
Compliance Risk Assessment vs. Fraud Risk Assessment: Why the Distinction Matters

One of the most common points of confusion I see in the compliance space is the conflation of a compliance risk assessment and a fraud risk assessment. At first glance, they may look similar as both touch on governance, controls, and organizational exposure. Yet, as Jonathan Marks emphasized in a recent episode of the Data-Driven Compliance podcast, they are not the same. They serve different purposes, employ different methodologies, and generate different impacts. And if you blur the two, you may be leaving the corporate back door wide open.

In this post, I aim to explore the distinctions, explain why they matter, and demonstrate how both assessments complement one another in building a stronger, more resilient compliance program.

Compliance Risk Assessment: Coloring Inside the Lines

A compliance risk assessment is the backbone of the compliance function. It answers the question: Are we following the laws, regulations, and internal policies to which we are required to adhere?

The methodology is structured around:

  • Identifying obligations — What laws, regulations, and internal codes apply to our business?
  • Assessing exposure — Where are we most likely to be out of compliance?
  • Evaluating controls — What policies, procedures, and safeguards exist to manage those obligations?
  • Prioritizing remediation — Which gaps carry the greatest legal, financial, or reputational risk?

The Department of Justice (DOJ) has long framed this as a “three-question test”: Is your program well designed? Is it implemented in good faith? Does it work in practice? A compliance risk assessment is the diagnostic tool that helps answer these questions.

Consider this: a compliance risk assessment ensures that the organization operates within the bounds of the law. It helps the business avoid the unintentional missteps that could land it in hot water with regulators.

Fraud Risk Assessment: Thinking Like a Fraudster

By contrast, a fraud risk assessment is not about whether you are following the rules; it is about whether someone could deliberately break them, deceive the organization, and benefit at its expense. Marks put it succinctly: compliance without fraud detection is like locking the front door while leaving the back door wide open.

A fraud risk assessment is built around three key elements:

  1. The Act – The fraud scheme itself. Examples include false vendor setups, revenue inflation, insider collusion, or misuse of restricted funds.
  2. The Concealment – How the scheme is hidden. Fraud is rarely obvious. It may involve falsifying documents, manipulating data, overriding controls, or exploiting process weaknesses.
  3. The Conversion – How the perpetrator benefits. Whether through cash, bonuses, promotions, or reputational gain, there is always a payoff.

This approach is fundamentally about mindset. A compliance risk assessment looks at processes. A fraud risk assessment forces you to think like the fraudster, the “mind behind the crime.”

Methodological Differences

Marks emphasized that while compliance risk assessments and fraud risk assessments may overlap, their methodologies diverge in several important ways:

  • Focus on Intent vs. Process
    • Compliance asks: Are we following the rules?
    • Fraud asks: Could someone intentionally subvert the rules, and would we detect it in time?
  • Scope of Risk
    • Compliance focuses on legal and regulatory exposure.
    • Fraud encompasses a broader range of threats, including financial, operational, and reputational risks—whether driven by insiders or outsiders.
  • Tools and Techniques
    • Compliance assessments often rely on surveys, documentation review, and structured interviews.
    • Fraud assessments utilize forensic tools, including analytics, behavioral red flags, and targeted scenario testing, to identify potential risks.
  • Outcomes
    • Compliance assessments typically produce policies, certifications, and gap analyses.
    • Fraud assessments deliver actionable detection and deterrence strategies.

Red Flags: The Early Warning System

One of the most practical contributions of a fraud risk assessment is its focus on red flags, the early warning signs that something is not right. Marks categorized them into four groups:

  1. Data Red Flags – Unusual transaction timing, frequency, or amounts.
  2. Document Red Flags – Missing or altered records, incomplete approvals.
  3. Control Red Flags – Inadequate segregation of duties, override of established processes.
  4. Behavioral Red Flags – Employees living beyond their means or facing personal stressors.

The key is not simply to identify these red flags, but to connect them back to your control environment. Are your controls designed to catch intentional deception or only unintentional error? Too often, organizations rely on compliance-oriented controls that were never built to stop someone determined to cheat the system.
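To make the link between red flags and the control environment concrete, here is an added example that is not from the original post or the podcast: a small Python screen that runs constructed expense-reimbursement records through checks modelled on three of the four red-flag categories above (data, document, control). Behavioral red flags are deliberately left out because they do not live in transaction data. Every field name, the business-hours window, the weekend rule, the z-score threshold and the sample records are assumptions made for the example.

```python
"""Added example: scoring constructed transactions against red-flag categories.

Data red flags      -> off-hours timing, amount far outside the submitter's history
Document red flags  -> missing approval, missing supporting record
Control red flags   -> submitter approving their own transaction (segregation of duties)
Behavioral red flags are not modelled: they come from people, not from this data.
All thresholds and field names are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev
from typing import Dict, List, Optional


@dataclass
class Transaction:
    txn_id: str
    submitter: str
    approver: Optional[str]   # None models a missing approval
    amount: float
    timestamp: datetime
    supporting_doc: bool      # False models a missing receipt or record


# Constructed sample records (not real data). 2024-03-09 is a Saturday.
SAMPLE = [
    Transaction("T1", "alice", "bob", 100.0, datetime(2024, 3, 4, 9, 15), True),
    Transaction("T2", "alice", "bob", 120.0, datetime(2024, 3, 5, 10, 0), True),
    Transaction("T3", "alice", "bob", 110.0, datetime(2024, 3, 6, 14, 30), True),
    Transaction("T4", "alice", "bob", 130.0, datetime(2024, 3, 7, 16, 45), True),
    Transaction("T5", "alice", None, 9500.0, datetime(2024, 3, 9, 23, 10), False),
    Transaction("T6", "carol", "carol", 250.0, datetime(2024, 3, 5, 11, 0), True),
    Transaction("T7", "dave", "bob", 80.0, datetime(2024, 3, 6, 9, 0), True),
]


def flag_transaction(txn: Transaction, history_amounts: List[float],
                     business_hours=(8, 18), z_threshold: float = 3.0) -> List[str]:
    """Return the list of red flags raised by one transaction.

    history_amounts are the same submitter's earlier amounts; the amount check
    only runs once there are at least three of them, so a new submitter is not
    flagged for lack of a baseline (assumed design choice).
    """
    flags: List[str] = []

    # Data red flag: unusual timing (weekend or outside the assumed business hours).
    ts = txn.timestamp
    if ts.weekday() >= 5 or not (business_hours[0] <= ts.hour < business_hours[1]):
        flags.append("data:off-hours timing")

    # Data red flag: amount far above this submitter's own history (z-score).
    if len(history_amounts) >= 3:
        mu, sigma = mean(history_amounts), pstdev(history_amounts)
        if sigma > 0 and (txn.amount - mu) / sigma > z_threshold:
            flags.append("data:amount outlier")

    # Document red flags: incomplete approval, missing record.
    if txn.approver is None:
        flags.append("document:missing approval")
    if not txn.supporting_doc:
        flags.append("document:missing record")

    # Control red flag: segregation of duties broken by self-approval.
    if txn.approver is not None and txn.approver == txn.submitter:
        flags.append("control:self-approval")

    return flags


def review(transactions: List[Transaction]) -> Dict[str, List[str]]:
    """Screen transactions in time order; return {txn_id: flags} for flagged ones.

    Each transaction is compared only against the same submitter's earlier
    amounts, so the baseline is built as the review walks forward in time.
    """
    results: Dict[str, List[str]] = {}
    seen: Dict[str, List[float]] = {}
    for txn in sorted(transactions, key=lambda t: t.timestamp):
        flags = flag_transaction(txn, seen.get(txn.submitter, []))
        if flags:
            results[txn.txn_id] = flags
        seen.setdefault(txn.submitter, []).append(txn.amount)
    return results


if __name__ == "__main__":
    for txn_id, flags in review(SAMPLE).items():
        print(txn_id, ", ".join(flags))
```

Run as written, the screen reports T5 for all four of its data and document flags and T6 for self-approval, while the routine records raise nothing. The point of the structure is the one the text makes: each flag is named after the control it implicates (approval workflow, record retention, segregation of duties), so a hit can be traced back to a specific control that was designed for error, not deception.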

Skills and Experience Matter

Another critical difference lies in who conducts the assessment. Compliance risk assessments often require individuals with expertise in law or regulation. Fraud risk assessments, however, require a different skill set; professionals who understand fraud schemes, internal controls, and forensic techniques are needed.

As Marks bluntly put it: certifications are nice, but experience is essential. Those leading fraud risk assessments need to have “skinned their knees” in real-world situations to understand the difference between a red flag and a false signal. Without that expertise, organizations risk a paper exercise that fails to capture the real threats.

Complementary, Not Substitutes

It is tempting for organizations to assume that a compliance risk assessment also covers fraud risk. That is a dangerous misconception. While the two assessments intersect, they are not substitutes. A compliance risk assessment confirms the rules are being followed—a fraud risk assessment tests whether someone could and would intentionally break those rules for personal gain.

Together, they create a multidimensional view of risk:

  • Compliance risk assessments keep the organization lawful.
  • Fraud risk assessments keep the organization safe.

When aligned, they reinforce one another. For example, fraud red flags can be embedded into compliance training, transforming static learning into practical, scenario-based awareness. Compliance findings can inform fraud detection by highlighting areas where processes are weakest.

Beyond Reports: Building Organizational Resilience

The ultimate value of both types of assessments lies not in the reports they generate but in the resilience they build. Marks is right to stress that neither should be treated as a “set it and forget it” project. Both are living, breathing processes that evolve in tandem with your business model, regulatory landscape, and risk environment.

A well-executed fraud risk assessment provides a strategic roadmap for preventing, deterring, and detecting fraud early. A well-executed compliance risk assessment ensures that your program is not only designed and implemented but also functioning effectively in practice. Together, they enhance oversight, foster continuous improvement, and promote a culture of integrity.

Final Thoughts

The compliance community is rightly focused on regulatory risk, ensuring that policies, procedures, and obligations are met. But stopping there creates a blind spot. Fraud is intentional, adaptive, and motivated by gain. It exploits weaknesses not only in processes but in culture.

The lesson for compliance professionals is clear:

  • Do not assume that your compliance risk assessment covers fraud risk.
  • Invest in both assessments, recognizing their differences and complementary strengths.
  • Ensure the right people, with the right experience, are conducting each.
  • Embed fraud red flags into your training and compliance processes.

At the end of the day, compliance keeps you lawful. Fraud risk management keeps you safe. Organizations that appreciate the distinction and act accordingly will be better prepared to withstand the unexpected, protect their stakeholders, and build lasting trust.


Innovation in Compliance – Global Outsourcing and GDPR Compliance – Navigating Challenges and Opportunities with Inge Zwick

Innovation comes in many areas, and compliance professionals need to be ready for it and embrace it. Join Tom Fox, the Voice of Compliance, as he visits with top innovative minds, thinkers, and creators in the award-winning Innovation in Compliance podcast. In this episode, Tom Fox interviews Inge Zwick, a senior leader from Emapta Global, a global outsourcing company, who elaborates on his experience working in different international locations, including the Philippines and now Italy.

Zwick discusses the complexities and common concerns around outsourcing under GDPR, emphasizing the importance of compliance and data protection. They explain how Emapta supports clients in achieving GDPR compliance while outsourcing, including risk assessments, data flow mapping, and maintaining secure work environments. The conversation delves into the practical aspects of handling Subject Access Requests (SARs), the integration of compliance into operational workflows, and the importance of maintaining ongoing monitoring and updates. Zwick also touches upon how ESG initiatives and compliance are seamlessly woven into Emapta’s operations, providing a sustainable approach to global outsourcing. Lastly, advice is given to business leaders on how to future-proof their outsourcing strategies in light of GDPR, encouraging them not to shy away from global talent opportunities due to compliance fears.

Key highlights:

  • Company Overview and Global Operations
  • Outsourcing and GDPR Compliance
  • Risk Assessment and Data Security
  • Subject Access Requests (SAR)
  • Outsourcing Contracts and GDPR Obligations
  • Integrating Compliance into Operations
  • Future-Proofing Your Outsourcing Strategy



Creating a Compliance Monitoring Plan

Compliance professionals recognize that robust compliance programs do not simply happen; they require meticulous planning, thoughtful execution, and continual enhancement. Central to any thriving compliance framework is a solid compliance monitoring plan. Even seasoned compliance practitioners occasionally encounter challenges when constructing a monitoring strategy capable of effectively identifying, assessing, and mitigating compliance risks. In this guide explicitly tailored for corporate compliance professionals, we will explore key steps toward creating an effective compliance monitoring plan, drawing on the foundational principles outlined in the Hallmarks of an Effective Compliance Program from the FCPA Resource Guide, 2nd edition.

Compliance monitoring is the ongoing process of assessing and verifying a company’s adherence to applicable laws, regulations, and internal policies. Unlike reactive investigations, compliance monitoring proactively identifies potential issues before they evolve into significant problems or compliance violations.

Step 1: Define Objectives and Scope

Once you have identified your organization’s primary compliance risks through a comprehensive risk assessment, you must define clear and measurable objectives for your compliance monitoring activities. These objectives align directly with your broader compliance strategy, corporate mission, and risk appetite. Begin by establishing what success looks like for your compliance monitoring initiative. Is your primary goal to prevent regulatory breaches, detect internal misconduct promptly, or validate the effectiveness of internal controls? Articulated objectives enable your compliance function to measure progress accurately and demonstrate accountability to stakeholders.

Objectives should be SMART (specific, measurable, achievable, relevant, and time-bound) to facilitate clear monitoring and reporting. Next, explicitly outline the scope of your monitoring activities. Determine whether you will monitor all compliance areas equally or strategically prioritize areas of heightened risk, such as international operations, third-party relationships, or high-risk transactions. Defining scope effectively helps allocate your finite compliance resources to the highest impact areas, thus maximizing your monitoring effectiveness. Incorporate feedback from cross-functional teams and relevant business units to ensure your defined scope aligns closely with organizational realities and practical constraints. Regularly revisiting and refining these objectives and scope based on evolving risks and business circumstances keeps your compliance monitoring plan relevant, flexible, and responsive. According to the Hallmarks, clear policies, procedures, and thorough risk assessment underpin a successful compliance program. Thus, ensure your objectives remain tightly integrated with identified risks and documented compliance standards.

Step 2: Develop Monitoring Procedures

With objectives and scope set, the next step is crafting detailed compliance monitoring procedures. Effective procedures must specify the methods, frequency, and tools you’ll use to assess compliance adherence systematically. Procedures should integrate various manual and automated methods to create comprehensive oversight. Regular audits, randomized sampling, targeted employee interviews, and comprehensive documentation reviews form the procedural baseline. It is crucial to identify precisely how each monitoring activity will be executed, who will perform these tasks, and how frequently they will occur. Additionally, incorporating continuous monitoring technologies provides proactive, real-time insights, enhancing the immediacy of your responses to potential compliance breaches.

Documenting these monitoring procedures meticulously ensures consistency, transparency, and accountability, aligning directly with the emphasis on rigorous oversight and robust internal controls. Incorporating clear documentation standards into these procedures provides evidence of compliance activity during internal and external reviews, establishing credibility and trust with stakeholders and regulators. Regularly review and update your monitoring procedures to reflect evolving regulatory requirements, emerging risks, and insights gained from previous monitoring activities. Such periodic reassessments are vital to maintaining effective monitoring practices that meet industry best practices and regulatory expectations, preparing your organization to respond confidently to regulatory scrutiny and internal audits.

Step 3: Assign Roles and Responsibilities

Clearly defining roles and responsibilities within your compliance monitoring plan is fundamental for seamless execution. Compliance team members must understand their duties, expectations, and associated deadlines. Designate who will conduct monitoring activities, evaluate monitoring results, and initiate necessary corrective actions. Assigning these roles based on individual expertise, experience, and authority helps ensure tasks are completed effectively and efficiently. Explicitly document these roles within your compliance governance framework, ensuring clarity and transparency.

The FCPA Resource Guide underscores the importance of adequate autonomy, authority, and resources allocated to compliance functions. Ensuring compliance personnel have delineated responsibilities enhances accountability, promotes clear communication, and supports rapid decision-making. Regular training and communication sessions reinforce these responsibilities, helping compliance team members remain informed and prepared to execute their roles effectively. Furthermore, clearly defined roles and responsibilities empower compliance personnel to act decisively, enhancing responsiveness and ensuring effective intervention when issues arise. Continually reassess and refine these roles as your compliance program evolves, ensuring they remain relevant, efficient, and aligned with organizational goals and regulatory requirements.

Step 4: Implement Continuous Monitoring and Reporting

Effective compliance monitoring must be continuous rather than episodic. Continuous monitoring provides regular, real-time insights into compliance performance, significantly improving your ability to identify and address issues promptly. Implementing technological tools such as data analytics software, automated alerts, and compliance dashboards can greatly enhance continuous monitoring efforts. These technologies provide real-time data, facilitating immediate recognition of compliance deviations and swift corrective action. Establish clear, comprehensive reporting frameworks to communicate monitoring results effectively across all organizational levels, from operational managers to senior executives and board members.

Reporting frameworks must include clearly defined frequency, format, and content, ensuring consistent and relevant information distribution. Transparent reporting aligns directly with the FCPA Resource Guide’s emphasis on adequate internal controls, fostering organizational transparency and accountability. Effective reporting frameworks facilitate informed decision-making, enable quick interventions, and promote organizational trust. Regularly revising reporting protocols based on feedback and evolving compliance needs ensures ongoing effectiveness and relevance.

Step 5: Follow-Up and Remediation

The final crucial step in your compliance monitoring plan involves structured processes for follow-up and remediation. When non-compliance is identified through monitoring efforts, promptly implement a clearly defined process for addressing such issues. The first action is to perform a thorough root cause analysis to comprehend the underlying factors contributing to the compliance violation fully. This analytical step is vital because addressing only superficial symptoms may allow systemic issues to persist, increasing the likelihood of recurrence. After identifying the root cause, develop targeted remediation plans to rectify these foundational weaknesses. These plans should detail precise actions, timelines, responsible parties, and required resources. Communicate these remediation actions throughout the organization, ensuring transparency and clarity among all stakeholders.

Verification processes must be robust and systematic, designed to rigorously assess the effectiveness of implemented remedial actions. Monitoring the outcomes of remediation activities is essential in demonstrating that the organization takes compliance failures seriously and is committed to continuous improvement. Regularly scheduled follow-up evaluations should be conducted, and the results communicated to compliance and senior management. Transparency during this phase is critical, as it builds credibility with regulators and stakeholders by clearly demonstrating that the organization learns from its mistakes and proactively takes corrective action.

Additionally, documenting every step of the follow-up and remediation process provides valuable evidence during external audits and reviews, showcasing organizational accountability. Adopting a disciplined approach to follow-up and remediation aligns directly with the FCPA Resource Guide’s emphasis on ensuring effective responses to compliance risks and issues. This structured approach mitigates risks and cultivates a culture of integrity, accountability, and continuous improvement within your organization, significantly enhancing the resilience and credibility of your compliance program.

Lessons for Compliance Professionals

If all of this sounds like a continuous improvement loop, there is a reason. Developing a comprehensive compliance monitoring plan is foundational in cultivating and sustaining an effective compliance program. Compliance professionals must ensure monitoring is proactive, continuous, and aligned with broader organizational objectives and compliance strategies. Documented procedures, defined roles, continuous monitoring technology, transparent reporting, and rigorous follow-up constitute essential pillars supporting ongoing compliance effectiveness. Aligning these strategies with the Hallmarks of an Effective Compliance Program from the FCPA Resource Guide further solidifies your compliance initiatives, positioning your organization for long-term success, resilience, and integrity.


31 Days for a More Effective Compliance Program: Day 19 – Evaluating the Risk Management Process

Welcome to a special podcast series on the Compliance Podcast Network, 31 Days to a More Effective Compliance Program. Over these 31 days of the series in January 2025, Tom Fox will post a key part of a best practices compliance program daily. By the end of January, you will have enough information to create, design, or enhance a compliance program. Each podcast will be short, at 6-8 minutes, and will include three key takeaways you can implement at little or no cost to help update your compliance program. I hope you will join us each day in January for this exploration of best practices in compliance.

In today’s episode, we review the critical process of evaluating and translating risk assessments into actionable risk profiles. The discussion highlights the importance of prioritizing risks based on their significance and likelihood using risk matrices and heat maps. Expert insights from Ben Locwin and Bill Anathas emphasize focusing resources on high-risk employees and maintaining a robust compliance program aligned with FCPA guidelines. The episode also covers the Treasury Department’s OFAC compliance framework and offers concrete steps for continuous risk monitoring and remediation. Key takeaways include the necessity of a well-reasoned approach to risk evaluation, thorough documentation, and the implementation of a dynamic risk matrix to guide compliance efforts.

Key highlights:

  • Understanding Risk Profiles
  • Evaluating Risk Management Processes
  • Risk Matrix and Heat Maps

Resources:

Listeners to this podcast can receive a 20% discount on The Compliance Handbook, 5th edition, by clicking here.


Risk Assessment Lessons from Star Trek: Balance of Terror

Last month, I wrote a blog post on the tone at the top, exemplified in Star Trek’s Original Series episode, Devil in the Dark. Based on the response, some passionate Star Trek fans are out there. I decided to write a series of blog posts exploring Star Trek: The Original Series episodes as guides to the Hallmarks of an Effective Compliance Program set out in the FCPA Resource Guide, 2nd edition. Today, I continue my two-week series, looking at the 10 hallmarks of an effective compliance program as laid out by the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) in the FCPA Resource Guide, 2nd edition.

The episode Balance of Terror serves as an excellent example of risk assessment. This episode showcases the complexities and importance of evaluating risks in high-stakes situations. In this episode, the USS Enterprise is patrolling the Romulan Neutral Zone when they discover that a series of outposts have been mysteriously destroyed. The Enterprise encounters a Romulan Bird-of-Prey equipped with a powerful cloaking device and an advanced weapon capable of destroying planets. Captain Kirk must assess the risks of engaging the Romulan ship while preventing a potential war. What are some of the key risk assessment lessons?

The Risk is the Romulan threat to the Federation. The episode opens with the Enterprise facing an unknown enemy, the Romulans. This unknown factor presents a significant risk because of the Romulan’s uncertain capabilities. Their technology and tactics are shrouded in mystery, and there is a clear potential for escalation, as any misstep could lead to a full-blown war. Equally important is the impact on Federation security, as the Romulans’ aggressive actions threaten the Federation’s and its citizens’ safety.

Lesson 1 – Identifying Risks

The Enterprise crew must identify the nature and source of the threat the Romulan ship poses. This involves gathering intelligence on the Romulans’ capabilities, tactics, and intentions despite limited information. The risk assessment lesson is that effective risk assessment begins with identifying potential threats and vulnerabilities. Organizations must gather relevant data to understand the nature and scope of risks they face. This includes external threats, such as competitors or geopolitical issues, and internal vulnerabilities, such as process inefficiencies or compliance gaps.

Lesson 2 – Assessing the Risk

Captain Kirk must evaluate the Romulan threat, considering the immediate danger to the Enterprise and the broader implications of a conflict with the Empire. Captain Kirk and his crew engage in a meticulous risk assessment process to gather intelligence by analyzing the Romulan vessel’s capabilities and tactics and then devising a plan to counter the Romulan threat, including deploying a decoy and using deception tactics.

The possibility of igniting a war demands careful consideration of the consequences of each action. The risk assessment lesson is that assessing the potential impact of identified risks is crucial for prioritizing response strategies. Organizations should evaluate the possible consequences of risks in terms of financial loss, reputational damage, operational disruption, and legal implications. Understanding the severity and likelihood of risks helps in developing appropriate mitigation plans.

Lesson 3 – Developing a Risk Mitigation Strategy

Kirk and his crew analyze various response options, weighing the pros and cons of engaging the Romulan ship versus maintaining a defensive stance. They consider strategic maneuvers, potential diplomatic outcomes, and the risks of escalation. The risk assessment lesson is that a comprehensive risk assessment involves analyzing available response options and their associated risks. Organizations should explore different scenarios and develop contingency plans to address potential threats. This includes evaluating the effectiveness and feasibility of risk mitigation strategies and determining the best course of action.

Lesson 4 – Decision-Making Under Uncertainty

Kirk must make critical decisions under conditions of uncertainty, with incomplete information about the Romulans’ intentions and capabilities. Logic and intuition guide his choices, balancing immediate tactical needs with long-term strategic goals. The risk assessment lesson is that risk assessment often involves making decisions with limited information. Organizations should develop frameworks for decision-making under uncertainty, incorporating quantitative data and qualitative insights. Open communication and collaboration among stakeholders can enhance the decision-making process.

Lesson 5 – Monitoring and Continuous Improvement

As the situation evolves, Kirk continuously monitors the actions of the Romulan ship and adjusts his strategy accordingly. His ability to adapt to changing circumstances is crucial to the Enterprise’s survival. The lesson in risk assessment is that it is an ongoing process that requires continuous monitoring and adjustment. Organizations should establish mechanisms for tracking the effectiveness of risk mitigation efforts and be prepared to adapt strategies as new information emerges. Regular reviews and updates to risk assessments help ensure that organizations remain responsive to dynamic environments.

Balance of Terror provides a compelling narrative that illustrates the essential elements of risk assessment, from identifying threats to making informed decisions under uncertainty. For compliance professionals and business leaders, the episode underscores the importance of a systematic approach to risk assessment, emphasizing the need for thorough analysis, strategic planning, and adaptability in the face of evolving challenges. By drawing lessons from Captain Kirk’s command decisions, organizations can enhance risk management practices and better navigate complex and uncertain environments.

Join us tomorrow as we consider the lessons on training and ongoing communications from the Star Trek episode The Trouble with Tribbles.


Elevating Your Risk Assessment Game with AI and Machine Learning, Part II

We conclude this two-part blog post on using Artificial Intelligence (AI) and Machine Learning (ML) in risk assessments. By embracing AI and machine learning, compliance professionals can elevate their risk assessment capabilities, drive more informed decision-making, and position their organizations for long-term success in an increasingly complex and volatile business landscape. Today, we conclude with how to use these tools and some use cases.

When adopting AI-powered risk assessment solutions, compliance functions will face several key challenges, which can be addressed through a well-planned and strategic approach. Key challenges include implementing a robust data governance framework to ensure data quality, integration, and accessibility across the organization. Invest in data cleansing, normalization, and enrichment processes to prepare the data for AI models. You must be able to demonstrate how you arrived at certain decisions. To do so, you can use more interpretable models such as decision trees or logistic regression, whose decision-making process is easier to explain.

Your risk management model should ensure the accuracy, reliability, and fairness of the AI-powered risk assessment. To do so, you can establish a comprehensive model validation and governance framework, which includes regular performance monitoring, stress testing, and bias testing. The model validation process involves cross-functional teams, including risk experts, data scientists, and compliance professionals.

Multiple compliance areas lend themselves to use cases for AI and machine learning in risk assessment.

  1. Fraud Detection and Prevention. Machine learning algorithms can analyze transaction data, user behavior patterns, and other relevant information to identify suspicious activities and detect potential fraud in real-time. AI-powered anomaly detection can flag unusual transactions or account activities that deviate from the norm, allowing organizations to investigate fraud risks quickly and mitigate them.
  2. Vendor and Third-Party Risk Management. AI can rapidly assess the risk profiles of vendors, suppliers, and other third parties by aggregating and analyzing structured and unstructured data from various sources, including news reports, social media, and regulatory filings. Machine learning models can continuously monitor third-party relationships, detect changes in risk factors, and provide dynamic risk scoring to support vendor due diligence and ongoing risk mitigation.
  3. Compliance and Regulatory Risk. AI-driven natural language processing can help organizations stay on top of evolving regulatory requirements by automatically scanning and interpreting new laws, regulations, and industry guidelines. Machine learning can assist in identifying potential compliance gaps, policy violations, and other regulatory risks by analyzing internal data, such as employee activities, communications, and transactions.
  4. Operational Risk Assessment. AI and machine learning can model and simulate complex business processes, identify potential points of failure, and predict the likelihood and impact of operational disruptions. These technologies can also be leveraged to monitor and analyze real-time data from IoT devices, sensors, and other operational systems to detect anomalies and emerging risks.
  5. Enterprise Risk Management. AI-powered risk aggregation and correlation analysis can help organizations gain a more holistic, enterprise-wide view of their risk landscape, identifying interdependencies and potential risk concentrations. Machine learning algorithms can assist in prioritizing risks based on factors such as likelihood, impact, and velocity, enabling more informed decision-making and resource allocation.
  6. Emerging Risk Identification. AI and machine learning can scour vast amounts of external data, including news, social media, and industry reports, to identify emerging risks and trends that may not be apparent through traditional risk assessment methods. These technologies can also simulate future scenarios and stress test the organization’s resilience against potential black swan events or disruptive changes in the business environment.

By focusing on these traditional corporate risks, compliance professionals can enhance their risk assessment capabilities, improve decision-making, and better position themselves to navigate the increasingly complex and dynamic risk landscape. Integrating AI and machine learning into risk assessment requires a strategic, well-planned approach, commitment to continuous improvement, and a culture of innovation.

As you embark on this transformative journey, remember that integrating AI and ML is not a one-time event but a continuous refinement, learning, and adaptation process. Stay agile, keep an open mind, and be prepared to navigate the evolving compliance and risk management landscape.

The future of risk assessment is here, and it is powered by the extraordinary potential of artificial intelligence and machine learning for compliance professionals. Embrace this opportunity to unlock new levels of insight, efficiency, and proactivity – and lead your organization towards a more resilient and compliant future.


Elevating Your Risk Assessment Game with AI and Machine Learning, Part I

I am on a mission to explore how AI and machine learning (ML) can impact the compliance profession and the corporate compliance function. Today, I want to explore using AI and ML in risk assessment. I believe that they both have the potential to transform the way we approach risk identification, analysis, and mitigation. By harnessing the capabilities of AI and ML, compliance teams can elevate their risk assessment game and position their organizations for long-term success. Today, in Part I, we consider why you should utilize AI and ML in your risk assessment process and the first steps to take.

For years, organizations have relied on manual, human-driven risk assessment approaches. This often involves painstaking data gathering, expert interviews, document reviews, and applying risk frameworks and methodologies. While these time-tested methods have their merits, they are inherently limited in several ways:

  • Subjectivity and Bias: Human risk assessors bring their own experiences, perspectives, and biases to the table, which can lead to inconsistent or skewed risk evaluations.
  • Scalability Challenges: As businesses grow in size and complexity, manually assessing every risk factor becomes overwhelming and resource-intensive.
  • Reactivity vs. Proactivity: Traditional risk assessment tends to be retrospective, focusing on known or historical risks. Anticipating emerging threats requires a more forward-looking, proactive approach.
  • Lack of Real-Time Responsiveness: The pace of change in today’s business environment means that risk profiles can shift rapidly. Manual processes may struggle to keep up with these dynamic conditions.

AI and ML offer promising solutions to overcome the limitations of manual risk assessment. By leveraging these technologies, compliance teams can identify a more significant overall set of risks. AI-powered systems can scour vast internal and external datasets to uncover potential risk factors that human analysts may have overlooked. Machine learning algorithms can identify patterns, anomalies, and correlations, providing a more comprehensive, data-driven view of the risk landscape.

However, the benefit is not simply the ability to uncover more risks through larger data sets; it is also what AI and ML tools let you do with that data. Compliance professionals can quantify and model risk variables with greater precision, considering a broader range of factors and their interdependencies. This allows for more accurate risk scoring, prioritization, and scenario planning. This leads directly to anticipating emerging threats and vulnerabilities, empowering organizations to take proactive measures.

Consistency and objectivity are critical for any risk assessment. In this area, AI and ML-based systems can apply consistent, standardized risk assessment methodologies, reducing the impact of individual biases and subjectivity. Automated risk assessment powered by AI and ML can also process large volumes of data and handle complex risk evaluation tasks, freeing compliance professionals to focus on strategic decision-making. The goal is to move towards a more continual monitoring system, and here, AI-driven risk assessment can be integrated into real-time monitoring and alert systems, allowing organizations to quickly identify and respond to changes in their risk profiles.

How does a compliance function implement all of this AI and ML? There are several steps you should consider.

  • Assess Your Data Readiness: Effective AI and ML-powered risk assessment relies on high-quality, structured data availability. The DOJ mandates that you have access to your company’s data, including identifying any gaps or limitations and developing a plan to enhance data governance and management.
  • Identify Use Cases and Prioritize: Conduct a thorough analysis of your risk assessment needs and pain points. In other words, what are your high-risk areas? Determine which specific areas – such as fraud detection, vendor risk management, or third parties – could benefit the most from AI and ML-driven solutions.
  • Evaluate and Select the Right Tools: Research and evaluate a range of AI and ML-powered risk assessment platforms and solutions. Consider factors like integration capabilities, user-friendliness (it’s all about the UX), scalability, and the provider’s track record in compliance and risk management.
  • Pilot and Iterate: Start with a targeted pilot project to test the viability and effectiveness of your chosen AI and ML-based risk assessment approach. (Hint: Start small with a low-risk target.) Closely monitor the results, gather feedback, and continuously refine the solution to optimize its performance.
  • Train Your Team: Ensure compliance and risk management professionals have the necessary skills and knowledge to effectively leverage AI and ML technologies. Invest in training, workshops, and collaboration with data science and technology experts.
  • Establish Governance and Oversight: Develop robust governance frameworks to ensure the responsible and ethical use of AI and ML in risk assessment. This includes addressing algorithm bias, data privacy, and human oversight.
  • Foster a Culture of Innovation: Encourage a mindset of continuous improvement and experimentation within your compliance function. Empower team members to explore new ways of leveraging emerging technologies to enhance risk assessment and drive organizational resilience.

Join us tomorrow to consider implementation and some compliance use cases.


Compliance Tip of the Day: Why Use AI and ML in Risk Assessments?

Welcome to “Compliance Tip of the Day,” the podcast where we bring you daily insights and practical advice on navigating the ever-evolving landscape of compliance and regulatory requirements.

Whether you’re a seasoned compliance professional or just starting your journey, our aim is to provide you with bite-sized, actionable tips to help you stay on top of your compliance game.

Join us as we explore the latest industry trends, share best practices, and demystify complex compliance issues to keep your organization on the right side of the law.

Tune in daily for your dose of compliance wisdom, and let’s make compliance a little less daunting, one tip at a time.

In this episode, we consider why you should move away from human-driven risk assessment to AI and ML-assisted risk assessments.

For more information on the Ethico ROI Calculator and a free White Paper on the ROI of Compliance, click here.


Culture Week: Part 5 – A Listening Tour to Improve Culture

We conclude our focus on culture this week by returning to some of our long-time compliance roots for improving culture, such as the listening tour. In 2022, returning Starbucks Chief Executive Officer (CEO) Howard Schultz began engaging in a “listening tour” of Starbucks stores literally across America. In an article by Justin Bariso, Bariso reported that Schultz told employees, “We are traveling the country, trying to, with great sensitivity, understand from you how can we do better.” What are employees telling him? Bariso wrote, “he listens intently to one Starbucks employee after another; a pained look comes over Schultz’s face. Employees lament the lack of training, increased turnover, and extreme pressure they’ve endured as company profits soared, but worker conditions plummeted.”

This listening tour has several goals for Schultz. The first is that even though the company has sustained record profits, morale at the company is at an all-time low. Witness the unionizing efforts that have been successful. Employees are simply fed up with not being listened to. This has eroded employee trust in management and driven down the once vibrant culture at the iconic institution. To rebuild that trust, Starbucks, through its CEO, “must first listen.” However, it is more than simply listening to rebuild trust; it is rebuilding employee engagement by making them and their ideas part of the solution.

There is still much work for Starbucks and Schultz to do. Yet these initial steps can lead to real change. Schultz is doing more than saying “We Care”; he is modeling that language in his behavior. This is action at the top. It also communicates to other senior management that they must listen to re-engage and build employee trust. What if a Chief Compliance Officer took that same approach to culture? I believe that a Schultz-inspired listening tour can improve your corporate culture. Below are three keys for the compliance officer to conduct a practical listening tour.

A. Engagement

Start by meeting as many compliance stakeholders as possible. You can use town hall settings or go smaller, meeting with key employee leaders, key stakeholders, and employees identified as high-risk who you can meet with individually or in smaller groups. Listen to their compliance concerns and take their compliance ideas back to the home office. After returning to your office, winnow down their ideas and suggestions to form the basis of enhancements to your culture. This employee engagement will lead to greater stakeholder buy-in for your culture.

B. Education

During the town hall meetings and the smaller, more informal group meetings, you can do more than simply listen—you can also train. This training is on ethics and how the employees could use compliance as a business tool. Most businesses’ ethical standards are not found in an existing compliance program. They are found in general anti-discrimination guidelines and in ethical business practices such as anti-competitiveness and the prohibition on using confidential information. Often, these general concepts can be found in a company’s overall Code of Conduct or similar statement of business ethics. Workplace anti-discrimination and anti-harassment guidelines can be found in Human Resource policies and procedures. Concepts such as anti-competitiveness and the use of customers’ and competitors’ illegally obtained confidential information may be found in antitrust or other business practice-focused guidelines.

This gets your employees and other stakeholders thinking about doing business ethically. It is ethical concept-based training, in contrast to a rules-based approach. Moreover, this lays the groundwork for enhancing your culture and the training that will occur as the enhancement is rolled out.

C. Risk Assessment

Now, think about this same approach from the risk assessment perspective. Listen to your employees’ concerns and compliance issues. From there, you can ask questions about what was done and why. This approach is not adversarial or an interrogation; rather, it ferrets out the employees’ concerns while having the employees educate your compliance team on the actual procedures that are used. By listening and gently questioning, you should garner enough information to create a risk assessment profile that can inform and even become the basis of compliance program enhancements.

Bariso concluded his article by stating, “People lose motivation when they sense you don’t care. But the simple act of listening creates goodwill. When your people feel understood, they’ll be motivated to contribute and can help you discover insights you wouldn’t otherwise. So, when it comes to solving your company’s biggest problems, don’t ignore your most helpful resource: your people.” It all starts with listening. Let your employees and other stakeholders have the “chance to share their problems, as well as to propose solutions. Meetings like these will reveal key insights and transform your people from employees to partners.”

I hope you have enjoyed and, more importantly, found helpful this week’s blog posts on culture. I also hope you will join the conversation by commenting or posting on LinkedIn about your experiences around corporate culture.


Changing Sales Models

Over the past 12 months or so, there have been a series of Foreign Corrupt Practices Act (FCPA) enforcement actions in which the respondents have changed and/or modified their sales models to move away from external third parties and toward direct sales and business generation models. This portends a change in the way the Department of Justice (DOJ) may think about sales models, their inherent risk, and risk management going forward. These FCPA enforcement actions involved Albemarle, SAP, Gunvor, and Trafigura.

Albemarle

The Albemarle Non-Prosecution Agreement (NPA) cited several remedial actions by the company that helped Albemarle obtain a superior result in terms of the discounted fine and penalty. These steps were taken during the pendency of the DOJ investigation so that when the parties were ready to resolve the matter, Albemarle had built out and tested an effective compliance program. The company shifted to a direct sales business model.

This change, a shift in a company’s approach to sales and its sales teams, was relatively new and undoubtedly noteworthy for an FCPA enforcement action. Obviously, corrupt third-party agents brought the company to such FCPA grief. Many of the quotes in the NPA make it clear that Albemarle executives had an aversion to paying bribes but had greater moral flexibility when a third-party agent was involved. This led to the company moving away from third-party agents to a direct sales force.

SAP

While most of the remediation reported in this matter was standard, the one item that every compliance professional should consider is that SAP proactively discontinued using third-party agents for business origination. The point is perhaps the most significant, as the DOJ called out SAP for discontinuing their use of third-party agents. The DOJ information sets out the following: Change in sales models. On the external sales side, SAP eliminated its third-party sales commission model globally, prohibited all sales commissions for public sector contracts in high-risk markets, and enhanced compliance monitoring and audit programs, including creating a well-resourced team devoted to audits of third-party partners and suppliers.

Gunvor

As I noted in my review of the Albemarle and SAP enforcement actions, SAP eliminated its third-party sales commission model globally and prohibited all sales commissions for public sector contracts in high-risk markets. It also enhanced compliance monitoring and audit programs, including the creation of a well-resourced team devoted to audits of third-party partners and suppliers. Albemarle changed its approach to sales and its sales teams. Gunvor also moved away from third-party agents to a direct sales force.

Trafigura

Trafigura eliminated the use of third-party business origination agents. Matt Kelly noted in Radical Compliance, “This is the latest in a string of FCPA enforcement cases where we’ve seen a big, structural change to the sale function. Albemarle eliminated its use of third-party sales agents as part of its FCPA settlement last year; SAP eliminated its third-party sales commission model globally as part of its own FCPA settlement announced in January. Now we have a third global enterprise going that same route, reducing its FCPA risk in a deep, permanent way by restructuring its sales operations.” Here, Trafigura did away with third-party representatives for business generation.

In these four recent enforcement actions, the companies changed their approach to sales and their sales teams and did away with third parties generating new business. All of this points to these companies moving away from third-party agents to a direct sales force.

Moving to a direct sales force does have its own risks, but those risks can certainly be managed with an appropriate risk management strategy, ongoing monitoring of that strategy, and continuous improvement. Yet there is another reason, and more importantly, a significant business reason, to move towards a direct sales business model. Every time you have a third-party agent or anyone else between you and your customer, you risk losing that customer because your organization does not have a direct relationship with the customer. A direct sales business model will give your organization more direct access to your customers.

The fact that the 2020 FCPA Resource Guide, 2nd edition, and the 2023 Evaluation of Corporate Compliance Programs do not outline this strategy is another intriguing aspect of how Albemarle, SAP, Gunvor, and Trafigura use it. These are all approaches developed by the companies based upon their own analysis and risk models. It may have come from a realization that the risk involved with third-party sales models was simply too significant, that the companies wanted more control over their sales or some other reason. Whatever the reason for the change, the DOJ took note of each organization and viewed it affirmatively.

Every compliance professional should understand that this is how new ideas are developed by the DOJ and in compliance. Companies assess their own risks and then move forward to manage or change their risk profiles. Expect to start seeing and hearing more about the direct sales model from the DOJ. This is where the DOJ’s comments on compensation incentives and consequence management will come into play.