The idea of a proactive or risk-based approach is not new and may seem obvious: identify the greatest risks to your organization and prioritize the related controls, policies, and procedures. This is familiar territory for risk managers, but it may require compliance professionals to take a second look at their approach.
We brought in the expertise of Carrie Penman, Chief Risk and Compliance Officer at NAVEX Global; Vera Cherepanova, the Head of Studio Etica; and Scott Moritz, Senior Managing Director of FTI Consulting, to explore a risk-based approach to regulatory compliance.
Defining A Risk-Based Approach
A good definition of a risk-based approach to regulatory compliance is "determining your highest areas of organizational risk, whether it's compliance, cultural, operational, financial, or reputational. From there, identify your current mitigation strategies, any gaps between the current mitigation, and your acceptable levels of risks," says Penman.
According to Moritz, the goal of a risk-based approach is understanding and demonstrating that you know your business operations and the risk landscape: “The products and services that you bring to market, your customer base, geography, customer acquisition process - these various external risk factors could have negative consequences.”
Benefits of a Risk-Based Approach
There are several benefits to adopting a risk-based approach to regulatory compliance:
- More organization-wide focus on regulatory outcomes, resources, and activities
- Greater flexibility to adapt to changing conditions
- Increased transparency through clear outcomes and accountability
A New Mindset for a Different Approach
Some executives have taken the attitude that low-likelihood events are not going to happen at their company, and that planning for these events is a waste of resources.
“Starting a process with this attitude is probably not going to lead to an endeavor that will adequately identify potential risks,” says Penman.
"I encounter a lot of misplaced with executives, particularly if they are going through a risk assessment for the very first time," explains Moritz. “But when you start delving into specific scenarios, many executives realize: ‘Oh, yes, that could happen. And that would be devastating.’”
"I have seen so many times with so many companies that a risk assessment was a part of a compliance and ethics program, but not a foundation. The first step in a compliance and ethics program implementation is writing a code of conduct and a bunch of policies and procedures - with the risk assessment being a standalone and disconnected exercise,” says Cherepanova. “We need to change that mindset.”
The Department of Justice released new guidance for corporate compliance programs to help guide these efforts: The guidance emphasizes that a risk and compliance program needs to be dynamic. It needs to reflect the lessons learned by the company; or, if the company has not experienced significant negative events, lessons learned from members of their peer group, industry, or the geographies in which they operate.
Risk-Based Approach Not Adopted?
What could go wrong if you ignore risk-based regulatory compliance? There are several things to consider:
- Your risk and compliance program could lose credibility
- It may be hard to explain alternate approaches to the satisfaction of regulators
- Reputational and monetary loss
“A risk-based effort needs to be a living, breathing process that is continuously updated and monitored. Letting it gather dust on the shelf is the ultimate failure,” says Penman.