Historically the compliance function did not understand and model processes for risk management. Compliance documented and met requirements, and found and resolved issues. There was limited modeling of compliance issues and risk to determine business impact and prioritization of resources. Most often compliance was reactive, putting out fires instead of actively interpreting and predicting compliance and ethics risk issues, and developing treatment plans to mitigate or avoid damage to the organization.
The CECO in the 21st century must take a risk-based approach to compliance processes. This requires the organization to take in information from the external business and regulatory environment, understand the current and future context of a dynamic and distributed business, and model risk and business impact today and into the future. In some industries CECOs are best served by risk models that support decision tree and scenario analysis to model risk in their environments, but they can also benefit from heat maps, MARCI charts (mitigate, assure, redeploy, and cumulative impact), and even quantitative approaches such as loss distributions in Monte Carlo simulations to portray loss and impact (if there is enough data to make these meaningful).
Regardless of the complexity of the analysis, the principles of compliance risk management are the same:
- Understand your risk: An organization needs to have a risk-based approach to managing compliance and ethics. This includes a periodic assessment (e.g., annual) of the exposure to the organization for unethical conduct. However, the risk assessment process should also be dynamic, done each time there is a significant business change that could lead to exposure and incidents (e.g., mergers and acquisitions, new strategies and entry into new markets).
- Approach compliance based on proportionality of risk: How an organization implements compliance procedures and controls must be based on the proportionality of the risk it faces. If a certain area of the world or a business partner receives a high risk score for ethics or corruption, the organization must respond with stronger compliance procedures and controls. Proportionality of risk also applies to the size of the business — smaller organizations are not expected to have the same measures as large enterprises.
- Monitor the risk and regulatory environment: Content and information on changes to risk and regulatory environments is critical. New laws, changed regulations, court rulings, and standards of practice all change what is required of the organization. The compliance function needs to have a defined process and be accountable to monitor risk of changes in the regulatory environment.
- Tone at the top: The compliance risk management program needs to be fully supported by the board of directors and executives. Communication with top-level management must be bidirectional. Leadership must communicate what is both acceptable and unacceptable risk, and support the compliance and ethics program. Executives and the board must be informed about the effectiveness and operations of the compliance and risk management strategy to fulfill their fiduciary obligations.
- Know who you do business with: Organizations need to know their business relationships. This requires that an established risk-monitoring framework is in place that catalogs the organization’s third-party relationships, markets, and geographies. Due diligence efforts must be in place to make sure the organization is contracting with ethical entities. If there is a high degree of risk of corruption, compliance, or ethical issues in a relationship, additional preventive and detective controls must be put in place. This goes beyond business partners: this means knowing employees, and conducting background checks where needed in order to understand if they are susceptible to corruption and unethical conduct.
- Keep information current: Due diligence and risk assessment efforts must be kept current. These are not point-in-time efforts, but must be done on a regular basis or when the business becomes aware of conditions that point to increased risk of ethics and compliance issues.
- Compliance oversight: The organization must have someone responsible for oversight of compliance risk processes and activities. This includes the authority to report compliance and ethical risk to independent monitoring bodies such as the audit committees of the board.
- Manage change in the business: The organization must monitor the business for changes that can impact its compliance and ethics program or introduce greater risk to corporate integrity. The organization needs to document changes required for business practices as a result of observations and investigations, and must implement changes through a deliberate program of change management. These changes must be monitored by compliance to actively prevent corruption.