
Enterprise Risk Assessment: Essential Strategies for Compliance Professionals

An Enterprise Risk Assessment is fundamental to managing an organization’s strategic and operational landscapes. For compliance professionals, navigating the intricate world of risk can be particularly complex yet crucial. It includes risk identification, analysis, risk assessment, management, ongoing monitoring, and continuous improvement. The enterprise risk assessment process helps organizations to identify and manage potential risks proactively, allocate resources more effectively to address the most critical risks, improve decision-making and strategic planning, enhance resilience and adaptability to changing conditions, comply with regulatory requirements and industry standards, and protect the organization’s reputation and stakeholder confidence.

It all begins with identifying risk: the first step in enterprise risk management is identifying potential risks. Sources include consulting management and executive leadership; key insights often come from asking management what concerns them most, and these discussions give a broad view of issues that could become significant risks. You can analyze your competitors by reviewing their regulatory filings, such as 10-K and 10-Q reports, which helps you identify risks common across the industry. You can review litigation patterns: by regularly tracking the types of litigation your company faces, you can pinpoint areas that require mitigation. Insight can also come from something as straightforward as daily conversations with employees across different functions, which can bring to light operational risks that are not immediately apparent.

The next crucial step is assessing these risks. Here, you should determine both inherent and residual risk. Inherent risk is the level of risk in the absence of any controls. For instance, a company with significant foreign operations inherently has a higher risk under the Foreign Corrupt Practices Act (FCPA). Residual risk is the risk that remains after control measures have been implemented; it reflects how effective those controls are at mitigating the identified risks.

A company with only domestic operations would generally have a low inherent FCPA risk, whereas a multinational corporation would face high inherent risk due to its global operations.

From there, you should prioritize the risks you have assessed. Rank the identified risks by residual risk level, focusing on the highest-priority risks that require immediate attention and action. This helps the organization allocate resources and attention to the most critical risks.

You must also evaluate whether the residual risk levels for each identified risk are within the organization’s defined risk appetite and tolerance thresholds. Identify any risks that exceed the organization’s risk appetite and require further risk treatment or mitigation measures.

The next step is your overall risk management strategy. This will depend on where each risk sits on a heat map, a visual representation of risks based on their impact and likelihood. High-impact, low-likelihood risks, such as cybersecurity threats, fall into one quadrant and can be managed by transferring them to third parties via insurance policies. High-impact, high-likelihood risks require robust internal controls to minimize occurrence. Low-impact, low-likelihood risks can be monitored and accepted without intensive mitigation efforts. A key part of risk management involves continuous monitoring and reassessment, reflecting the dynamic nature of the business environment. For instance, the shift to remote working during the COVID-19 pandemic introduced new risks that required novel mitigation strategies.
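The assessment steps above (inherent score, residual score after controls, appetite check, heat-map treatment) as a small risk-register triage, added here as an illustration and not code from the original post. The 1-to-5 scoring scale, control-effectiveness values, appetite threshold and register entries are all constructed assumptions.

```python
# Added illustration of the post's assessment steps; scores, control
# effectiveness, the appetite threshold and the register are constructed.
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    impact: int                   # 1 (negligible) .. 5 (severe)
    likelihood: int               # 1 (rare) .. 5 (almost certain), before controls
    control_effectiveness: float  # 0.0 (no controls) .. 1.0 (fully effective)


RISK_APPETITE = 8  # assumed ceiling on the residual score (impact * likelihood)


def inherent_score(r):
    """Risk level with no controls applied."""
    return r.impact * r.likelihood


def residual_score(r):
    """Risk remaining after controls; controls are assumed to reduce likelihood only."""
    residual_likelihood = max(1, round(r.likelihood * (1 - r.control_effectiveness)))
    return r.impact * residual_likelihood


def treatment(r, high=4):
    """Heat-map quadrant logic from the post: transfer, control, or accept."""
    hi_impact, hi_like = r.impact >= high, r.likelihood >= high
    if hi_impact and not hi_like:
        return "transfer (insurance)"
    if hi_impact and hi_like:
        return "robust internal controls"
    if not hi_impact and not hi_like:
        return "accept and monitor"
    return "reduce likelihood"  # low-impact, high-likelihood: not covered by the post


def triage(register):
    """Score every risk, flag those beyond appetite, and rank by residual risk."""
    rows = []
    for r in register:
        res = residual_score(r)
        rows.append({"risk": r.name, "inherent": inherent_score(r), "residual": res,
                     "exceeds_appetite": res > RISK_APPETITE, "treatment": treatment(r)})
    return sorted(rows, key=lambda row: row["residual"], reverse=True)


SAMPLE_REGISTER = [  # constructed register
    Risk("FCPA exposure (multinational)", 5, 4, 0.5),
    Risk("Cybersecurity breach", 5, 2, 0.3),
    Risk("Data-center flood", 5, 1, 0.0),
    Risk("Office supply overspend", 1, 3, 0.0),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_REGISTER):
        print(row)
```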

Determining an organization’s risk appetite involves discussing it with executive leadership and possibly the board of directors. It’s about balancing taking on certain risks and having strategies to manage them effectively. Risk appetite discussions often revolve around the results of the risk assessments. The objective is to align the company’s strategies with its willingness and ability to tolerate various risks.

A critical challenge in risk assessment is achieving consensus when there are differences in risk perceptions. Some methods for bridging this gap include:

  • Pre-Surveying Key Stakeholders: Stakeholders are surveyed for risk rankings before detailed discussions.
  • Calibration Sessions: Knowledgeable stakeholders discuss the survey results in detail and reconcile them with the risk assessment calculations.
  • Iterative Adjustments: Participants agree upon the risk scores through a structured dialogue, ensuring that the assessment is robust and reflective of collective insights.

Complex businesses with specific risk factors, like those in the technology or healthcare sectors, might require deep-dive assessments. These assessments focus intensely on areas such as cybersecurity or regulatory compliance, providing detailed insights into the broader risk management framework.

Resistance to implementing risk mitigation strategies can be a significant hurdle, especially for low-likelihood but high-impact risks. You should ensure that all recommendations and management refusals are well-documented. This protects the compliance team and provides a clear record should issues arise. You can also explore insurance options for transferring specific risks, making compliance a cost-effective ally to business operations.

Effective enterprise risk management is a continuous, multi-faceted process that balances risk identification, assessment, mitigation, and monitoring. By leveraging structured methodologies and collaborative approaches, compliance professionals can ensure that their organizations are well-prepared to navigate the complex global risk landscape. Understanding and managing enterprise risks is not just about compliance—it’s about fostering a resilient, proactive, and forward-thinking organizational culture.

Innovation in Compliance

Taxman: Why Compliance Should Talk to Tax

Tom Fox is back again for a special new five-part series, Taxman: On the Intersection of Tax and Compliance. Tracy Howell, Tom’s colleague and tax expert extraordinaire, joins in to discuss the intersection between compliance and tax. 
Why Should Compliance and Tax Interact? 
All organizations have an enterprise risk management (ERM) system. One risk common to multinational companies in particular is corporate tax risk, and yet it tends to remain under the radar. While tax professionals are usually very good at identifying and mitigating tax risk, the risk is elevated when there is no close interaction between compliance and tax professionals. 
 
Sophistication in Taxing Jurisdictions 
Most jurisdictions have a tax code, but street rules tend to be in play as well. “You have to establish very early on that you don’t pay bribes,” Tracy advises. Following the law may cost more, but that cost pales in comparison to the cost of putting your company at risk. 
 
Compliance Into the Weeds

Compliance into the Weeds: Episode 121 - The Role of the CRO in ERM

Compliance into the Weeds is the only weekly podcast which takes a deep dive into a compliance-related topic, literally going into the weeds to more fully explore a subject. In this episode, Matt Kelly (the coolest guy in compliance) and I take a deep dive into the role of the Chief Risk Officer in overall Enterprise Risk Management. Some of the highlights include:

  • Why is effective ERM more than simply the operationalization of ethics and compliance?
  • Why the Board and senior management must take a holistic approach to ERM?
  • Why is it even more important for Boards and senior management to have better risk governance?
  • How do you define the role of Chief Risk Officer?
  • What is the role of internal audit in today’s analytical world of risk management?
  • Could or even should the role of the Chief Audit Officer evolve into the role of a Chief Risk Officer?

For more reading, check out Matt’s blog post “The Chief Risk Officer Role”. Also listen to the Radical Compliance podcast here.