When we are talking about risk assessment and the Evaluation of Corporate Compliance Programs, there are three areas to really focus on. First, the Evaluation considers how organizations create and use their methodology for risk assessment. Second, this new guidance focuses on how the data you gather informs the choices you make in your compliance and ethics program. Third, the Evaluation introduces the notion of manifested risk.
The Evaluation asks specifically: what methodology has the company used to identify, analyze and address the particular risks it faces?
It’s similar to the teacher who asks you to show your work. Here, you must show how you developed your methodology and why. You must also consider the risk assessment’s recommendations and explain why you chose, or did not choose, to implement them. Eric walks you through this process and explains how you can meet these standards.
This new guidance also suggests that the DOJ wants to know how you gather the information you analyze. What metrics, information and data are you collecting to help detect misconduct? How has it informed the compliance program? Many organizations gather data in a number of ways, through hotline reports, direct reports to management, and other human resources data. The Evaluation is a clarion call for organizations to aggregate data and show how the information you collect affects your program.
The Evaluation raises the idea of manifested risk, which is a new concept to many people. Manifested risk is risk that is likely to occur in your organization. For instance, if you know that the risk of bribery is high and there have been reports of bribery in the past, then bribery is a manifested risk for your organization. Many organizations spend time and money addressing risks that they are not likely to face. You want to look at your organization’s history and its operation to determine what your real risks are and then address those risks. You cannot be willfully blind.
When considering risk assessment, you must always consider the frequency of your assessments. There’s no hard and fast rule, but you should complete a risk assessment periodically.
Matt Kelly started his career in compliance and ethics as the managing editor of Compliance Week magazine. He spent over ten years of his career at Compliance Week, achieving the position of Editor and Publisher. Before working at Compliance Week, Matt was a freelance newspaper writer. After leaving Compliance Week, Matt founded his own company, Radical Compliance. Radical Compliance provides consulting and commentary on corporate compliance, audit, governance, and risk management. Radical Compliance also serves as Matt’s personal blog. Matt writes and speaks frequently on corporate compliance, audit, and governance, and now works with various private clients to understand those fields and to develop go-to-market strategies or provide other assistance in reaching audiences of compliance professionals.