Published

Shifting Your Regulatory Compliance to a Risk-Based Approach

The of a proactive or a risk-based approach is not new and may seem obvious: Identify the greatest risks to your organization and prioritize the related controls, policies, and procedures. This is familiar territory for risk managers, but it may require compliance professionals to take a second look at their approach.

We brought in the expertise of Carrie Penman, Chief Risk and Compliance Officer at NAVEX Global; Vera Cherepanova, the Head of Studio Etica; and Scott Moritz, Senior Managing Director of FTI Consulting, to explore a risk-based approach to regulatory compliance. 


Watch the full discussion: How to Adopt a Risk-Based Approach to Regulatory Compliance

Defining A Risk-Based Approach 

Determine your highest areas of organizational risk... Then identify your current mitigation strategies, any gaps between the current mitigation, and your acceptable levels of risks.

A good definition of a risk-based approach to regulatory compliance is "determining your highest areas of organizational risk, whether it's compliance, cultural, operational, financial, or reputational. From there, identify your current mitigation strategies, any gaps between the current mitigation, and your acceptable levels of risks," says Penman.

According to Moritz, the goal of a risk-based approach is understanding and demonstrating that you know your business operations and the risk landscape: “The products and services that you bring to market, your customer base, geography, customer acquisition process - these various external risk factors could have negative consequences.”

Benefits of a Risk-Based Approach

There are several benefits to adopting a risk-based approach to regulatory compliance:

  • More organization-wide focus on regulatory outcomes, resources, and activities
  • Greater flexibility to adapt to changing conditions
  • Increased transparency through clear outcomes and accountability

A New Mindset for a Different Approach

Some executives have taken the attitude that low-likelihood events are not going to happen at their company, and that planning for these events is a waste of resources.

“Starting a process with this attitude is probably not going to lead to an endeavor that will adequately identify potential risks,” says Penman.

"I encounter a lot of misplaced with executives, particularly if they are going through a risk assessment for the very first time," explains Moritz. “But when you start delving into specific scenarios, many executives realize: ‘Oh, yes, that could happen. And that would be devastating.’”

"I have seen so many times with so many companies that a risk assessment was a part of a compliance and ethics program, but not a foundation. The first step in a compliance and ethics program implementation is writing a code of conduct and a bunch of policies and procedures - with the risk assessment being a standalone and disconnected exercise,” says Cherepanova. “We need to change that mindset.”

Guiding Light 

The Department of Justice released new guidance for corporate compliance programs to help guide these efforts: The guidance emphasizes that a risk and compliance program needs to be dynamic. It needs to reflect the lessons learned by the company; or, if the company has not experienced significant negative events, lessons learned from members of their peer group, industry, or the geographies in which they operate.

Risk-Based Approach Not Adopted?

What could go wrong if you ignore risk-based regulatory compliance? There are several things to consider:

  • Your risk and compliance program could lose credibility
  • It may be hard to explain alternate approaches to the satisfaction of regulators
  • Reputational and monetary loss

“A risk-based effort needs to be a living, breathing process that is continuously updated and monitored. Letting it gather dust on the shelf is the ultimate failure,” says Penman.

Watch the full discussion!


Chat with a solutions expert to learn how you can take your compliance program to the next level of maturity.


ESG Ownership: Compliance, Convergence and Opportunity

Global Survey Finds Businesses Increasing ESG Commitments, Spending

While 81% of respondents have a formal ESG program in place, not many have confidence in the actual program. Take a look at our new ESG survey designed to capture the awareness and mindset of global managers and executive leaders.   

Previous/Next Article Chevron Icon of a previous/next arrow. Previous Post

What Compliance Leaders Need To Know About Germany’s Law To Strengthen Business Integrity

Germany’s “Law to Strengthen Business Integrity” regulates the criminal liability of companies under German law for the first time. The role of compliance management systems will prove crucial. Learn what the law is, what it means for affected companies, and what actions they should be taking now.

Next Post Previous/Next Article Chevron Icon of a previous/next arrow.

Subscribe Now!