My favorite place to be is in my backyard, with the sun shining on me, in my oversized comfy chair watching the birds or reading a magazine. During the winter months, the sun becomes scarce. I try to scratch out some time on the weekends, but it’s often too chilly, even in my home near Los Angeles, to really enjoy the warmth.
Sometimes we just plain run out of creativity. Or we aren’t inspired. Or we don’t feel as if we’re connecting the way we need to with the business.
Would someone who came to the Ethics and Compliance Office refer a friend?
Shockwaves hit publicly traded companies in March of 2022 when the SEC announced its proposed rule that would require public companies to include certain climate-related disclosures in their annual reports and registration statements.
In January, we surveyed the compliance community to find out what your priorities are for 2023.
We asked about what you’re focusing on this year, the most important thing you’re working on, and the area of law you’re most focused on this year.
Let’s pull out your sanctions-specific risk assessment, shall we?
Wait, you don’t have one?
Ah, don’t worry, there are lots of folks in that boat.
Many companies don’t have a sanctions-specific risk assessment. But you don’t want to be in that boat because it exposes your company to enormous risk.
Coming up this Thursday, June 30, I have the honor to co-host 90 minutes of NAVEX Global’s deep dive into the results of its recent
This article first appeared on the Diligent Insights blog found here.
If you’re renovating your house, a general contractor is critical. He or she oversees the project and knows what needs to be done to execute the vision. But if the pipes aren’t fitted correctly, the general contractor may not see it until water seeps into the newly laid white oak floors. A general contractor is just that — general. They need the assistance of plumbers and electricians — specialists — to get a real view of the risks to the build.
The same is true in the relationship between enterprise risk (also known as integrated risk) and compliance. There’s currently a debate about whether compliance should be subsumed into a singular risk function. While compliance risk is part of a complete risk function, it needs to be separate and its risk assessment process independently managed.
Compliance Risk Is Distinct
Corporate compliance departments typically deal with a narrow, yet critical, set of risks. These include bribery, antitrust, trade compliance, data privacy, modern slavery, conflict minerals and/or money laundering. In short, the laws managed by compliance have enormous penalties when things go wrong. It’s not uncommon to see fines in the billions and the imposition of a corporate monitor for several years when companies act unethically. This subset of challenges needs its own department, budget and risk monitoring.
Five Best Practices
Enterprise risk management can easily work effectively with the compliance function to ensure compliance risk is understood and responded to appropriately. Here are five best practices to ensure smooth sailing…
Recently I noticed something interesting. At Spark Compliance, we’ve got this nifty software that tells us when various companies visit our website, and which pages people review. Nearly everyone who looks at the Risk Assessments page also looks at the Program Assessments page. In addition, I’ve recently had potential and current clients call me asking about risk assessments, when it’s clear based on their goals that they actually need a program review, and vice versa.
To a certain degree, the confusion makes sense. Both assessment types reveal areas of potential deficiency of controls and evaluate how risk is being managed. But the goal of the two activities are significantly different.
The US Department of Justice and other regulators endorse and expect risk assessments to be performed regularly, and that program reviews take place on a systematic basis. How do you know which activity you need right now? First of all, evaluate the goal of the assessment.
The Goal of a Risk Assessment
The goal of a risk assessment is to evaluate the risks facing the business. This evaluation uncovers the major compliance-related risks, then ranks them based on the likelihood that the bad thing will happen, and on the impact that the bad thing could cause. The likelihood is then reduced by the mitigating activity already in place. This may include having policies in place, training being performed, and other controls that manage risk.
The Goal of a Program Assessment
The goal of a program assessment is to…
A couple of weeks ago I gave a webinar with Compliance Line that has created a huge amount of buzz. It’s topic was the Top Ten Mistakes Compliance Officers Make when Performing Risk Assessments, and people were so engaged we couldn’t get to most of the questions! If you didn’t have the chance to see it, you can watch it HERE. In it, we explore the top ten mistakes (and what to do to fix them!). We look at:
1. Taking on too many risks at once
2. Tackling too many regions/business units
3. Creating document disasters
4. Religious adherence to the interview outline
5. Questioning knowledge instead of activities (this one is my favorite)
6. Not using a repeatable methodology
7. Throwing away the current program plan
8. Letting every score be medium
9. Using red/yellow/green on the heat map (ooh, this one is controversial!)
10. Shoving the report in a drawer
Risk assessments can be difficult, but they don’t have to involve self-sabotage. Find out how to make them better. View the video HERE.
p.s.: Don’t miss our next webinar on The Top Ten Third-Party Risk Management NIGHTMARES (just in time for Halloween!). Get more information and sign up HERE.
Kristy Grant-Hart is a compliance and ethics expert specializing in transforming compliance departments into in-demand business assets.