Category: Risk Assessments

How to Spring Clean Your Compliance Program

My favorite place to be is in my backyard, with the sun shining on me, in my oversized comfy chair watching the birds or reading a magazine. During the winter months, the sun becomes scarce. I try to scratch out some time on the weekends, but it’s often too chilly, even in my home near Los Angeles, to really enjoy the warmth.

Getting Along: Enterprise Risk and Compliance

This article first appeared on the Diligent Insights blog found here.

If you’re renovating your house, a general contractor is critical. He or she oversees the project and knows what needs to be done to execute the vision. But if the pipes aren’t fitted correctly, the general contractor may not see it until water seeps into the newly laid white oak floors. A general contractor is just that — general. They need the assistance of plumbers and electricians — specialists — to get a real view of the risks to the build.

The same is true in the relationship between enterprise risk (also known as integrated risk) and compliance. There’s currently a debate about whether compliance should be subsumed into a singular risk function. While compliance risk is part of a complete risk function, it needs to be separate and its risk assessment process independently managed.

Compliance Risk Is Distinct

Corporate compliance departments typically deal with a narrow, yet critical, set of risks. These include bribery, antitrust, trade compliance, data privacy, modern slavery, conflict minerals and/or money laundering. In short, the laws managed by compliance have enormous penalties when things go wrong. It’s not uncommon to see fines in the billions and the imposition of a corporate monitor for several years when companies act unethically. This subset of challenges needs its own department, budget and risk monitoring.

Five Best Practices

Enterprise risk management can easily work effectively with the compliance function to ensure compliance risk is understood and responded to appropriately. Here are five best practices to ensure smooth sailing…

Do I Need a Risk Assessment or Program Assessment?

Recently I noticed something interesting. At Spark Compliance, we’ve got this nifty software that tells us when various companies visit our website, and which pages people review. Nearly everyone who looks at the Risk Assessments page also looks at the Program Assessments page. In addition, I’ve recently had potential and current clients call me asking about risk assessments, when it’s clear based on their goals that they actually need a program review, and vice versa.

To a certain degree, the confusion makes sense. Both assessment types reveal areas where controls may be deficient and evaluate how risk is being managed. But the goals of the two activities are significantly different.

The US Department of Justice and other regulators endorse and expect risk assessments to be performed regularly and program reviews to take place on a systematic basis. How do you know which activity you need right now? First of all, evaluate the goal of the assessment.

The Goal of a Risk Assessment

The goal of a risk assessment is to evaluate the risks facing the business. This evaluation uncovers the major compliance-related risks, then ranks them by the likelihood that the harmful event will occur and by the impact it would have if it did. That likelihood is then reduced to account for the mitigating activity already in place, such as policies, training being performed, and other controls that manage the risk, which yields the residual risk the business actually carries.

The Goal of a Program Assessment

The goal of a program assessment is to…

VIDEO: Top Ten Mistakes Compliance Officers Make when Performing Risk Assessments

A couple of weeks ago I gave a webinar with Compliance Line that has created a huge amount of buzz. Its topic was the Top Ten Mistakes Compliance Officers Make when Performing Risk Assessments, and people were so engaged we couldn’t get to most of the questions! If you didn’t have the chance to see it, you can watch it HERE. In it, we explore the top ten mistakes (and what to do to fix them!). We look at:

1. Taking on too many risks at once

2. Tackling too many regions/business units

3. Creating document disasters

4. Religious adherence to the interview outline

5. Questioning knowledge instead of activities (this one is my favorite)

6. Not using a repeatable methodology

7. Throwing away the current program plan

8. Letting every score be medium

9. Using red/yellow/green on the heat map (ooh, this one is controversial!)

10. Shoving the report in a drawer

Risk assessments can be difficult, but they don’t have to involve self-sabotage. Find out how to make them better. View the video HERE.

p.s.: Don’t miss our next webinar on The Top Ten Third-Party Risk Management NIGHTMARES (just in time for Halloween!). Get more information and sign up HERE.
