Compliance Risk Assessments - Deloitte


Compliance risk assessments: The third ingredient in a world-class ethics and compliance program

You can’t mitigate a risk if you don’t know it’s there

As global regulations proliferate, and as stakeholder expectations increase, organizations are exposed to a greater degree of compliance risk than ever before. Compliance risk is the threat posed to an organization’s financial, organizational, or reputational standing resulting from violations of laws, regulations, codes of conduct, or organizational standards of practice. To understand their risk exposure, many organizations may need to improve their risk assessment process to fully incorporate compliance risk exposure.

The case for conducting robust compliance risk assessments is deeply rooted in the U.S. Federal Sentencing Guidelines for Organizations, which establishes the potential for credit or reduced fines and penalties should an organization be found guilty of a compliance failure. In today’s environment of global regulatory convergence, ever-increasing complexity, and the expansion of businesses into new or adjacent industries, the need for a broader view of compliance risk has never been greater. Nevertheless, according to a survey conducted jointly by Deloitte and Compliance Week,[1] 40 percent of companies do not perform an annual compliance risk assessment.

Many ethics and compliance officers will likely agree that new ethics, compliance, and reputational risks appear each day. At the same time, the recent global recession forced many organizational functions to closely examine their budgets and resources. Together, these factors have created a tension between growing regulatory obligations and the pressure to do more with less. To help resolve this situation and continue to add value to their organizations, ethics and compliance professionals need to be sure they understand the full spectrum of compliance risks lurking in each part of the organization. They then need to assess which risks have the greatest potential for legal, financial, operational, or reputational damage and allocate limited resources to mitigate those risks.

How is a compliance risk assessment different from other risk assessments?

Organizations conduct assessments to identify different types of organizational risk. For example, they may conduct enterprise risk assessments to identify the strategic, operational, financial, and compliance risks to which the organization is exposed. In most cases, the enterprise risk assessment process is focused on the identification of “bet the company” risks – those that could impact the organization’s ability to achieve its strategic objectives. Most organizations also conduct internal audit risk assessments to aid in the development of the internal audit plan. A traditional internal audit risk assessment is likely to consider financial statement risks and other operational and compliance risks.

While both of these kinds of risk assessments are typically intended to identify significant compliance-related risks, neither is designed to specifically identify legal or regulatory compliance risks (see illustrative table). Therefore, while compliance risk assessments should certainly be linked with the enterprise or internal audit risk processes, they generally require a more focused approach. That is not to say that they cannot be completed concurrently, or that they ought to be siloed efforts – most organizations may be able to combine the activities that support various risk assessments, perhaps following an initial compliance risk identification and assessment process.

[1] In focus: 2014 Compliance Trends Survey. /compliance-trends-survey-2014.html

As used in this document, “Deloitte” means Deloitte & Touche LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.

The interrelationship among enterprise risk management (ERM), internal audit, and compliance risk assessments

Objective
  ERM: Identify, prioritize, and assign accountability for managing strategic, operational, financial, and reputational risks
  Internal audit: Determine and prioritize risks to aid in developing the internal audit plan, helping to provide the board and the executive team with assurances related to risk management efforts and other compliance activities
  Compliance: Identify, prioritize, and assign accountability for managing existing or potential threats related to legal or policy noncompliance—or ethical misconduct—that could lead to fines or penalties, reputational damage, or the inability to operate in key markets

Scope
  ERM: Any risk significantly impacting the organization’s ability to achieve its strategic objectives
  Internal audit: Financial statement and internal control risks, as well as some operational and compliance risks that are likely to materially impact the performance of the enterprise or financial statements
  Compliance: Laws and regulations with which the organization is required to comply in all jurisdictions where it conducts business, as well as critical organizational policies—whether or not those policies are based on legal requirements

Typical owner
  ERM: Chief Risk Officer/Chief Financial Officer
  Internal audit: Chief Audit Executive
  Compliance: Chief Compliance Officer

Understanding your top compliance risks

The compliance risk assessment will help the organization understand the full range of its risk exposure, including the likelihood that a risk event may occur, the reasons it may occur, and the potential severity of its impact. An effectively designed compliance risk assessment also helps organizations prioritize risks, map these risks to the applicable risk owners, and effectively allocate resources to risk mitigation.

An effective framework may also outline and organize the elements of an effective risk mitigation strategy that can be applied to each compliance risk domain.

Figure 1: Enterprise ethics and compliance program and risk exposure framework – An illustrative example (Deloitte Development LLC). Labels shown in the figure: Anti-Money Laundering; Anti-trust & Consumer Protection; Supply Chain; Operations; License Management; Governance and Leadership; Risk Assessments and Due Diligence; Third Party Compliance; Culture of Ethics and Compliance; Testing and Monitoring; Case Management and Investigations; Standards, Policies, and Procedures; Direct and Indirect Tax; Training and Communications; Environment, Health, and Safety; Employee Reporting; Legal; Cybersecurity & Privacy; External/Regulatory Reporting; Labor & Employment; Financial Compliance; Fraud and Corruption.

Building a framework and methodology

Because the array of potential compliance risks facing an organization is typically very complex, any robust assessment should employ both a framework and methodology. The framework lays out the organization’s compliance risk landscape and organizes it into risk domains, while the methodology contemplates both objective and subjective ways to assess those risks.

The framework needs to be comprehensive, dynamic, and customizable, allowing the organization to identify and assess the categories of compliance risk to which it may be exposed (see Figure 1). Some compliance risks are specific to an industry or organization—for example, worker safety regulations for manufacturers or rules governing the behavior of sales representatives in the pharmaceutical industry. Other compliance risks transcend industries or geographies, such as conflicts of interest, harassment, privacy, and document retention.

Applying the methodology and conducting the risk assessment

Using an objective methodology to evaluate the likelihood and potential impact of each risk will help the organization understand its inherent risk exposure. “Inherent risk” is the risk that exists in the absence of any controls or mitigation strategies. At the outset, gaining a preliminary understanding of inherent risk helps the organization develop an early view on its strategy for risk mitigation. And when organizations identify inherent risk they should consider key risk drivers that can be organized into the following four broad categories:

- Legal impact: Regulatory or legal action brought against the organization or its employees that could result in fines, penalties, imprisonment, product seizures, or debarment.
- Financial impact: Negative impacts with regard to the organization’s bottom line, share price, potential future earnings, or loss of investor confidence.
- Business impact: Adverse events, such as embargos or plant shutdowns, that could significantly disrupt the organization’s ability to operate.
- Reputational impact: Damage to the organization’s reputation or brand—for example, bad press or social media discussion, loss of customer trust, or decreased employee morale.

It is important to provide both quantitative and qualitative measures for each category. However, as with all risk assessments, precise measurement may prove to be elusive. In the case of risks with direct financial impact, an actual monetary value may be measurable with respect to the risk. Another way to evaluate risk is using a criticality scale that indicates the extent of impact should noncompliance occur. Extent of impact can be described in qualitative terms. For example, for reputational impact, low impact might be minimal to no press coverage, while high impact might be extensive negative press in the national media (see Figure 2).

Figure 2: An illustrative criticality scale (Deloitte Development LLC)

The scale runs from a High rating down to a Low rating; each level is described for three kinds of impact.

High rating
  Reputational fallout/Brand damage: Sustained U.S. national (and international) negative media coverage (front page of business section)
  Civil or criminal fines or penalties: Major federal or state action/Fraud or bribery investigation
  Loss of sales/customer confidence: Significant loss or harm of customer relationship(s), including customer shut downs

Next level down
  Reputational fallout/Brand damage: Negative U.S. national or international media coverage (not front page)
  Civil or criminal fines or penalties: Federal or state investigations
  Loss of sales/customer confidence: Failure of ability to meet customer needs, e.g., significant quality issues, customer delays, or inability to deliver products to customer

Next level down
  Reputational fallout/Brand damage: Negative media coverage in a specific U.S. region or a foreign country
  Civil or criminal fines or penalties: Routine costly litigation
  Loss of sales/customer confidence: Ineffective products delivered to customers or delay in customer delivery

Next level down
  Reputational fallout/Brand damage: Localized negative impact on reputation (such as a single large customer) but recoverable
  Civil or criminal fines or penalties: Smaller actions, penalties/fines
  Loss of sales/customer confidence: Less than optimal acceptance by customers

Low rating
  Reputational fallout/Brand damage: No press exposure
  Civil or criminal fines or penalties: No regulatory or legal action
  Loss of sales/customer confidence: Limited, if any, impact on customers

Determining residual risk

While it is impossible to eliminate all of an organization’s risk exposure, the risk framework and methodology help the organization prioritize which risks it wants to more actively manage. Developing a framework and methodology helps organizations determine the extent to which the organization’s existing risk-mitigation activities (for example, testing and monitoring or employee training programs) are able to reduce risk. Effective risk mitigation activities may reduce the likelihood of the risk event occurring, as well as the potential severity of impact to the organization.

When an organization evaluates inherent risk in light of its existing control environment and activities, the degree of risk that results is known as the “residual risk.” If existing risk mitigation strategies are insufficient at reducing residual risk to an acceptable level, this is an indication that additional measures are in order.

Some key questions about your exposure

There are a number of critical questions organizations should ask related to compliance risks and the program(s) in place to mitigate those risks:

- What kinds of compliance failures would create significant brand risk or reputational damage? Could the failures arise internally, in the supply chain, or with regard to third parties operating on the organization’s behalf? What is the likely impact of that damage on the organization’s market value, sales, profit, customer loyalty, or ability to operate?
- What kinds of compliance missteps could cause the organization to lose the ability to sell or deliver products/services for a period of time?
- How should the compliance program design, technology, processes, and resource requirements change in light of growth plans, acquisitions, or product/category/service expansions?
- Is the organization doing enough to inform customers, investors, third parties, and other stakeholders about its vision and values? Is it making the most of ethics, compliance, and risk management investments as potential competitive differentiators?
- What are the total compliance costs—beyond salaries and benefits at the centralized level—and how are costs aligned with the most significant compliance risks that could impact the brand or result in significant fines, penalties, and/or litigation?
- How well-positioned is the compliance function? Does it have a seat “at the table” in assessing and influencing strategic decisions?
- What are the personal and professional exposures of executive management and the board of directors with respect to compliance?

What makes a compliance risk assessment world class?

While every compliance risk assessment is different, the most effective ones have a number of things in common. To build a world-class assessment, consider the following leading practices:

- Gather input from a cross-functional team: A compliance risk assessment requires the participation of deep subject matter specialists from the compliance department and across the enterprise. It is the people living and breathing the business – those in specific functions, business units, and geographies – who truly understand the risks to which the organization is exposed, and will help ensure all key risks are identified and assessed. In addition, if the methodology is designed in a vacuum without consulting the risk owners, the output of the process will lack credibility when it comes to implementing mitigation programs.
- Build on what has already been done: Rather than starting from scratch, look for ways to leverage existing material, such as enterprise risk assessments, internal audit reports, and quality reviews, and integrate compliance risk content where appropriate. Be sure to communicate the differences between the compliance risk assessments and other assessments to groups you seek to engage. Clearly, the output of each risk assessment process should inform and connect with each of the others.
- Establish clear risk ownership of specific risks and drive toward better transparency: A comprehensive compliance risk assessment will help identify those individuals responsible for managing each type of risk, and make it easier for executives to get a handle on risk mitigation activities, remediation efforts, and emerging risk exposures.
- Make the assessment actionable: The assessment both prioritizes risks and indicates how they should be mitigated or remediated. Remediation actions should be universally understood and viable across borders. Be sure the output of the risk assessment can be used in operational planning to allocate resources and that it can also serve as the starting point for testing and monitoring programs.
- Solicit external input when appropriate: By definition, a risk assessment relies on knowledge of emerging risks and regulatory behavior, which are not always well known within the organization. Tapping outside expertise can inform the assessment and ensure that it incorporates a detailed understanding of emerging compliance issues.
- Treat the assessment as a living, breathing document: Once you allocate resources to mitigate or remediate compliance risks, the potential severity of those risks will change. The same goes for events in the business environment. All of this should drive changes to the assessment itself.
- Use plain language that speaks to a general business audience: The assessment needs to be clear, easy to understand, and actionable. Avoid absolutes and complex legal analysis.
- Periodically repeat the risk assessment: Effective compliance risk assessments strive to ensure a consistent approach that continues to be implemented over time, e.g., every one or two years. At the same time, risk intelligence requires ongoing analysis and environment scanning to identify emerging risks or early warning signs.
- Leverage data: By incorporating and analyzing key data (e.g., hotline statistics, transactional records, audit findings, compliance exception reports, etc.), organizations can gain a deeper understanding of where existing or emerging risks may reside within the business.

Many organizations are considering investments in technology, such as analytical and brand monitoring tools, to help leverage and analyze data to strengthen their risk-sensing capabilities. Additionally, organizations are considering investments in data, including traditional media/negative mention monitoring, social media data, surveying, and other data sources.

Conclusion

The constantly changing regulatory environment increases the vulnerability of most organizations to compliance risk. This is particularly true for those organizations that operate on a global scale. The complexity of the risk landscape and the penalties for non-compliance make it essential for organizations to conduct thorough assessments of their compliance risk exposure. A good ethics and compliance risk assessment includes both a comprehensive framework and a methodology for evaluating and prioritizing risk. With this information in hand, organizations will be able to develop effective mitigation strategies and reduce the likelihood of a major noncompliance event or ethics failure, setting themselves apart in the marketplace from their competitors.

Contacts

Please contact one of our Enterprise Compliance Services leaders for more information.

Nicole Sandford, Partner, Deloitte Advisory; National Practice Leader, Enterprise Compliance Services; Deloitte & Touche LLP; 1 203 708 4845; nsandford@deloitte.com; Stamford, CT
Keith Darcy, Independent Senior Advisor to Deloitte & Touche LLP; 1 203 905 2856; kdarcy@deloitte.com; Stamford, CT
Maureen Mohlenkamp, Principal, Deloitte Advisory; Deloitte & Touche LLP; 1 212 436 2199; mmohlenkamp@deloitte.com; Stamford, CT
Brian Clark, Partner, Deloitte Advisory; Deloitte & Touche LLP; 1 816 802 7751; bclark@deloitte.com; Kansas City, MO
Laurie Eissler, Director, Deloitte Advisory; Deloitte & Touche LLP; 1 313 396 3321; leissler@deloitte.com; Detroit, MI
Nolan Haskovec, Senior Manager, Deloitte Advisory; Deloitte & Touche LLP; 1 212 436 2973; nhaskovec@deloitte.com; New York, NY
Kevin Lane, Principal, Deloitte Advisory; Deloitte & Touche LLP; 1 214 840 1577; kelane@deloitte.com; Dallas, TX
Thomas Nicolosi, Principal, Deloitte Advisory; Deloitte & Touche LLP; 1 215 405 5564; tnicolosi@deloitte.com; Philadelphia, PA
Holly Tucker, Partner, Deloitte Advisory; Deloitte Financial Advisory Services LLP; 1 214 840 7432; htucker@deloitte.com; Dallas, TX

Additionally, feel free to reach out to our team of former compliance officers who are located across the country and experienced in a wide variety of industries.

Martin Biegelman, Director, Deloitte Advisory; Deloitte Financial Advisory Services LLP; 1 602 631 4621; mbiegelman@deloitte.com; Phoenix, AZ; Industry: Technology
Rob Biskup, Director, Deloitte Advisory; Deloitte Financial Advisory Services LLP; 1 313 396 3310; …oit, MI; Industry: Consumer & Industrial Products
Timothy Cercelle, Director, Deloitte Advisory; Deloitte & Touche LLP; 1 216 589 …; Cleveland, OH; Industry: Insurance
Michael Fay, Principal, Deloitte Advisory; Deloitte & Touche LLP; 1 617 437 3697; mifay@deloitte.com; Boston, MA; Industry: Investment Management
Howard Friedman, Director, Deloitte Advisory; Deloitte & Touche LLP; 1 713 982 3065; hfriedman@deloitte.com; Houston, TX; Industry: Energy & Resources
Peter Reynolds, Director, Deloitte Advisory; Deloitte & Touche LLP; 1 973 602 4111; pereynolds@deloitte.com; Parsippany, NJ; Industry: Investment Management
Thomas Rollauer, Director, Deloitte Advisory; Executive Director, Deloitte Center for Regulatory Strategies; Deloitte & Touche LLP; 1 212 436 4802; trollauer@deloitte.com; New York, NY; Industry: Financial Services/Banking & Securities
George Hanley, Director, Deloitte Advisory; Deloitte & Touche LLP; 1 973 602 4928; ghanley@deloitte.com; Parsippany, NJ; Industry: Insurance

This publication contains general information only and Deloitte is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this document.

Copyright 2015 Deloitte Development LLC. All rights reserved. Member of Deloitte Touche Tohmatsu Limited
