Understanding and Approaching Compliance and Ethics Risk
Historically the compliance function did not model or manage its work as a risk process. Compliance documented requirements, met them, and found and resolved issues. There was little modeling of compliance issues and risk to determine business impact or to prioritize resources. Most often compliance was reactive, putting out fires instead of actively interpreting and predicting compliance and ethics risk issues and developing treatment plans to mitigate or avoid damage to the organization.
The CECO in the 21st century must take a risk-based approach to compliance processes. This requires the organization to take in information from the external business and regulatory environment, understand the current and future context of a dynamic and distributed business, and model risk and business impact today and into the future. In some industries CECOs are best served by risk models that support decision-tree and scenario analysis, but they can also benefit from heat maps, MARCI charts (mitigate, assure, redeploy, and cumulative impact), and even quantitative approaches such as loss distributions produced by Monte Carlo simulation to portray loss and impact (if there is enough data to make these meaningful).
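As an added illustration that is not part of the original post, here is the kind of loss-distribution model the paragraph above mentions, written in Python. It draws incident frequency from a Poisson distribution and incident severity from a lognormal distribution, simulates many years, and reports expected annual loss, tail percentiles and the probability of exceeding a threshold, then compares a baseline against a control that reduces event frequency. The scenario numbers (about two third-party or bribery incidents a year, a median cost of 100,000, a heavy right tail) and the function names are constructed for the example; a real assessment would replace them with the organization's own estimates and incident history.

```python
import math
import random


def poisson_draw(rng, lam):
    """Draw one Poisson(lam) count with Knuth's method (adequate for small lam)."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(events_per_year, median_loss, sigma, trials=20000, seed=7):
    """Monte Carlo of total annual loss for one compliance risk scenario.

    Frequency ~ Poisson(events_per_year); severity ~ lognormal with the given
    median and log-scale sigma. Returns one simulated annual total per trial.
    All parameters are hypothetical inputs an assessor would estimate.
    """
    rng = random.Random(seed)  # fixed seed so a run is reproducible
    mu = math.log(median_loss)
    annual = []
    for _ in range(trials):
        count = poisson_draw(rng, events_per_year)
        annual.append(sum(rng.lognormvariate(mu, sigma) for _ in range(count)))
    return annual


def percentile(values, pct):
    """Nearest-rank percentile of a list of numbers (pct in 0..100)."""
    ordered = sorted(values)
    rank = max(1, math.ceil(pct / 100 * len(ordered)))
    return ordered[rank - 1]


def summarize(losses):
    """Expected annual loss plus the tail figures a board report would show."""
    return {
        "mean": sum(losses) / len(losses),
        "p50": percentile(losses, 50),
        "p95": percentile(losses, 95),
        "p99": percentile(losses, 99),
    }


def exceedance_probability(losses, threshold):
    """Share of simulated years whose total loss exceeds the threshold."""
    return sum(1 for x in losses if x > threshold) / len(losses)


def compare_control(events_per_year, median_loss, sigma, frequency_reduction):
    """Baseline versus a control that cuts event frequency by frequency_reduction.

    This is how a proportionality decision can be framed: the difference in
    expected and tail loss is the most the control is worth spending on.
    """
    base = summarize(simulate_annual_losses(events_per_year, median_loss, sigma))
    treated = summarize(
        simulate_annual_losses(events_per_year * (1 - frequency_reduction), median_loss, sigma)
    )
    return base, treated


if __name__ == "__main__":
    # Constructed scenario (hypothetical numbers): ~2 incidents a year,
    # median cost 100k, heavy right tail (sigma = 1.0); control halves frequency.
    baseline, with_control = compare_control(2.0, 100_000, 1.0, 0.5)
    for label, s in (("baseline", baseline), ("with control", with_control)):
        print(f"{label:13s} mean={s['mean']:>12,.0f} "
              f"p95={s['p95']:>12,.0f} p99={s['p99']:>12,.0f}")
```

The mean tells the risk owner the budget-level cost of the exposure; the p95 and p99 figures are what the "cumulative impact" axis of a heat map or MARCI chart is trying to convey qualitatively. The caveat in the paragraph stands: the output is only as good as the frequency and severity estimates, and with a thin incident history the tail figures should be treated as ranges rather than point values.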
Regardless of the complexity of the analysis, the principles of compliance risk management are the same:
- Understand your risk: An organization needs a risk-based approach to managing compliance and ethics. This includes a periodic assessment (e.g., annual) of the organization's exposure to unethical conduct. The risk assessment process should also be dynamic, repeated each time there is a significant business change that could create exposure and incidents (e.g., mergers and acquisitions, new strategies, entry into new markets).
- Approach compliance based on proportionality of risk: How an organization implements compliance procedures and controls must be proportionate to the risk it faces. If a certain region or business partner receives a high risk score for ethics or corruption, the organization must respond with stronger compliance procedures and controls. Proportionality also applies to the size of the business: smaller organizations are not expected to have the same measures as large enterprises.
- Monitor the risk and regulatory environment: Timely information on changes to the risk and regulatory environment is critical. New laws, changed regulations, court rulings, and standards of practice all change what is required of the organization. The compliance function needs a defined process, and must be accountable, for monitoring changes in the regulatory environment and the risk they introduce.
- Tone at the top: The compliance risk management program needs to be fully supported by the board of directors and executives. Communication with top-level management must be bidirectional. Leadership must communicate what is both acceptable and unacceptable risk, and support the compliance and ethics program. Executives and the board must be informed about the effectiveness and operations of the compliance and risk management strategy to fulfill their fiduciary obligations.
- Know who you do business with: Organizations need to know their business relationships. This requires that an established risk-monitoring framework is in place that catalogs the organization’s third-party relationships, markets, and geographies. Due diligence efforts must be in place to make sure the organization is contracting with ethical entities. If there is a high degree of risk of corruption, compliance, or ethical issues in a relationship, additional preventive and detective controls must be put in place. This goes beyond business partners: this means knowing employees, and conducting background checks where needed in order to understand if they are susceptible to corruption and unethical conduct.
- Keep information current: Due diligence and risk assessment efforts must be kept current. These are not point-in-time efforts, but must be done on a regular basis or when the business becomes aware of conditions that point to increased risk to ethics and compliance issues.
- Compliance oversight: The organization must have someone responsible for oversight of compliance risk processes and activities. This includes the authority to report compliance and ethics risk to independent monitoring bodies such as the audit committee of the board.
- Manage change in the business: The organization must monitor the business for changes that can impact its compliance and ethics program or introduce greater risk to corporate integrity. The organization needs to document changes required for business practices as a result of observations and investigations, and must implement changes through a deliberate program of change management. These changes must be monitored by compliance to actively prevent corruption.

BTW, for proper attribution: the MARCI risk assessment is a methodology developed by Deloitte.
LinkedIn Groups
Group: Chief Compliance and Ethics Officers
Discussion: Principles of Compliance Risk Management
I agree, this is a very thoughtful and thorough analysis, but how does the CECO accomplish this in these tight economic times with cutbacks and budgetary restrictions? The CECOs I talk to in smaller companies are overburdened already and are working hard just to stay up to speed. Does this become a multi-disciplinary function, or is there software to aid? If the practical is not addressed, I believe this approach, theoretically accurate as it is, will not get implemented.
Posted by Alan
Alan,
Your comments are good. I am actually going to be addressing this in some subsequent posts. I typically work with larger organizations that have more resources to dedicate to this. There is a lot of opportunity for software to streamline processes and optimize costs.
LinkedIn Groups
Group: Unified Compliance
Discussion: Principles of Compliance Risk Management
Moving compliance from a fire department to a police department is a large undertaking. Using established Information Security Management System designs and GRC platforms to manage the system can ease the transformation.
I think that without the formal structure of a documented management system, adopted by the board and given a clear charter on how it is to interact with the company, any effort will be impossible.
Posted by Keith
Keith,
The problem is that compliance has been both a fire and police department. Many of my other blog entries comment on this issue. Organizations are trying to move compliance beyond being an internal enforcement agency to one that is a champion of values, ethics, corporate culture, and social accountability.
But I do agree that technology such as GRC software has a critical role to play.
LinkedIn Groups
Group: Corporate Integrity (GRC)
Discussion: Principles of Compliance Risk Management
Great Article. I agree that compliance has to be integrated with other areas in the organization such as Finance, Legal, Operations etc.
Posted by Joanne
LinkedIn Groups
Group: Corporate Integrity (GRC)
Discussion: Principles of Compliance Risk Management
Michael, thank you for the very inspiring article. The challenge I face now is to understand how a risk-based approach could be used for corporate ethics. While risk management for the fraud and anti-corruption dimensions is more or less clear, ethics is still a concept that needs a risk-oriented methodology.
Posted by Timur
Timur,
Great question. The United States Sentencing Commission Organizational Sentencing Practices, in what it defines as the elements of an effective compliance and ethics program, requires that a periodic risk assessment be done for unethical and non-compliant conduct.
To fully cover this, it may be best to blog about it in the near future, but here are some points.
1 – You need to define your ethical risks. What are the categories of ethical risk that your company faces? These can be conflicts of interest, fraud, corruption/bribery, human rights issues (e.g., child labor, forced labor), and many others.
2 – Prioritize your risk. Which areas/categories of ethical risk are of the most concern to the organization, and which should it be concerned about? This is influenced by your industry, past experience/incidents, the geographies you do business in, etc.
3 – Assess your risk. For each area of ethical risk, what is being done today to address it? Do you have the proper policies, training, and monitoring? Should more be in place? Is there too much in place, so that it inhibits the business?
4 – Determine your risk actions. You can accept the risk as it is (actually the risk owner does). You can insure the risk (not always feasible). You can avoid the risk by taking a different course of action (not always feasible). You can mitigate the risk by putting in additional levels of controls (preventive controls such as policies, training, and awareness; detective controls such as increased monitoring and assessments).
I will be sure to expand on this in some future posts.
LinkedIn Groups
Group: CompliancEX
Discussion: Principles of Compliance Risk Management
Great article and insightful comments! Thank you all.
Posted by Lucy
LinkedIn Groups
Group: CompliancEX
Discussion: Principles of Compliance Risk Management
Michael
I agree with the bulk of the points from the article; however, I disagree that the long-standing principle was that compliance and risk were mutually exclusive activities.
This may have been a more individual view of businesses, and/or of individuals within businesses, being largely behavioral (or ignorant of the risk components) of a compliance role.
Having spent a number of years in this space, I know that when compliance is discussed it is viewed as being the 'corporate firefighters' or used as a means of providing the appearance of good corporate governance. But from that, myself and the people I have worked with have always contemplated the risk and provided advice accordingly.
I always say, you can't always comply with everything all the time; therefore, what is the acceptable risk for those things that you can't comply with, and then what is the consequence of non-compliance?
If I ask myself that question every time, then I can effectively manage the compliance risks.
That is still a very useful article though.
Regards,
Ross
Posted by Ross
Ross,
I do understand and have seen compliance programs that have focused on risk management.
However, many compliance programs have focused more on checklists (making sure they cross their T's and dot their I's) than on understanding and modeling compliance risk. The reactive approach that focuses on checkboxes fails the organization in being able to understand and prioritize compliance risks so it can assign and balance appropriate and limited resources to manage the most significant compliance risks and exposures.
LinkedIn Groups
Group: CompliancEX
Discussion: Principles of Compliance Risk Management
While specific to the UK Bribery Act, the guidance offered by the Ministry of Justice regarding "adequate procedures" is very similar and provides a step-by-step approach to implementation of a process of risk assessment and proportional response. For someone newer in the field, it would be a good model for any compliance program, not just one dealing with anti-corruption. Really, it is not all that different from guidance under the Federal Sentencing Guidelines, but it offers very specific examples that can be helpful to the CECO in updating their programs.
Posted by Peggy
LinkedIn Groups
Group: Corporate Integrity (GRC)
Discussion: Principles of Compliance Risk Management
IMHO, the areas of compliance for any organisation first need to be identified to establish the focus of our efforts. Michael's principles will come in handy for Compliance Officers in performing their oversight responsibilities.
The issue is sometimes that management thinks the Compliance Officer is responsible for implementing the requirements of policies and procedures, regulations, etc., i.e. that they must make sure that the operations they are managing are compliant with legislation.
Posted by Julian
LinkedIn Groups
Group: CompliancEX
Discussion: Principles of Compliance Risk Management
Thank you for kindly sharing this useful article.
Posted by YUN
Excellent.
LinkedIn Groups
Group: Corporate Integrity (GRC)
Discussion: Principles of Compliance Risk Management
Thanks a lot for your article, Michael. As far as I am concerned, the point is how to coordinate activity between the compliance function and risk management; secondly, in my opinion, the lack of a proper risk assessment methodology (I mean, without a sound quantitative and/or qualitative approach) very often undermines the compliance function's activity and efficient reporting to top management.
Posted by Gianfrancesco
LinkedIn Groups
Group: Information Security Policy and Compliance
Discussion: Principles of Compliance Risk Management
What about FAIR which tends to be more quantitative vs. FRAP which tends to be qualitative?
Posted by Nancy
Nancy,
Both FAIR and FRAP can be used to meet the needs of compliance risk management, depending on the organization's specific needs. I do like quantitative approaches as long as they are not cumbersome.
LinkedIn Groups
Group: Information Security Policy and Compliance
Discussion: Principles of Compliance Risk Management
I like the thoughts here around compliance risk, although I am usually suspicious of so-called risk management when it comes to security controls. Every risk management program I have seen begins and fails with step number one: identify and rank your critical assets. Every asset in a modern environment is critical. If you could identify non-critical assets, you could eliminate them. I proffer threat-based management instead of asset-based.
Posted by Richard
LinkedIn Groups
Group: Corporate Integrity (GRC)
Discussion: Principles of Compliance Risk Management
Excellent article … thank you.
Posted by Mark
LinkedIn Groups
Group: CompliancEX
Discussion: Principles of Compliance Risk Management
Thank you for the excellent article …
Posted by Mark
LinkedIn Groups
Group: Corporate Integrity (GRC)
Discussion: Principles of Compliance Risk Management
Excellent post! Compliance is just one portion of the GRC departments. Regular audits and compliance reviews are essential to maintaining low risk. You have to know your customers and keep yourself informed about your industry in order to keep business running efficiently.
Posted by Laurie
LinkedIn Groups
Group: Corporate Integrity (GRC)
Discussion: Principles of Compliance Risk Management
Good post, Michael. Given that compliance is one of several important objective areas (strategy, operations and financial reporting also come to mind, along with supporting areas, e.g., information technology), would you advocate a similar approach for managing each of the other objective areas as part of a GRC program?
Larry
Posted by Larry
Larry,
In response to your post: yes. The more we can share information and provide shared services/processes across GRC-related roles in the organization, the better we can see the intricacies of risk and compliance.
LinkedIn Groups
Group: Healthcare Compliance and Risk Management Resource Center
Discussion: Principles of Compliance Risk Management
Michael, you are, of course, right on target. My observation is that companies that have a historic way of doing business fill their key positions with people entrenched in that mindset. This is the backbone of a corporate culture. And in a profession that is by nature "personally" risk-averse, such as healthcare, change is going to be very difficult, to the point that it may require new leadership. Once the proactive mindset is adopted, the battle in a sense is just beginning. This is why we see demand for training in what you might describe as reactive compliance, but puzzlement or at best polite attention when we talk about proactive ways to instill best practices. I'm not going to give up the fight, however.
Posted by Bruce
Bruce,
You are spot on: it does require a change in perspective. All of us need to do more work in measuring and modeling the value of proactive compliance risk management.
LinkedIn Groups
Group: CompliancEX
Discussion: Principles of Compliance Risk Management
Thank you for this insight. As someone who is newer to this field, it is helpful to see a broad view before things get too muddled in minutia.
Posted by Christopher
LinkedIn Groups
Group: Corporate Integrity (GRC)
Discussion: Principles of Compliance Risk Management
Agree with most, except that in real business this is more documentation and very little action. Proper risk management deals with actions on detection and mitigation, and while compliance does drive many of them, the majority is addressing the day-to-day business tasks with proper methods defined by each business. Hence the solutions can't be templated; rather, a flexible solution must be built to drive a flexible yet implementation-free-form model.
S
Posted by Sukanta
LinkedIn Groups
Group: Enterprise Risk Management Association
Discussion: Evolving Role of Compliance & Ethics in GRC Strategies
Michael, you have a valid point but I am still confused.
Is this the only reason for the existence of GRC?
Would I be wrong if I say GRC is another framework/model to practice ERM?
There was an article in the PMA's (Performance Management Association) latest newsletter which was quite confusing and conflicting in my point of view, and I communicated my feedback to the PMA. Here's what I wrote to them, for your consideration.
Hi Angela,
This is in reference to Fayyaz Malik’s article in the September issue of performance portal. (titled “Governance, Risk and Compliance – Risk Management Focus)
From my point of view as a risk professional, this article is too conflicting and confusing. For example, at one point the writer says,
“In order to be a world class organisation it’s vital for an organisation to implement the practices such as GRC, Risk Management, business process re-engineering etc that can tremendously change the organisation for good.”
What does he actually mean here? GRC stands for Governance, Risk Management and Compliance. Then what’s the need for mentioning Risk Management separately?
Toward the end of the article, he says "We offer a number of solutions and are developing further solutions for various organisations around GRC, which comply with various standards and regulations such as SAMA, Shariah, ISO 31000, ANZ 4360, COSO, SOX, BASEL II etc."
What he actually means here is beyond my understanding. As a matter of fact GRC is one approach to risk management by OCEG (Open Compliance and Ethics Group).
ISO 31000 is another framework for risk management based on ANZ 4360.
COSO II is another framework for risk management.
The BASEL II/III Accord is still another framework for risk management, specifically for the banking industry, by the BIS (Bank for International Settlements). Banks need to comply with the Basel Accord. It's a regulatory compliance framework for all banks all over the world.
SOx is not a risk management framework but rather an Act for compliance with respect to financial practice and corporate governance.
Shariah is the name of the Islamic jurisprudence to be practiced by Islamic banks in order to be Shariah-compliant.
One may implement and maintain any of the risk management frameworks (GRC, COSO, ISO 31000) to practice Enterprise Risk Management. Of course there are merits and demerits of each framework.
Posted by Ehtisham
Ehtisham,
ERM is the R in GRC. The risk management function does not manage compliance in day to day operations. Nor is the risk management function responsible for audit and other governance functions.
The goal of GRC is to provide a framework for collaboration between these roles as well as shared processes/information where it makes sense. It is not there to consolidate them but to respect each of their vital roles and get them to work together in harmony and consistency so that each can better serve the other and itself.
There are many good risk frameworks that can function to serve the R in GRC. However, not one of those risk frameworks truly builds out the requirements to manage regulations, define and communicate policies, manage investigations, conduct training – these are compliance functions.
These roles need to work together – that is what GRC is about. That is what the OCEG GRC Maturity Model promotes.
LinkedIn Groups
Group: Enterprise Risk Management Association
Discussion: Evolving Role of Compliance & Ethics in GRC Strategies
This is my definition of ERM:
A unified framework of corporate governance (including strategic direction, internal audit, legal and regulatory compliance, ethical leadership and corporate citizenship) and the management of risk integrated into all organizational processes for informed decision making to achieve strategic objectives for long term growth.
Posted by Ehtisham
Ehtisham,
I do think your definition of ERM is overly broad. I do not know of one ERM function that is truly managing all of these pieces. And the definition is so broad that what you define as ERM spans much of management in general.
LinkedIn Groups
Group: Corporate Integrity (GRC)
Discussion: Principles of Compliance Risk Management
Really excellent effort to comprehensively cover the complex topic of Compliance.
But I still have a small doubt about the efficacy of this paperwork in totally eliminating the risks, particularly in view of the current approach to various types of fraud.
Posted by Krishnan
Krishnan,
The goal of risk management (in this post, compliance risk management) is not to totally eliminate risk. Risk management is about risk acceptance, risk avoidance, risk transfer (insurance), and risk mitigation. Any of these risk options is applicable. Risk elimination is an expensive and impossible ideal, particularly when it comes to fraud.
LinkedIn Groups
Group: Enterprise Risk Management Association
Discussion: Evolving Role of Compliance & Ethics in GRC Strategies
I think it is important to not get caught up in trying to delineate between GRC, ERM, Risk Management, etc. The important thing is that your organization has a structured, disciplined approach to evaluate, measure, monitor, and mitigate risk. This can be done under one comprehensive GRC program, or as Michael proposes, split between GRC and a traditional Risk Management function.
The “best” model is one that works for your organization, and will likely vary depending on corporate culture, history, and executive management/board leadership. If it is split as proposed, however, there needs to be a clear definition of roles and responsibilities so important aspects of a GRC program don’t “fall between the cracks”.
Posted by Nick
LinkedIn Groups
Group: Enterprise Risk Management Association
Discussion: Evolving Role of Compliance & Ethics in GRC Strategies
I submit to you the hypothesis, Nick, that if a company does a great job at managing its risks, then it has all that it needs: a robust process for managing risks that is supported by principles and a framework. Forget the GRC stuff; it is not needed, is redundant, and only confuses the picture, as has been proven time and time again over the past several years.
We can take any example of any situation you could dream of in a company, and I can clearly demonstrate how a good system of risk management will address that situation comprehensively, should you desire to do so.
Posted by Arnold
Arnold,
Please point to the failures. I have given you examples in the past and you have yet to poke holes in them.
Yes – organizations fail. There are failed GRC strategies. I see just as many failed ERM strategies as well. There are also organizations doing things well.
One cannot argue that it is good to get roles of audit, risk, and compliance to work collaboratively and share information. The ERM frameworks out there are good for risk management – but they do not identify what compliance, audit, and other areas need. A broader framework of collaboration is needed.
LinkedIn Groups
Group: Corporate Integrity (GRC)
Discussion: Principles of Compliance Risk Management
I was reading the last comments and I found interesting, among the others, what Julian du Plessis wrote some days ago. I have to say I agree with him: I often cope with top management "ignorance" about what the compliance officer does. Sometimes he is considered a sort of mysterious object or simply a walking cost; sometimes he is required to write down procedures and rules, whereas he should be doing the opposite: checking that the company complies with the law and assessing the risk of not doing so. Actually the compliance function, at least in small or middle-sized Italian financial institutions, is not seen as a risk management function (yet).
I totally agree with what Michael said in his last comment.
Posted by Gianfrancesco
LinkedIn Groups
Group: Corporate Integrity (GRC)
Discussion: Principles of Compliance Risk Management
Adding to Gianfrancesco's comment, the conflict of interests between other business areas/management on one side and the Compliance function on the other makes it very difficult to manage and to get the cooperation that is mandatory for efficient compliance risk management. In addition, the role of Compliance as a control function keeps it far from being dealt with easily by other functions, as if it were a support function or another business area. So I would strongly recommend the concept of emphasizing the Compliance culture and sufficient knowledge for executive management about the real compliance risks and consequences and their serious impacts on the organization.
Posted by Mays