Advice on the Art of Risk Assessments
Risk assessments can be a dizzying challenge for compliance officers, with so many ways to approach the task and so many variables to consider. So today let’s review some of the big themes from a webinar on risk assessments that I moderated last week, where plenty of good advice was dished out.
We spent a fair bit of time talking about how a compliance officer even gets started with a risk assessment. Do you first talk with employees, soliciting their observations about the risk in question? Or do you first look at the data, to see what it tells you about the risk?
Opinions differed on this question. Lots of people recommended that you begin with the human element. Talk with business leaders somehow involved in the risk you’re assessing, asking their opinion about the likelihood or severity of the risk. Then review relevant data after those conversations, to see whether their views about the risk are supported by the data or not. That certainly seems like a sensible approach.
On the other hand, you could look at the data first, to better understand how the risk (say, suspicious payments to third parties or incomplete cybersecurity due diligence on technology vendors) really manifests at your business. Then you’ll be able to ask more informed questions when you talk with business function leaders.
I’m all for preparation, but I do see a few pitfalls in the “data first” approach. For example, you might be able to ask more thoughtful and informed questions of business function leaders, but that might feel more prosecutorial to those function leaders than is helpful. (“I see we’re only screening 40 percent of our vendors for cybersecurity risk. Why is that?”) If your conversations end up taking a more adversarial tone, that won’t do you any favors.
Now consider the “person first” approach. When you talk with the business leader, you’re coming to him or her with a blank canvas. You’d have a better opportunity to talk freely about the risk in question, build a sense of alliance between the two of you, and perhaps even ask the function leader what data they’d recommend that you analyze.
Then you look at the data, to see whether it confirms what the function leader told you. Maybe the executive’s analysis was excellent. Maybe it was wildly incorrect because the executive lied to you, or just doesn’t know what’s really going on. In any case, you’re more likely to end up with better insights, whether that’s “yes, this risk is really well managed” or “crap, this management team is clueless” or somewhere in between.
Of course, we need to appreciate that the “people first, data second” approach only works well when the compliance function has full access to the company’s data — and that’s not always the case. So compliance officers need to factor access to data into their risk assessment plans as well. (While we’re on the subject, please take our survey about compliance officers’ testing, monitoring, and access to data, launched last week!)
One person on our webinar did say that if you’ve already been compliance officer at your company for a while, you probably can start with data first because you have pre-existing relationships with business function leaders. If you’re new to the role or the business, however, then start with people first to forge those personal connections; then look at the data. That struck me as hugely sensible advice.
And all of this boils down to what we’ve said since time immemorial: that good compliance is a people process. You, the compliance officer, need to think long, hard, and honestly about what your status within the company really is, so you can proceed with your risk assessment in the most effective way possible.
Testing and Risk Assessments
We also spent lots of time on a more tactical issue. When your risk assessment moves into the phase of testing controls, who should do the actual testing?
The consensus was that compliance officers should not be the ones doing the actual testing if possible, because testing controls is typically not in your skill set. Most compliance officers come from a legal background, so you’re good at investigations, reporting, and establishing business processes at the abstract level; but you’re not as strong on the nitty-gritty of internal control design and testing.
So whenever possible, ask the internal audit team to do the testing for you. They are likely to be much more savvy about which controls should be tested, how to test them, and how to interpret the results. (For example, you might be able to design your own tests for, say, the internal hotline; but could you really design and execute an effective test of whether all discounts granted to resellers first had complete documentation in hand?)
If your company doesn’t have an internal audit team, you might be able to contract with an external audit firm to do the testing work on a project basis. You might also be able to work with IT on certain risks, such as testing privacy or access controls.
It’s also possible that First Line business functions might do their own testing of controls, especially in highly regulated industries such as financial services. You could rely on that testing data as well, although again that depends on whether the compliance team has full data access.
More on Internal Audit’s Role
We should also pause here to split a few hairs. Compliance officers will want to do compliance risk assessments, while internal audit typically performs much broader enterprise risk assessments.
So the question arises: could you let internal audit perform your compliance risk assessment as part of its larger enterprise risk assessment?
The listeners and speakers on our webinar were unthrilled with that idea. So am I.
Internal audit might not understand the compliance risks you’re worried about as intimately as you do. They’ll (quite naturally) see compliance risk as one part of a larger whole, but for you compliance risk is the whole. So if you want the best data and best analysis for compliance risks, you’ll want to lead this risk assessment yourself.
That said, you also don’t want to exasperate the rest of your enterprise with duplicative risk assessments, and some of the questions you’d ask in your compliance risk assessment likely would overlap with internal audit’s enterprise risk assessment. So one good idea is to see whether your data collection needs could somehow be piggybacked onto some other evidence-collection exercise internal audit is already planning to do.
Really, there’s no right or wrong answer here, so long as you and internal audit are in agreement about how to proceed. You want to keep the burdens on the operating units as light as possible.
