Risk and compliance is a dynamic profession full of rapidly-evolving regulations, standards, and best practices. New frontiers and emerging technologies are changing the roles and responsibilities of compliance professionals, along with the risks they face.
Given this, it’s not surprising that NAVEX Next, our day-long virtual conference featuring speakers from across the risk and compliance spectrum, provoked a lot of questions, including in the fields of risk-based approaches, integrated risk management, and environmental, social, and corporate governance. In this new series, we offer our experts’ responses to many of the questions raised at this year’s conference.
A Risk-Based Approach to Compliance
Everyone agrees a “risk-based approach” is essential to compliance program success – but what does that phrase really mean in practice? In the session “How to Adopt a Risk-Based Approach to Regulatory Compliance,” speakers Carrie Penman, Scott Moritz, and Vera Cherepanova answer questions about how compliance officers can apply a risk-based approach to identify, quantify and respond to risk. Watch this session to learn more.
How should we prepare for low-likelihood, high-impact events?
Part of a risk assessment strategy is business continuity planning. There are a number of issues that might be uncovered in a risk assessment that would require some additional planning. Organizations that have successfully weathered the COVID-19 pandemic, for example, had very strong business continuity planning tied to the risk assessment process.
Who's responsible for the risk assessment: compliance or internal audit?
It’s not critical who does it. However, it is important that all parties be on the same page. Often, internal audit works in partnership with compliance. In some organizations, compliance does its own auditing; in others, internal audit has taken it on. But they need to work in harmony and not at cross purposes.
Do perceptions of a risk-based approach differ in different parts of the world?
They do. Risk preferences are a key element of economic behavior for us and our organizations. There is a lot of research examining risk preferences in different countries, how much they differ, or how much they are alike. And this research says that yes, risk preferences do differ on several levels. Individually, factors such as age, gender, financial situation, and character traits like introversion and extroversion influence our attitude towards risk. Macroeconomic factors such as GDP per capita, political and economic stability, and inflation rates affect our risk preferences and choices we make. Then there is also the culture, the factor of so-called “uncertainty avoidance,” which is usually a characteristic of a risk culture within a given country.
The combination of all this has an impact on how risk is treated within an organization – because organizations are people. We bring our whole selves to work, and our risk preferences come along with us. The decisions that we make at work are impacted by all the factors outlined above.
Environmental, Social and Governance (ESG)
Between racial equality, the #metoo movement, and climate change, Environmental, Social, and Governance (ESG) will be a big focus for business in the next few years. In the session “ESG: What is Demanded by Investors vs. What is Required by Law?”, speakers Kelli Rogge and Sam Abadir answer questions about how to build an ESG framework for your business.
Who should be on the cross-group steering committee at a large organization?
First, be sure to involve individuals from the finance arm of your organization. Then include people from investor relations as well as human capital or human resource departments. Your marketing team should be included. If you have an environmental health and safety function within your organization, that’s another important group to bring to the table as well. And of course, the risk and compliance functions play a huge role in this as well.
How do I get third parties on board with my ESG reporting, either to tell me this information or to follow my goals?
Incorporate third parties into your ESG planning by making it part of your contract. Make sure that it's included in any agreement you put together. Also, make it part of your RFI and RFP to ensure you're selecting vendors that have the same goals in mind. If ESG is part of your purpose, you want to make sure that your entire supply chain shares your values. Establish it in your vendor Code of Conduct, contracts, audit program, and vendor audit program.
Be patient and open to having conversations with a lot of third parties. Oftentimes, a key supplier or part of the supply chain can help get other third parties on board. Be clear about what kind of information you need and why you may be asking for it. If you're issuing a green bond, for example, there are various framework components associated with that and documentation needs in case of an audit.
Integrated Risk Management for Compliance
Integrated risk management may be the future, but it can be difficult to define. In the session “What Compliance Needs to Know About IRM,” French Caldwell offers answers to compliance questions about IRM – what it is, who’s responsible, and what actions organizations can take to get on board.
We don't have an enterprise risk management function, so how would we even get started at IRM?
Start integrating IRM by reviewing your strategic initiatives. Ask: "What are the assets that support our strategic initiatives? What are the processes? Who are the people? What are the systems, the technologies that support those strategic initiatives, and what are the risks associated with them?" Then do a business impact analysis on each of those risks. And as you go through those assets, people, technology, and processes, you begin to see the risks that can damage or sink a strategic initiative.
How can compliance officers adopt integrated risk management into their own areas of accountability and decision making?
Compliance officers are naturally attuned to risk. They're highly aware of regulatory risks, reputational risks, the risks to brands, and personnel risk. But there needs to be prioritization. Identify the things that could sink the ship and focus on those.
Once you’ve identified and prioritized your risks, take it up a level and open up a line of conversation with the strategic planners. Fear can help motivate and ensure funding, but it isn’t enough. Match risk to strategic initiatives and business performance. If you can get that positive business value discussion going, it helps to ensure that you’re really supporting the enterprise. When trying to make the business case for GRC, a third of your business case should be built above the line, above that inflection point of business value. We now call that IRM.
Of course, two-thirds of your case will still be based on making risk and compliance and audit work better together. Making sure that we're protecting the company. That we are ensuring our employees understand our ethics program, our code of conduct, and their own role. That they think to acknowledge it, sign off on it, and train properly on it.