How to create a world-class compliance risk assessment
The Spanish Criminal Code provides specific requirements for the implementation of corporate compliance programs to regulate the criminal liability of legal entities. The Spanish framework is similar to the U.S. Federal Sentencing Guidelines for Organizations when the adequate oversight efforts to prevent a compliance breach are proven to reduce penalties. Having a criminal compliance risk map is one of the compliance program requirements mentioned by the Spanish criminal code.
Building a program to reach high business values requires the chief compliance officer to be focused on addressing criminal, compliance and ethical risks. This approach is supported by a risk map to assess business actions which may result in criminal offences, or more generally, in a regulatory, legal, contractual or ethical breach. This map will guide prevention actions, such as training or developing policies and internal controls, or contingency actions such as incident management or dealing with investigations.
There are many different approaches to produce a compliance risk map. I would like to highlight key best practices for a world-class assessment:
1- Set the risk mapping scope with a comprehensive list of criminal offences (locally the art .31 bis), regulations, contracts, voluntary commitments, and fraud schemes. This risk universe allows classifying risk factors to facilitate mitigation and communication actions. The compliance risk landscape should address industry-specific, counter-party and general regulations. Multinational companies should group the compliance risk domains by general topics to link them to different local jurisdictional requirements. This compliance requirement list should be validated by subject matter specialists from the compliance and the legal departments.
2- Follow a global ERM policy to assure this map can be easily integrated into the GRC management. While the ERM practices or the internal audit risk assessments are not specifically performed to identify legal and regulatory compliance risks, they can be combined, calibrated or linked to a legal compliance map. This project should be built on the current ERM activities. Also, assessing the financial impact ensures that the compliance risk map will not be limited in a qualitative category. Using international standards, such as the ISOs 31000, 37001 and 19600, allows better supporting the methodological framework.
3- Plan from the top to the bottom. Expanding the risk map may be time consuming. The compliance officer may perform an initial risk assessment to articulate efforts.
This is a simplified example for planning the risk mapping in a multinational company:
expand
You can expand this example with more data from compliance exception reports, detailed whistleblowing statistics, external and tax audit findings, transactional records, client complaints, surveys and social media data.
4- Cover the business actions produced by administrators, directors, managers, executives, employees, consultants and suppliers. Involve employees at many company levels, jurisdictions and functions to limit the risk biases while capturing both top and bottom risks. Set a clear ownership of the compliance risks to facilitate managing the action plans and reporting (my related article). Performing the assessments close to the operations increases the chances of identifying the most relevant risks. The chief compliance officer should understand the full spectrum of compliance requirements and issues. External legal advisors can be a good help.
5- Involve key people in the risk assessments. Risk owners will disclose their risks, their vulnerabilities, if they trust in the people in charge of the risk assessment. Involving locally well-recognized directors in the risk mapping is a must to do. Introducing the initiative with training also creates a positive working environment.
6- Compliance risks should be frequently followed-up according to their exposure by reviewing results of action plans, producing key risk indicators, and escalating them to different risk committees or executive boards. Ethics and compliance risks appear each day by regulatory pressures, new strategic objectives, organizational changes, and cybercrime. Just getting a compliance risk map is false compliance (locally called make-up compliance in Spain). The dynamic follow-up of risk actions builds the compliance culture.
What lessons have you learned produce a compliance risk map? Please, expand this article with your comments.
Get the latest in corporate governance, risk, and compliance on Twitter