Do I Need a Risk Assessment or Program Assessment?

Recently I noticed something interesting. At Spark Compliance, we’ve got this nifty software that tells us when various companies visit our website, and which pages people review. Nearly everyone who looks at the Risk Assessments page also looks at the Program Assessments page. In addition, I’ve recently had potential and current clients call me asking about risk assessments, when it’s clear based on their goals that they actually need a program review, and vice versa.

To a certain degree, the confusion makes sense. Both assessment types reveal areas where controls may be deficient and evaluate how risk is being managed. But the goals of the two activities are significantly different.

The US Department of Justice and other regulators endorse and expect risk assessments to be performed regularly and program reviews to take place on a systematic basis. How do you know which activity you need right now? First of all, evaluate the goal of the assessment.

The Goal of a Risk Assessment

The goal of a risk assessment is to evaluate the risks facing the business. This evaluation uncovers the major compliance-related risks, then ranks them based on the likelihood that the bad thing will happen and on the impact that the bad thing could cause. That likelihood is then reduced to account for the mitigating activity already in place, such as policies, training, and other controls that manage the risk, so that what remains is the risk the business still carries today.

The Goal of a Program Assessment

The goal of a program assessment is to…