Risk assessments are an essential component of corporate compliance and ethics programs that organizations cannot afford to overlook. When conducted properly, risk assessments are an effective way for companies to monitor and evaluate potential compliance risk within an organization. Here are the top 5 tips, based on our experience, for creating and conducting effective risk assessments:
1. Understand the importance of risk assessments. Risk assessments aren't just a legal obligation. They are an integral element to creating, implementing and enforcing an effective compliance and ethics program. Building annual risk assessments into your company's compliance program is a must. Enforcement authorities increasingly expect companies to have formal processes for periodic assessment of compliance risks and to take appropriate steps to design and implement the risk assessments.
2. Design and implement a formal risk assessment process. The methods for conducting risk assessments should be tailored to the organization's specific industry, size and structure, and may include the use of questionnaires, employee surveys, live assessments and workshops, self-assessments, and interviews. Often times, having an outside team conduct an initial live risk assessment workshop with an organization's senior management teams in order to identify high-level areas of concern is the appropriate first step. These workshops enable organizations to begin charting areas of concern and potential remedial action plans. Other times, providing the organization with a toolkit that can be used to conduct self-assessment exercises internally, including holding risk assessment workshops, is a more suitable option.
3. Be objective. To be effective, a risk assessment must be objective and comprehensive on risks. It must also engage employees and functional leadership in the dialogue of what specific issues or concerns keep them up at night.
4. Conduct risk assessments regularly. Risk assessments should be a regular, systemic part of compliance efforts rather than an occasional, infrequent exercise performed when convenient or after a crisis. It is important to conduct risk assessments at the same time every year and deputize a consistent group, such as your internal audit department, compliance committee, or outside legal team to conduct the annual review.
5. Recognize the compliance risks and undertake a comprehensive review. Compliance programs should address key risk areas such as effective understanding and enforcement of company policies. Companies should conduct due diligence on business partners and implement effective internal controls for accurate books and records. Employees should be able to report violations confidentially without fear of retaliation. These are all important areas to be mindful of while conducting risk assessments. It is also important to memorialize risk assessment findings in an internal annual reporting process. Once the assessment is complete, the compliance or audit team should carefully compile its findings and recommendations in a comprehensive report to be presented to the chief compliance officer, board of directors, and/or other senior management for review and consideration of appropriate next steps.
What works for one particular organization may not work for another. What is important is to regularly analyze and evaluate the potential risk areas that are present within your company, in order to minimize those risks to the greatest extent possible.
Outside General CounselTM and Nicoll Davis & Spinella partner with employers to ensure that their business is properly conducting regular and effective risk assessments, to minimizes their risk by alerting them to potential violations or internal concerns before those potential issues turn into big legal problems. For information on how our firm can help you, contact Christopher Santomassimo at 201-712-1616 or [email protected].