faces almost none of the same risks as a sizeable Honduran aquaculture business supplying some of the United States’ biggest restaurant chains.
The first step in a practical corporate compliance risk assessment is to map the basics:
- What you do.
- Where you do it.
- With whom you work.
- How you work (model and markets).
If you’re struggling to conceptualise these ideas, we have developed a straightforward (and high-level) external risk assessment tool here, which you can complete for free. You can gather this information using a blend of surveys, workshops, and interviews, usually quite quickly. The trick is to avoid asking complex questions or using risk jargon. For example, avoid asking people to estimate likelihood using words like “possible, sometimes, probable, etc.”. If you’re inviting many people (via a survey), it’s often easier to ask us to estimate in percentage terms. When we pick numbers or values as a group, we tend to be accurate at the median point.
For workshops, I like tools including Mentimeter to allow anonymous (and therefore more honest) answers to simple questions. If we’re trying to assess integrity risks – including corruption, fraud, and conflicts of interest – I might ask:
- Who poses the biggest corruption risk? Allow the respondents to pick multiple options from your usual stakeholders (clients, central government (licenses & permits), local government, subcontractors, suppliers, etc.).
- How likely are the following risks? Then list options on a slider (0% to 100%), including requests for bribes from officials and paying officials extra to do their jobs properly.
Whatever tools or tactics, the goal is simple: reduce complexity, provide anonymity, and gather as many relevant opinions as possible. Technological tools coupled with targeted follow-up interviews seem to be the most effective methodology. Once you have this picture of the external lifestyle of your organisation, it’s a lot easier to develop an internal corporate compliance risk assessment right-sized to the pressures you will realistically face.
If you need more detailed guidance or advice on gathering this information within your organisation, let us know.
With a fuller picture of the lifestyle factors, we can move on to analysing the internal controls – also known as benchmarking. Our goal is to focus on those areas of most relevance. One of the problems with many so-called risk assessments is treating all controls as equal. Imagine you are planning to build a house. We need to know about our environment to choose the right location, materials, security systems, and features. Is the area fire or flood-prone, who lives nearby, what are the crime statistics, will we be connected to the grid, etc.
In the corporate compliance risk assessment context, we might focus less on payments to intermediaries if the organisation sells online, direct to end-users. Or we might need to assess if training is remote-enabled and accessible without a company email if our business involves flexible or contract labour (like in retail). We shrink the scope of the analysis to those controls and systems relevant to our risk profile.
When it comes to asking questions, keep it simple. Again, I like to use sliders, as there’s something more intuitive and spontaneous about them. For example, suppose I’m trying to assess integrity risks, including fraud, corruption, and conflicts of interest. In that case, I might ask, “Are the following drivers of risk? To what extent?” I’d use a slider with disagree and agree at either end, and questions might include:
- Pressure to hit targets
- Lack of understanding of compliance
- Lack of systems & processes
- Lack of leadership support
- Lack of compliance resources
- Actions of others (partners, suppliers, clients)
- Local and customer culture
It’s always helpful to focus on what causes internal risk – the behavioural analysis – rather than review controls in isolation. Going back to the building a home analogy – if our schematics and planning are flawless, but the construction crew are hopeless, the overall security of our new home will be compromised. Once the property is built, the most outstanding security systems in the world won’t save us if our kids keep leaving windows open, we don’t back up the CCTV feed, or we leave the alarm off. The internal risk analysis must focus on both the hardware and software.
If you’re stuck for inspiration, we have a compliance maturity scorecard assessment to get you started.
Analysing our risk software (human behaviours) is a natural segue to the final stage of our health and wellbeing review. An organisation’s mental health might be better described as its integrity or ethical culture. We don’t blurt out, “Are you depressed, anxious, etc.” to understand mental health. We usually ask questions designed to understand the underlying mental state and follow up with targeted questions.
It’s the same in an organisational setting. We have an assessment of your integrity culture here to get you started. What we want to understand is the well-being within the organisation across four domains:
- Accountability – how do leaders and managers behave? We also need to know how accountable they are.
- Knowledge – do people have the right resources and support to identify (potential) issues and respond appropriately?
- Trust – how do you assure people that you will listen and protect them when they speak up? We also need to understand if people can say, “I don’t know, understand, agree”, or “I made a mistake.”
- Accessibility – do people have access to timely support and help to address ethical challenges?
A 360 health check
Bringing together the external lifestyle factors, the health of internal controls, and the organisational mental well-being affords us a 360 perspective – a proper corporate compliance risk assessment. With some creativity, a sprinkling of technology, and most importantly, good questions, we can get this comprehensive lifestyle analysis affordably and quickly.
These assessments comprise approximately 50% of what we do, so if you’re stuck, get in touch for a no-obligation strategising session.