Risk assessments are one of the foundational elements of an effective ethics and compliance program. Yet many companies struggle to implement and maintain a basic, repeatable process for assessing risk. Common reasons include a lack of experience and a lack of resources: the people, the time, and the technology needed to carry out an assessment. With the ramifications of Covid-19, simple and effective risk assessments are needed now more than ever. A well-designed risk assessment process can be easy to administer, quick to deploy, and tailored to your organization’s size and complexity. It can also be a great way to engage employees and other key stakeholders who are working remotely during the pandemic.
The United States Federal Sentencing Guidelines (“FSG”) outline the general expectations for an effective risk assessment process. According to the FSG, risk assessments should:
- Be periodic in nature
- Evaluate the potential impact and severity of risk
- Result in prioritization and modification of the program [continuous improvement]
In its Evaluation of Corporate Compliance Programs – Guidance Document (“Guidance”), the United States Department of Justice (“DOJ”) went a step further and described what constitutes an effective risk assessment process. The starting point, as the DOJ notes, is “identifying, assessing, and defining your company’s risk profile.” Effective risk assessments also evaluate the degree to which you are devoting scrutiny and resources to the “full spectrum of risks,” not just the risks that are easily identifiable. The Guidance then provides three broad areas for evaluating the adequacy and effectiveness of your risk assessment process:
- Methodology. What methodology has the company used to identify, analyze, and address the particular risks it faces? What structure and approach does it use to assess risk? Is that approach sound and consistent, and has it been tested?
- Metrics. What information or metrics has the company collected about its risks? Are the top risks based on what the compliance team or a handful of leaders think, or do the results derive from a broader and more diverse group of stakeholders?
- Monitoring. How has the risk assessment process informed the company’s compliance program? Is the risk assessment current and subject to periodic review? When was the last assessment conducted, who reviewed the output, and what discussion ensued?
To address these three areas, compliance teams should build their risk assessment process around five key questions:
- Who participates in the assessment? A risk assessment serves two purposes. First, to tap into the “wisdom of the crowds” and understand the company’s “full spectrum” of risks. A diversity of experience, knowledge, and opinions is critical to the success of this process. As the Guidance asks, are the company’s risks determined by “what the compliance team thinks or a handful of leaders,” or does the assessment take a broader approach that includes subject matter and operational experts? One common mistake is to assume that participants don’t or won’t have the technical expertise to adequately assess each risk. This is a false assumption. It is precisely because each participant views the company’s risks from a slightly different perspective (some technical, some not) that this diversity drives an effective process.
Second, a risk assessment should be seen as an employee engagement tool – the tactical face of your ethics and compliance program. How well does it reflect on you and your program? Unfortunately, too many risk assessments suffer from extensive manual processes, lack of automation, and little transparency. This approach frustrates employees and ultimately diminishes the value of the risk assessment process. Effective risk assessments automate the assessment process and take a broad yet simple approach to both risks and participants. Moreover, the risk assessment can be a great way to connect with employees during this time of remote working.
- What risks should be assessed? Which risks to include in an assessment is ultimately up to you and your organization. Risks that are germane to your company and industry should be included, as well as risks that have occurred in the past (or most recently, like Covid-19) and risks that have afflicted other companies of similar size and reach. An effective risk assessment should also include emerging and non-conventional risks. For example, more and more companies include ethics and culture risks (e.g. ethical leadership, organizational justice, speak-up culture, fear of retaliation) in their formal risk assessment process. In addition, special attention should be given to risks that don’t necessarily make it into the “top 10” but have the potential to cause significant financial, operational, and reputational damage to the company (e.g. low frequency/high severity risks such as pandemics or recessions).
When assessing multiple risks across the organization, special attention should be given to the number of risks being assessed in the process. In our experience, an optimal number of risks to include in a risk assessment survey is between 15 and 30. Beyond that range, participants in the assessment will quickly succumb to survey fatigue and the potential for invalid responses or low participation is greatly increased.
- What methodology is used? The single most important factor to consider when designing a risk assessment methodology is consistency. As organizations change over time, so do their risks, and so does institutional knowledge. If your methodology is constantly changing, so will your focus. Maintaining a consistent process, however, ensures that the company’s risk profile can be compared from year to year on a like-for-like basis.
The de facto standard in risk assessment is the COSO-ERM framework. Most COSO-based methodologies evaluate a risk along four dimensions: (1) Likelihood – the probability of the risk occurring; (2) Impact – the financial, operational, human, and reputational impact if the risk does occur; (3) Effectiveness – the ability of the organization to manage the risk under normal operating conditions; and (4) Velocity – the speed at which the risk can manifest. We see most companies adopting some form or variation of the COSO-ERM framework as their methodology. An automated risk assessment tool that employs this framework can make assessing risk relatively easy and straightforward.
- What does the actual assessment process look like? Your company’s risk assessment process is highly dependent on your organization’s culture and internal processes. Some companies prefer a bottom-up approach, while others prefer a top-down approach. Some prefer standardized surveys, while others prefer 1:1 discussions or focus groups. However, an effective process includes some combination of the following:
- Surveys. Automated surveys are a good way to tap into the “wisdom of the crowd” and drive engagement with your ethics and compliance program. Surveys can be anonymous or named and they can be conducted at both a very high-level of the organization (i.e. the senior leadership team) and at very tactical levels of the organization for more granular assessments. Online surveys can also be completed remotely, thereby continuing the risk assessment process in this time of social distancing.
- Focus groups. Focus groups (including 1:1 meetings), which can be done remotely, can help provide color commentary around survey results or to establish your risk universe. They can also uncover hidden risks that may not have been identified during the assessment process. Focus groups are also a great way to drive engagement with the ethics and compliance program and to better understand the business.
- Action plans. As we will discuss below, taking action after a risk assessment is critical. Too often, the results of a risk assessment are stored away until the next risk assessment. Effective risk assessments include the implementation and monitoring of mitigation plans to address the risks identified. Ownership should be clearly assigned and progress tracked. Action plans also help employees connect risk mitigation with the underlying business activity.
- Discussions. Ultimately, the purpose of a risk assessment is to drive an open discussion within your organization about risk. This is the true benefit of an effective risk assessment process. These discussions should not just happen at the C-suite or Board of Directors level, but all levels of the organization. Discussing risk openly promotes a speak-up culture, leverages the diversity of the organization, and creates an effective process.
- What do you do with the results? As noted above, the risk assessment process is only as good as the risk discussion it fosters and the mitigation plans it creates. If there is no discussion and no mitigation, the risk assessment process is by default “ineffective” and has probably created more risk for the company than it has addressed: the company now holds a written record of risks it knew about and chose not to act on.
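As an added example that is not part of the original article, the following Python script shows how survey ratings on the four dimensions described above can be aggregated per risk, ranked, and screened for the two cases the text warns about: low-frequency/high-severity risks that a plain “top 10” cut would drop, and risks on which participants disagree sharply and which therefore belong in a focus group rather than a spreadsheet. It also discards off-scale answers, the usual symptom of survey fatigue. The 1-to-5 scales, the residual-score formula, the thresholds, and the sample responses are all assumptions chosen for illustration; none of them is prescribed by COSO or by the article.

```python
"""Aggregate COSO-style survey ratings into a ranked risk register.

Added example, not from the original article. The 1..5 scales, the
residual-score formula, the thresholds and the sample responses are
assumptions chosen for illustration.
"""
from collections import defaultdict
from statistics import median, pstdev

DIMENSIONS = ("likelihood", "impact", "effectiveness", "velocity")
# Assumed 1..5 scale on every dimension. For effectiveness, 5 means the
# organization manages the risk well under normal operating conditions.
SCALE = range(1, 6)

# Constructed sample: (participant, risk, likelihood, impact, effectiveness, velocity).
RESPONSES = [
    ("ops", "third-party bribery", 3, 4, 3, 2),
    ("legal", "third-party bribery", 4, 4, 2, 3),
    ("sales", "third-party bribery", 3, 5, 3, 2),
    ("ops", "data privacy breach", 4, 5, 3, 4),
    ("legal", "data privacy breach", 4, 4, 3, 5),
    ("sales", "data privacy breach", 4, 5, 2, 4),
    ("ops", "pandemic business interruption", 1, 5, 2, 3),
    ("legal", "pandemic business interruption", 2, 5, 2, 4),
    ("sales", "pandemic business interruption", 1, 5, 3, 3),
    ("ops", "retaliation against reporters", 2, 3, 4, 1),
    ("legal", "retaliation against reporters", 5, 4, 2, 2),
    ("sales", "retaliation against reporters", 2, 3, 3, 1),
    ("hr", "retaliation against reporters", 0, 3, 3, 1),  # off-scale answer, to be rejected
]


def split_valid(responses):
    """Separate on-scale ratings from junk. Survey fatigue shows up as skipped
    or off-scale answers; dropping them beats letting them skew the medians."""
    valid, rejected = [], []
    for row in responses:
        ratings = row[2:]
        ok = len(ratings) == len(DIMENSIONS) and all(r in SCALE for r in ratings)
        (valid if ok else rejected).append(row)
    return valid, rejected


def collect(responses):
    """Group raw ratings: risk -> dimension -> list of participant ratings."""
    raw = defaultdict(lambda: {d: [] for d in DIMENSIONS})
    for _participant, risk, *ratings in responses:
        for dim, value in zip(DIMENSIONS, ratings):
            raw[risk][dim].append(value)
    return raw


def aggregate(responses):
    """Per risk, the median of each dimension. Median rather than mean, so one
    outlier participant cannot drag a risk up or down on their own."""
    return {risk: {d: median(v) for d, v in dims.items()}
            for risk, dims in collect(responses).items()}


def residual_score(r):
    """Assumed formula: inherent exposure (likelihood x impact) discounted by
    control effectiveness. Velocity stays separate and is used as a tie-breaker."""
    return r["likelihood"] * r["impact"] * (6 - r["effectiveness"]) / 5


def rank(agg):
    """Highest residual score first; among equals, the faster-moving risk first."""
    return sorted(agg, key=lambda k: (residual_score(agg[k]), agg[k]["velocity"]), reverse=True)


def tail_risks(agg, max_likelihood=2, min_impact=4):
    """Low-frequency / high-severity risks that a plain top-N cut would drop."""
    return sorted(k for k, r in agg.items()
                  if r["likelihood"] <= max_likelihood and r["impact"] >= min_impact)


def contested_risks(responses, dims=("likelihood", "impact"), threshold=1.0):
    """Risks on which participants disagree sharply (population std dev above
    the threshold): candidates for a focus group rather than a single number."""
    out = {}
    for risk, by_dim in collect(responses).items():
        hot = [d for d in dims if len(by_dim[d]) > 1 and pstdev(by_dim[d]) > threshold]
        if hot:
            out[risk] = hot
    return out


def assess(responses):
    """Run the whole pipeline and return the register as plain data."""
    valid, rejected = split_valid(responses)
    agg = aggregate(valid)
    return {
        "ranking": [(k, round(residual_score(agg[k]), 1)) for k in rank(agg)],
        "tail": tail_risks(agg),
        "contested": contested_risks(valid),
        "rejected": len(rejected),
    }


if __name__ == "__main__":
    for key, value in assess(RESPONSES).items():
        print(f"{key}: {value}")
```

On the constructed data the pandemic risk ranks third by residual score yet is the only one surfaced by `tail_risks`, and the retaliation risk ranks last yet is the only one flagged by `contested_risks`, because one participant rated its likelihood far above the others. Both are exactly the items a ranking alone would hide and that the text says deserve a discussion rather than a number; the formula and thresholds should be fixed once and kept consistent across years, as the methodology section argues.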
In the age of Covid-19, risk assessments are needed now more than ever. Using available standards and proven techniques, your risk assessment process can serve not only as a foundation for your ethics and compliance program, but as a continuous engagement tool during these unprecedented times.
United States Sentencing Commission (2018). United States Federal Sentencing Guidelines, Guidelines Manual §8B2.1, Effective Compliance and Ethics Program, pp. 517–522, November 1, 2018.
United States Department of Justice – Criminal Division (2019). Evaluation of Corporate Compliance Programs – Guidance Document, April 2019.
Surowiecki, J. (2005). The Wisdom of Crowds. Anchor Books.
Committee of Sponsoring Organizations of the Treadway Commission (2004). Enterprise Risk Management – Integrated Framework. https://www.coso.org/Documents/COSO-ERM-Executive-Summary.pdf