One way to evaluate risks as determined by the company’s risk assessment is through a risk matrix. Once risks are identified, they are then rated according to their significance and likelihood of occurring and then plotted on a heat map to determine their priority. The most significant risks with the greatest likelihood of occurring are deemed the priority risks, which become the focus of your remedial efforts or for continuous auditing. A variety of solutions and tools can be used to manage these risks going forward, but the key step is to evaluate and rate these risks. All your actions should flow from the risk ranking.
The most significant risks with the greatest likelihood of occurring are deemed to be the priority risks. These become the focus of your most significant risk management efforts, coupled with audits and monitoring going forward. A variety of tools can be used to continuously monitor risk going forward. Consider providing employees with substantive training to guard against the most significant risks coming to pass and to keep the key messages fresh and top of mind. It is important to create a risk control summary that succinctly documents the nature of the risk and the actions taken to mitigate it. Finally, let this risk assessment and evaluation inform your compliance program, rather than letting the compliance program inform the risk assessment.
Three key takeaways:
1. Even after you complete your risk assessment, you must evaluate those risks for your company.
2. The DOJ and SEC are looking for a well-reasoned approach to how you evaluate your risk.
3. Create a risk matrix and rank your risks; then remediate and monitor as appropriate.
For more information on Ethico and a free White Paper on top compliance issues in 2024, click here.